Bug 2048592
| Summary: | SELinux is preventing /usr/bin/dccproc from map access on the file /etc/dcc/map | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Brian J. Murrell <brian> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | urgent | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.5 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.6 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-02-04 16:13:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Brian J. Murrell
2022-01-31 15:07:11 UTC
I haven't managed to find dccproc in RHEL repositories. Please reach out to the package vendor to get support for your issue. If map is the only missing permission, the following module can be used to work around:

```
# cat local_dcc_var_map.cil
(allow dcc_client_t dcc_var_t (file (map)))
# semodule -i local_dcc_var_map.cil
```

So what is the policy (NPI) about SELinux policy rules that are required for software that is not in RHEL/EPEL? Does the selinux-policy package try to maintain policy for all known software no matter where it comes from (it seems not given the response on this ticket) or are third-party software distributions supposed to supply SELinux policy modules with their software package? If the latter, is any documentation available on how a software packager supplies their own policy modules in their packages?

Packages provided by Red Hat are supported. Packages in EPEL are considered high-quality add-on packages that complement the Red Hat Enterprise Linux. The EPEL project is led by community-led volunteers, packages from this project are not provided by Red Hat though and therefore they are not supported.

The selinux-policy package in RHEL is based off of the package from Fedora. It contains modules for software in RHEL as well as for software which is not a part of RHEL (i.e. 3rd party) for the users' convenience. However, it does not mean the policy modules are supported by Red Hat.

Some custom policy hints can be found e.g. here:

https://fedoraproject.org/wiki/SELinux/IndependentPolicy

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux
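
A packager writing a local module like the one in the workaround starts from the AVC denial records in the audit log. The following added example (not from the bug report or from selinux-policy) turns denied AVC records into de-duplicated CIL allow rules for review before loading. The audit lines are constructed samples that reuse only the `dcc_client_t` and `dcc_var_t` types named in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the bug report). The types
# dcc_client_t and dcc_var_t are the ones named in the workaround; pids,
# inode numbers, device names and timestamps are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1643641631.123:456): avc:  denied  { map } for  pid=1234 comm="dccproc" path="/etc/dcc/map" dev="dm-0" ino=5678 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643641632.001:457): avc:  denied  { map } for  pid=1240 comm="dccproc" path="/etc/dcc/map" dev="dm-0" ino=5678 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643641640.500:460): avc:  granted  { read } for  pid=1240 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=file
type=SYSCALL msg=audit(1643641631.123:456): arch=c000003e syscall=9 success=no exit=-13 comm="dccproc"
"""

# Only "denied" AVCs are of interest; granted/audited ones are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]

def denials_to_cil(audit_text):
    """Return sorted, de-duplicated CIL allow rules for denied AVCs."""
    wanted = defaultdict(set)  # (source type, target type, class) -> perms
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        wanted[key].update(m["perms"].split())
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]

if __name__ == "__main__":
    for rule in denials_to_cil(SAMPLE_AUDIT):
        print(rule)
```

Each emitted rule widens what the source domain may do, so read the list and keep only the permissions the program needs before putting it in a `.cil` file.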