Bug 451948
Summary: prelude patch
Product: [Fedora] Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Dominick Grift <domg444>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: rvokal
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:04:41 UTC

Description
Dominick Grift
2008-06-18 10:15:20 UTC
Created attachment 309716 [details]
patch1
Created attachment 309717 [details]
patch2
Created attachment 309993 [details]
prelude.fc
Created attachment 309994 [details]
prelude.te
Thanks. Looks good. Although I wanted the files_config_file for prewikka because it has a mysql password in there. Also I noticed that you removed the gamin optional policy block for prelude-lml. Not sure why, but it seemed needed when I tried it. Also I think domain_use_interactive_fds(prelude_lml_t) may not be required.

So you are trying to prevent other domains from reading the config file? In that case you might want to label it something like prewikka_secret_t and not give it files_config, since files_config allows all domains to read, just like etc_t. gamin_ is a bad thing to use for a system service, since it is long running and shared by other domains. So it causes SELinux problems when it is run. gamin policy is not being shipped, so this optional block will not be executed. The gamin policy is also pretty broken right now.

Understood. I also noticed you didn't declare a domain type for prelude-lml. Interface admin_prelude needs updating to reflect prelude-lml. Also we need a prelude_manage_spool() for snort.

Created attachment 309995 [details]
snort.te
Created attachment 309996 [details]
snort.if
Created attachment 309997 [details]
snort.fc
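The private-type alternative suggested above (a prewikka_secret_t type instead of files_config_file), written out as an added example. It is not the prelude.te/prelude.fc attached to this bug; the type name prewikka_secret_t comes from the thread, while the prewikka_t domain name and the /etc/prewikka path are assumptions.

```selinux
# Added example: a private type for the prewikka configuration, so the
# MySQL password in it is readable only by the prewikka domain. This is
# not the policy attached to this bug.

#
# prelude.te fragment
#

# Type for the prewikka configuration, as suggested in the thread.
type prewikka_secret_t;
files_type(prewikka_secret_t)

# Domain running the prewikka web front end. The name is an assumption;
# the real policy may run prewikka in a different domain.
type prewikka_t;
domain_type(prewikka_t)

# Only prewikka_t may list the config directory and read the files in it.
allow prewikka_t prewikka_secret_t:dir list_dir_perms;
read_files_pattern(prewikka_t, prewikka_secret_t, prewikka_secret_t)

# Deliberately NOT done: files_config_file(prewikka_secret_t). As noted
# in the thread, that would let every domain read the file, just like
# etc_t, which defeats the point of giving it a separate type.

#
# prelude.fc fragment (the path is an assumption)
#
/etc/prewikka(/.*)?		gen_context(system_u:object_r:prewikka_secret_t,s0)
```

After loading a module built from this, `sesearch -A -t prewikka_secret_t -c file -p read` lists the domains allowed to read the type; only prewikka_t (plus whatever unconfined or backup domains the base policy grants broad file access to) should show up, whereas a files_config_file() type would also be readable by everything that reads etc_t.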
files_search_spool(snort_t) should be in that optional_policy block for prelude, since any domain will need to be able to search spool to be able to append to prelude's spool files.

########################################
## <summary>
##	Append to prelude-manager spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`prelude_write_spool_files',`
	gen_require(`
		type prelude_spool_t;
	')

	files_search_spool($1)
	allow $1 prelude_spool_t:dir { read search getattr };
	allow $1 prelude_spool_t:file { read lock getattr write append };
')

Fixed in selinux-policy-3.3.1-70.fc9.noarch

Thanks. One small issue left:

#============= snort_t ==============
allow snort_t prelude_spool_t:dir read;

and this, but you have explained why:

#============= prelude_lml_t ==============
allow prelude_lml_t gamin_exec_t:file { read execute };

By the way, should corenet_tcp_connect_prelude_port(snort_t) not be in the optional policy block designated for prelude? I know the port is defined in corenetwork, but if there is no prelude module then there likely won't be a prelude_port_type.

No. Other policies might not include the prelude policy but would still define the prelude port.

Fixed in selinux-policy-3.3.1-71.fc9.noarch

Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
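The rule placement the last exchange settles on, shown from the caller's side as an added example of a snort.te fragment. It is not the snort.te attached to this bug; it assumes snort_t is the Snort daemon domain declared in that file and that the prelude_write_spool_files() interface is the one posted above.

```selinux
# Added example of the caller side in snort.te; not the snort.te attached
# to this bug. snort_t is assumed to be the Snort daemon domain declared
# earlier in the same file.

# The prelude port is declared in corenetwork, which every policy build
# carries whether or not the prelude module is loaded, so this call stays
# outside optional_policy(), as answered in the thread.
corenet_tcp_connect_prelude_port(snort_t)

# prelude_spool_t and prelude_write_spool_files() only exist when the
# prelude module is present, so this goes inside optional_policy().
# The interface as posted above already calls files_search_spool($1),
# so the caller gets the spool directory search permission from it.
optional_policy(`
	prelude_write_spool_files(snort_t)
')

# Wrong placement, kept here for contrast: with the port rule inside the
# optional block, a build that does not ship the prelude module silently
# drops Snort's permission to connect to the prelude port.
#optional_policy(`
#	corenet_tcp_connect_prelude_port(snort_t)
#	prelude_write_spool_files(snort_t)
#')
```

The split follows one rule of thumb: anything that names a type from another module (prelude_spool_t, via its interface) is conditional on that module, while port types live in the always-present corenetwork module and are referenced unconditionally.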