Bug 499519
| Summary: | checkmodule interrupts parsing .te-file at init_script_type because of syntax error | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | oni <oni303> |
| Component: | policycoreutils | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | ||
| Version: | 10 | CC: | dwalsh, jim.cromie, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-11-18 10:27:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
oni
2009-05-06 22:58:14 UTC
.te-file: policy_module(vsftpd,1.0.0) ######################################## # # Declarations # type vsftpd_t; type vsftpd_exec_t; init_daemon_domain(vsftpd_t, vsftpd_exec_t) permissive vsftpd_t; type vsftpd_script_exec_t; init_script_type(vsftpd_script_exec_t) type vsftpd_rw_t; files_type(vsftpd_rw_t) ######################################## # # vsftpd local policy # # Init script handling domain_use_interactive_fds(vsftpd_t) # internal communication is often done using fifo and unix sockets. allow vsftpd_t self:fifo_file rw_file_perms; allow vsftpd_t self:unix_stream_socket create_stream_socket_perms; files_read_etc_files(vsftpd_t) libs_use_ld_so(vsftpd_t) libs_use_shared_libs(vsftpd_t) miscfiles_read_localization(vsftpd_t) allow vsftpd_t vsftpd_rw_t:file manage_file_perms; allow vsftpd_t vsftpd_rw_t:dir create_dir_perms; sysnet_dns_name_resolve(vsftpd_t) corenet_all_recvfrom_unlabeled(vsftpd_t) allow vsftpd_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_all_if(vsftpd_t) corenet_tcp_sendrecv_all_nodes(vsftpd_t) corenet_tcp_sendrecv_all_ports(vsftpd_t) corenet_tcp_bind_all_nodes(vsftpd_t) corenet_tcp_connect_all_ports(vsftpd_t) corenet_tcp_bind_ftp_port(vsftpd_t) logging_send_syslog_msg(vsftpd_t) auth_domtrans_chk_passwd(vsftpd_t) For now you can change the 'init_script_type' macro to the 'init_script_file' macro manually in your .te file. oni, There is already policy for vsftpd in SELinux. (ftp.te) Miroslav, I think this is fixed in policycoreutils-2.0.57-20.fc10 Which should probably be put into Fedora Testing. Can you take over this package in F10? (In reply to comment #4) > Miroslav, I think this is fixed in > > policycoreutils-2.0.57-20.fc10 > > Which should probably be put into Fedora Testing. Can you take over this > package in F10? Yes, I can. I'm taking it over. Fixed in policycoreutils-2.0.57-21.fc10 hi Miroslav, this bugzilla report seemed close enough in subject, time and status (modified) so I didnt open separate one. I installed, then tried ftp localhost, was refused, and selinux complained, and asked for a bug report. SELinux is preventing vsftpd (ftpd_t) "sys_admin" ftpd_t. Detailed Description SELinux denied access requested by vsftpd. It is not expected that this access is required by vsftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Jim check to see if pam_namspace is being called in your pam stack? it seems so. (/me needs to read up on pam) [jimc@harpo pam.d]$ sudo grep pam_namespace * gdm:session required pam_namespace.so gdm-autologin:session required pam_namespace.so gdm-fingerprint:session required pam_namespace.so gdm-password:session required pam_namespace.so login:session required pam_namespace.so newrole:session required pam_namespace.so unmnt_remnt no_unmount_on_close remote:session required pam_namespace.so [jimc@harpo pam.d]$ hmm. I have no /etc/pam.conf, but rpm indicates thats ok: ?! [jimc@harpo etc]$ rpm -qf /etc/pam.d pam-1.0.91-6.fc11.i586 [jimc@harpo etc]$ rpm -V pam-1.0.91-6.fc11.i586 ....L.... c /etc/pam.d/fingerprint-auth ....L.... c /etc/pam.d/password-auth ....L.... c /etc/pam.d/smartcard-auth ....L.... c /etc/pam.d/system-auth S.5....T. c /etc/security/limits.conf ..?...... c /etc/security/opasswd ..?...... /sbin/unix_update [jimc@harpo etc]$ This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping |