Bug 529448

Summary: qpidd should not require selinux-policy-minimum
Product: [Fedora] Fedora
Reporter: Eric Paris <eparis>
Component: qpidc
Assignee: Nuno Santos <nsantos>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: aconway, aortega, dwalsh, jneedle, mgrepl, nsantos
Hardware: All   
OS: Linux   
Fixed In Version: qpid-cpp-0.6.895736-3.fc13
Doc Type: Bug Fix
Last Closed: 2010-04-09 01:34:54 UTC
Attachments:
qpidd policy package (flags: none)

Description Eric Paris 2009-10-16 21:22:39 UTC
rpm -q --requires qpidd
[snip] 
selinux-policy-minimum
[snip]

I don't know why qpidd has a requirement on selinux-policy-minimum, but if the requirement is that some selinux policy be installed, the proper requires is selinux-policy-base.

No one has the selinux-policy-minimum policy installed; it's an almost useless policy which confines basically nothing.

Comment 1 Daniel Walsh 2009-10-16 21:34:57 UTC
If you want to make sure some policy is installed, you can require selinux-policy-base, which all policies define.

Comment 2 Daniel Walsh 2009-10-16 21:36:14 UTC
What rules are in qpidd.pp?

Comment 3 Nuno Santos 2009-10-16 21:55:37 UTC
Created attachment 365096
qpidd policy package

Dan, I've attached the policy package.

Comment 4 Daniel Walsh 2009-10-16 21:59:30 UTC
I have seen the pp file, but do you have the te and fc files used to create it?

Comment 5 Eric Paris 2009-10-16 23:08:34 UTC
No idea what their actual module is, but I disassembled the binary:

TE rules:
  allow [ccs_t] [tmpfs_t] : [dir] { search };
  allow [ccs_t] [tmpfs_t] : [file] { ioctl read write getattr lock append };
  allow [ccs_t] [initrc_t] : [sem] { getattr read write associate unix_read unix_write };
  allow [ccs_t] [initrc_t] : [shm] { getattr read write associate unix_read unix_write lock };
  allow [ccs_t] self : [capability] { ipc_owner };

That's pretty much all that's in that .pp file.

Comment 6 Daniel Walsh 2009-10-17 10:46:59 UTC
OK, I can add the first two rules and the last rule to ccs.te, but I will create a new type called ccs_tmpfs_t to prevent ccs_t from accessing random tmpfs_t.

I have no idea what the initrc_t is; it should have policy associated with it.
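
The review done by hand in comments 5 and 6 can be repeated mechanically. The Python below is an added example, not part of the original thread or of the qpid or selinux-policy projects: it parses the allow rules exactly as posted in comment 5 and flags those whose target is one of the two shared types questioned in comment 6. The `SHARED_TARGETS` table, its advice strings, and the function names are assumptions made for illustration.

```python
import re

# The five rules as posted in comment 5 (bracketed disassembler output).
RULES = """\
allow [ccs_t] [tmpfs_t] : [dir] { search };
allow [ccs_t] [tmpfs_t] : [file] { ioctl read write getattr lock append };
allow [ccs_t] [initrc_t] : [sem] { getattr read write associate unix_read unix_write };
allow [ccs_t] [initrc_t] : [shm] { getattr read write associate unix_read unix_write lock };
allow [ccs_t] self : [capability] { ipc_owner };
"""

# allow <source> <target> : <class> { perms }; brackets around names are optional.
RULE_RE = re.compile(
    r"allow\s+\[?(\w+)\]?\s+\[?(\w+)\]?\s*:\s*\[?(\w+)\]?\s*\{([^}]*)\}\s*;")

# Assumption: only the two targets questioned in comment 6 are listed here.
# Extend the table with the shared types of the policy under review.
SHARED_TARGETS = {
    "tmpfs_t": "label these objects with a private type such as ccs_tmpfs_t",
    "initrc_t": "the peer has no policy of its own; give it a domain first",
}

def parse_rules(text):
    """Return one dict per allow rule; 'self' is resolved to the source type."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules.append({"source": src,
                      "target": src if tgt == "self" else tgt,
                      "class": cls,
                      "perms": perms.split()})
    return rules

def review(rules):
    """Return (rule, advice) pairs for rules granting access to a shared type."""
    return [(r, SHARED_TARGETS[r["target"]])
            for r in rules if r["target"] in SHARED_TARGETS]

if __name__ == "__main__":
    for rule, advice in review(parse_rules(RULES)):
        perms = " ".join(rule["perms"])
        print(f"{rule['source']} -> {rule['target']}:{rule['class']} "
              f"{{ {perms} }}: {advice}")
```
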

Comment 7 Bug Zapper 2009-11-16 13:46:08 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 8 Fedora Update System 2010-04-06 21:47:05 UTC
qpidc-0.5.829175-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qpidc-0.5.829175-4.fc12

Comment 9 Fedora Update System 2010-04-06 22:18:57 UTC
qpid-cpp-0.6.895736-3.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/qpid-cpp-0.6.895736-3.fc13

Comment 10 Fedora Update System 2010-04-09 01:34:45 UTC
qpidc-0.5.829175-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-04-09 03:51:34 UTC
qpid-cpp-0.6.895736-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.