Bug 166451 - Policy for Roundup issue tracker
Policy for Roundup issue tracker
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2005-08-21 16:05 EDT by W. Michael Petullo
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 1.25.4-9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-03-20 14:52:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Created roundup.te in unused directory (942 bytes, application/octet-stream)
2005-08-22 09:56 EDT, Daniel Walsh
no flags Details
File Contexts (149 bytes, application/octet-stream)
2005-08-22 09:57 EDT, Daniel Walsh
no flags Details

  None (edit)
Description W. Michael Petullo 2005-08-21 16:05:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.11) Gecko/20050815 Epiphany/1.7.4

Description of problem:
I am trying to get the Roundup issue tracking system into Fedora Extras.  The following allows Roundup to work with the strict SELinux policy:

domain_auto_trans(initrc_t, roundup_exec_t, roundup_t)


file_type_auto_trans(roundup_t, var_run_t, roundup_var_run_t, file)

# execute python
allow roundup_t bin_t:dir r_dir_perms;
can_exec(roundup_t, bin_t)
allow roundup_t bin_t:lnk_file read;

allow roundup_t etc_t:file { getattr read };
allow roundup_t net_conf_t:file { getattr read };

allow roundup_t self:capability { setgid setuid };

allow roundup_t http_cache_port_t:tcp_socket { name_bind };
allow roundup_t smtp_port_t:tcp_socket { name_connect };
allow roundup_t self:unix_stream_socket { create connect shutdown setopt read write };

allow roundup_t mysqld_db_t:dir { search };
allow roundup_t mysqld_var_run_t:sock_file { write };
allow roundup_t mysqld_t:unix_stream_socket { connectto };
# /usr/share/mysql/charsets/Index.xml
allow roundup_t usr_t:file { getattr read };

allow roundup_t urandom_device_t:chr_file { read };

The following file contexts should be set:

/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Notice that Roundup does not work when SELinux is enforcing the strict policy.

Additional info:
Comment 1 W. Michael Petullo 2005-08-21 16:08:37 EDT
The Roundup package is proposed in bug #165329.
Comment 2 Daniel Walsh 2005-08-22 09:56:30 EDT
Created attachment 117967 [details]
Created roundup.te in unused directory

Modified it in a few places since daemon_domain gives you some stuff for free.
Comment 3 Daniel Walsh 2005-08-22 09:57:11 EDT
Created attachment 117968 [details]
File Contexts
Comment 4 Daniel Walsh 2005-08-25 15:22:25 EDT
Added in selinux-policy-strict-1.25.4-9
Comment 5 W. Michael Petullo 2005-09-02 18:03:32 EDT
This still seems to be explicitly required required:

allow roundup_t etc_t:file { getattr read };

This is not in selinux-policy-strict-1.25.4-8.

Note You need to log in before you can comment on or make changes to this bug.