Bug 166451 - Policy for Roundup issue tracker
Summary: Policy for Roundup issue tracker
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-08-21 20:05 UTC by W. Michael Petullo
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: 1.25.4-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-20 19:52:06 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Created roundup.te in unused directory (942 bytes, application/octet-stream)
2005-08-22 13:56 UTC, Daniel Walsh 		no flags Details
File Contexts (149 bytes, application/octet-stream)
2005-08-22 13:57 UTC, Daniel Walsh 		no flags Details
View All

Description W. Michael Petullo 2005-08-21 20:05:34 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.11) Gecko/20050815 Epiphany/1.7.4

Description of problem:
I am trying to get the Roundup issue tracking system into Fedora Extras.  The following allows Roundup to work with the strict SELinux policy:

domain_auto_trans(initrc_t, roundup_exec_t, roundup_t)

daemon_domain(roundup)
var_lib_domain(roundup)
can_network_server(roundup_t)
can_network_client(roundup_t)

file_type_auto_trans(roundup_t, var_run_t, roundup_var_run_t, file)

# execute python
allow roundup_t bin_t:dir r_dir_perms;
can_exec(roundup_t, bin_t)
allow roundup_t bin_t:lnk_file read;

allow roundup_t etc_t:file { getattr read };
allow roundup_t net_conf_t:file { getattr read };

allow roundup_t self:capability { setgid setuid };

allow roundup_t http_cache_port_t:tcp_socket { name_bind };
allow roundup_t smtp_port_t:tcp_socket { name_connect };
allow roundup_t self:unix_stream_socket { create connect shutdown setopt read write };

allow roundup_t mysqld_db_t:dir { search };
allow roundup_t mysqld_var_run_t:sock_file { write };
allow roundup_t mysqld_t:unix_stream_socket { connectto };
# /usr/share/mysql/charsets/Index.xml
allow roundup_t usr_t:file { getattr read };

allow roundup_t urandom_device_t:chr_file { read };

The following file contexts should be set:

/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
Notice that Roundup does not work when SELinux is enforcing the strict policy.
  

Additional info:
Comment 1 W. Michael Petullo 2005-08-21 20:08:37 UTC 
The Roundup package is proposed in bug #165329.
Comment 2 Daniel Walsh 2005-08-22 13:56:30 UTC 
Created attachment 117967 [details]
Created roundup.te in unused directory

Modified it in a few places since daemon_domain gives you some stuff for free.
Comment 3 Daniel Walsh 2005-08-22 13:57:11 UTC 
Created attachment 117968 [details]
File Contexts
Comment 4 Daniel Walsh 2005-08-25 19:22:25 UTC 
Added in selinux-policy-strict-1.25.4-9
Comment 5 W. Michael Petullo 2005-09-02 22:03:32 UTC 
This still seems to be explicitly required required:

allow roundup_t etc_t:file { getattr read };

This is not in selinux-policy-strict-1.25.4-8.
Note You need to log in before you can comment on or make changes to this bug.