From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.11) Gecko/20050815 Epiphany/1.7.4

Description of problem:
I am trying to get the Roundup issue tracking system into Fedora Extras. The following allows Roundup to work with the strict SELinux policy:

domain_auto_trans(initrc_t, roundup_exec_t, roundup_t)
daemon_domain(roundup)
var_lib_domain(roundup)
can_network_server(roundup_t)
can_network_client(roundup_t)
file_type_auto_trans(roundup_t, var_run_t, roundup_var_run_t, file)

# execute python
allow roundup_t bin_t:dir r_dir_perms;
can_exec(roundup_t, bin_t)
allow roundup_t bin_t:lnk_file read;

allow roundup_t etc_t:file { getattr read };
allow roundup_t net_conf_t:file { getattr read };
allow roundup_t self:capability { setgid setuid };
allow roundup_t http_cache_port_t:tcp_socket { name_bind };
allow roundup_t smtp_port_t:tcp_socket { name_connect };
allow roundup_t self:unix_stream_socket { create connect shutdown setopt read write };
allow roundup_t mysqld_db_t:dir { search };
allow roundup_t mysqld_var_run_t:sock_file { write };
allow roundup_t mysqld_t:unix_stream_socket { connectto };

# /usr/share/mysql/charsets/Index.xml
allow roundup_t usr_t:file { getattr read };
allow roundup_t urandom_device_t:chr_file { read };

The following file contexts should be set:

/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t
/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
Notice that Roundup does not work when SELinux is enforcing the strict policy.

Additional info:
The Roundup package is proposed in bug #165329.
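As an added example (not part of the bug report, the attachments, or the Roundup package), the script below parses the allow rules and file-context lines quoted in the report into a structured form and then lists the grants a policy reviewer would inspect first: process capabilities, port binds and connects, and connects into another domain's socket. The rule text is embedded as constructed input copied from the report; the review categories and the file-context sanity check are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: the TE rules proposed in the bug report above.
TE_RULES = """
domain_auto_trans(initrc_t, roundup_exec_t, roundup_t)
daemon_domain(roundup)
var_lib_domain(roundup)
can_network_server(roundup_t)
can_network_client(roundup_t)
file_type_auto_trans(roundup_t, var_run_t, roundup_var_run_t, file)
# execute python
allow roundup_t bin_t:dir r_dir_perms;
can_exec(roundup_t, bin_t)
allow roundup_t bin_t:lnk_file read;
allow roundup_t etc_t:file { getattr read };
allow roundup_t net_conf_t:file { getattr read };
allow roundup_t self:capability { setgid setuid };
allow roundup_t http_cache_port_t:tcp_socket { name_bind };
allow roundup_t smtp_port_t:tcp_socket { name_connect };
allow roundup_t self:unix_stream_socket { create connect shutdown setopt read write };
allow roundup_t mysqld_db_t:dir { search };
allow roundup_t mysqld_var_run_t:sock_file { write };
allow roundup_t mysqld_t:unix_stream_socket { connectto };
# /usr/share/mysql/charsets/Index.xml
allow roundup_t usr_t:file { getattr read };
allow roundup_t urandom_device_t:chr_file { read };
"""

# Constructed input: the file contexts proposed in the bug report above.
FILE_CONTEXTS = """
/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t
/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t
"""

# "allow <src> <tgt>:<class> { p1 p2 };" or "allow <src> <tgt>:<class> perm_macro;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+(?P<perms>\{[^}]*\}|\w+)\s*;$"
)
# m4 policy macro call such as daemon_domain(roundup)
MACRO_RE = re.compile(r"^(?P<name>\w+)\((?P<args>[^)]*)\)$")
# file_contexts line: <path regex> [file type] <context>
FC_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<ftype>--|-d|-l|-s|-c|-b|-p)?\s*(?P<ctx>\w+:\w+:\w+(?::\w+)?)$"
)


def parse_te(text):
    """Return (allow_rules, macros); an allow rule is (src, tgt, cls, frozenset(perms))."""
    rules, macros = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALLOW_RE.match(line)
        if m:
            perms = m["perms"].strip("{} ").split()
            rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms)))
            continue
        m = MACRO_RE.match(line)
        if m:
            macros.append((m["name"], [a.strip() for a in m["args"].split(",")]))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return rules, macros


def summarize(rules):
    """Merge permissions per (target type, object class) for one-glance review."""
    by_target = defaultdict(set)
    for _, tgt, cls, perms in rules:
        by_target[(tgt, cls)] |= perms
    return dict(by_target)


def review_points(rules):
    """Grants that widen the daemon beyond reading its own data; each is worth a reviewer's look."""
    findings = []
    for src, tgt, cls, perms in rules:
        if cls == "capability":
            findings.append(f"{src}: capabilities {sorted(perms)}")
        elif cls == "tcp_socket" and "name_bind" in perms:
            findings.append(f"{src}: listens on port type {tgt}")
        elif cls == "tcp_socket" and "name_connect" in perms:
            findings.append(f"{src}: outbound connects to port type {tgt}")
        elif cls == "unix_stream_socket" and tgt != "self" and "connectto" in perms:
            findings.append(f"{src}: connects to {tgt}'s local socket")
    return findings


def parse_fc(text):
    """Return [(path_regex, file_type_or_None, context)] from file_contexts text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed file context: {line!r}")
        entries.append((m["path"], m["ftype"], m["ctx"]))
    return entries


def check_fc(entries):
    """Flag a tree pattern restricted to regular files: '--' never matches the directory itself."""
    return [
        f"{path}: '--' matches regular files only, so the directory is not labelled {ctx.split(':')[2]}"
        for path, ftype, ctx in entries
        if ftype == "--" and "(/.*)?" in path
    ]


if __name__ == "__main__":
    rules, macros = parse_te(TE_RULES)
    print(f"{len(rules)} allow rules, {len(macros)} macro calls")
    for (tgt, cls), perms in sorted(summarize(rules).items()):
        print(f"  {tgt}:{cls} -> {' '.join(sorted(perms))}")
    for line in review_points(rules) + check_fc(parse_fc(FILE_CONTEXTS)):
        print("REVIEW:", line)
```

The parser only understands the flat rule style used in the report (plain allow statements and macro calls), which is enough to diff a proposed module against what a later policy release already grants, as comment 6 does by hand for the etc_t rule. The file-context check matters for the second line in the report: a pattern ending in (/.*)? is meant to cover a tree, and the `--` qualifier limits it to regular files.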
Created attachment 117967
Created roundup.te in unused directory

Modified it in a few places since daemon_domain gives you some stuff for free.
Created attachment 117968
File Contexts
Added in selinux-policy-strict-1.25.4-9
This still seems to be explicitly required:

allow roundup_t etc_t:file { getattr read };

This is not in selinux-policy-strict-1.25.4-8.