Bug 169788 - apache_domain macro misses a httpd_ prefix
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: x86_64
OS: Linux
medium
low
Assignee: Daniel Walsh
Reported: 2005-10-03 16:41 UTC by Jonathan Larmour
Modified: 2007-11-30 22:07 UTC

Doc Type: Bug Fix
Last Closed: 2005-10-03 18:36:21 UTC

Description Jonathan Larmour 2005-10-03 16:41:53 UTC
Description of problem:

In /etc/selinux/targeted/src/policy/macros/program/apache_macros.te there is the
following block:
ifelse($1, sys, `
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
can_exec(httpd_t, httpdcontent )
', `
can_exec(httpd_$1_script_t, httpdcontent )
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
')
create_dir_file(httpd_$1_script_t, httpdcontent)
}

Note that the domain_auto_trans near the end is $1_t, not httpd_$1_t. This
causes an error when writing new policy that uses the apache_domain() macro.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.17.30-2.88

How reproducible:

cd /etc/selinux/targeted/src/policy
cat >> domains/foo.te <<EOF
apache_domain(sys_writable)
EOF
make

Actual results:

/usr/bin/checkpolicy -o policy.18 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
types/x.te:6:ERROR 'unknown type sys_writable_t' at token ';' on line 4301:
#line 6
allow sys_writable_t httpd_sys_writable_script_t:process transition;
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [policy.18] Error 1

Expected results:

It should work :)

Comment 1 Daniel Walsh 2005-10-03 18:07:26 UTC
This is fixed in U2 policy. 1.17.30-2.110


Comment 2 Jonathan Larmour 2005-10-03 18:36:21 UTC
Oh there's a U2 out? I haven't noticed that. Do I need to subscribe to a
different channel?
My problem was sorted anyway by changing the apache_macros.te file myself, so as
far as I'm concerned this can be closed, but I don't know whether to say
CURRENTRELEASE or NEXTRELEASE :). You can close it with the appropriate status
if you prefer.


