Red Hat Bugzilla – Bug 171612
Incomplete policy definition for INNd (control* related programs to be exact).
Last modified: 2007-11-30 17:11:15 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
Description of problem:
After running the INNd with the SELinux protection (targeted policy) enforced I get errors in the audit log stating that numerous programs ("/usr/lib/news/bin/control/*" and "controlchan") do not have an access to "/var/spool/news/articles/control". Moreover "controlchan" itself can't access "/usr/lib/news/bin/control" directory.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enforce SELinux protection (targeted policy).
2. Run INNd.
3. Check for "controlchan" to start... and fail. Same for eg. "ihave.pl".
Actual Results: "controlchan" can't access binary files from within the "/usr/lib/news/bin/control" directory. Plus - programs from "/usr/lib/news/bin/control" directory (like "ihave.pl") can't access "/var/spool/news/articles/control".
Expected Results: "controlchan" should have an access to the aforementioned files, since otherwise it cannot work correctly. Next - most (all?) programs from "/usr/lib/news/bin/control" directory should be allowed to "read" and "getattr" "news_spool_t".
Question - should we label all "/usr/lib/news/bin/control/*" with "innd_exec_t" (which will work out of the box) or maybe we could create smth like "innd_control_exec_t" & "news_spool_control_t" with finer control on what actually happens.
For the time being I've used the first approach and it worked. But...
Fixed in selinux-policy-targeted-1.27.1-2.14
Closing as these have been marked as modified, for a while. Feel free to reopen
if not fixed