This bug has been copied from bug #515687 and has been proposed to be backported to 5.4 z-stream (EUS).
Fixed in selinux-policy-2.4.6-255.el5_4.2.noarch
Following denial still blocks the expected functionality, and is shown only after rebuild with "semodule -DB": #============= setkey_t ============== allow setkey_t sysadm_tmp_t:file { read getattr }; After adding custom policy module as follows make it work again: # cat my.te policy_module(mypol,1.0.0) require{ type setkey_t; type sysadm_tmp_t; } allow setkey_t sysadm_tmp_t:file { read getattr }; # make -f /usr/share/selinux/devel/Makefile
Everything seems to work if I use this: # cat my.if my.te -n 1 interface(`userdom_read_sysadm_tmp_files',` 2 gen_require(` 3 type sysadm_tmp_t; 4 ') 5 allow $1 sysadm_tmp_t:file { read getattr }; 6 ') 7 8 policy_module(mysetkey,1.0.0) 9 10 gen_require(` 11 type setkey_t; 12 ') 13 14 userdom_read_sysadm_tmp_files(setkey_t);
Fixed in selinux-policy-2.4.6-255.el5_4.3.noarch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0013.html