Description of problem:

New rules for f18 installation:

    # cat /var/log/audit/audit.log | audit2allow -R

    require {
            type httpd_suexec_exec_t;
            type pki_tps_t;
            class file { read getattr execute };
    }

    #============= pki_tps_t ==============
    allow pki_tps_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_tps_t)
    files_manage_generic_tmp_files(pki_tps_t)

RA:

    # getenforce
    Permissive

    # cat /var/log/audit/audit.log | audit2allow -R

    require {
            type pki_tps_t;
            type pki_ra_t;
            type httpd_suexec_exec_t;
            class file { getattr read execute };
    }

    #============= pki_ra_t ==============
    allow pki_ra_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_ra_t)
    files_manage_generic_tmp_files(pki_ra_t)

    #============= pki_tps_t ==============
    allow pki_tps_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_tps_t)
    files_manage_generic_tmp_files(pki_tps_t)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
we probably need these for f19/rawhide as well.
Created attachment 741728: AVC audit.log messages (TPS)
Created attachment 741729: AVC audit.log messages (RA)
commit 3aabce123ac964f3a065243c1e091da3f804a911
Author: Miroslav Grepl <mgrepl>
Date:   Tue Apr 30 08:18:07 2013 +0200

    Allow pki apache domain to create own tmp files and execute httpd_suexec
I need to fix labeling for /usr/share/pki.
After installing the following yum build:

    # yum update selinux-policy-3.11.1-93.fc18.noarch.rpm selinux-policy-targeted-3.11.1-93.fc18.noarch.rpm selinux-policy-devel-3.11.1-93.fc18.noarch.rpm selinux-policy-doc-3.11.1-93.fc18.noarch.rpm

I encountered the following AVCs when attempting to install an RA in Permissive mode:

    # cat /var/log/audit/audit.log | audit2allow -R

    require {
            type pki_ra_t;
            type cert_t;
            class file { execute execute_no_trans };
    }

    #============= pki_ra_t ==============
    allow pki_ra_t cert_t:file { execute execute_no_trans };

The entire RA audit.log file will be attached.
Created attachment 742927: AVC audit.log messages (RA) - after installation of scratch selinux policy build
After installing the following yum build:

    # yum update selinux-policy-3.11.1-93.fc18.noarch.rpm selinux-policy-targeted-3.11.1-93.fc18.noarch.rpm selinux-policy-devel-3.11.1-93.fc18.noarch.rpm selinux-policy-doc-3.11.1-93.fc18.noarch.rpm

I encountered the following AVCs when attempting to install a TPS in Permissive mode:

    # cat /var/log/audit/audit.log | audit2allow -R

    require {
            type cert_t;
            type pki_tps_t;
            class file { execute execute_no_trans };
    }

    #============= pki_tps_t ==============
    allow pki_tps_t cert_t:file { execute execute_no_trans };

The entire TPS audit.log file will be attached.
Created attachment 742928: AVC audit.log messages (TPS) - after installation of scratch selinux policy build
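The audit2allow output quoted in the description and in the two comments above is a summary of individual AVC records. The following script is an added example (not part of this bug report or of the selinux-policy package) that shows how those records map to the allow rules: it parses constructed AVC lines shaped like the pki_tps_t/httpd_suexec_exec_t and pki_ra_t/cert_t denials reported here and merges them per (source type, target type, class). The sample records, pids and paths are constructed, not taken from the attachments.

```shell
# Constructed sample audit records (not the attachments from this bug), shaped
# like the denials the report describes: pki_tps_t reading/executing the
# httpd_suexec_exec_t binary and pki_ra_t executing a cert_t file.
SAMPLE_AVCS='type=AVC msg=audit(1367300000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="suexec" scontext=system_u:system_r:pki_tps_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
type=AVC msg=audit(1367300000.124:457): avc:  denied  { execute } for  pid=1234 comm="httpd" name="suexec" scontext=system_u:system_r:pki_tps_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
type=AVC msg=audit(1367300000.125:458): avc:  denied  { execute_no_trans } for  pid=1235 comm="httpd" path="/constructed/example" scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1367300000.125:458): arch=c000003e syscall=59 success=yes exit=0'

# avc_to_allow: read audit records on stdin and print one
#   allow <source type> <target type>:<class> { <perms> };
# line per (source, target, class), merging the permissions of every matching
# denial. This is the shape audit2allow prints; only the permission order
# differs (sorted here, class-declaration order in audit2allow).
avc_to_allow() {
  LC_ALL=C awk '/^type=AVC / && /avc: +denied/ {
      split($0, a, "{"); split(a[2], b, "}")                     # b[1] = denied perms
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, f, ":"); s = f[3] }   # source (domain) type
        if ($i ~ /^tcontext=/) { split($i, f, ":"); t = f[3] }   # target type
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }             # object class
      }
      n = split(b[1], p, " ")
      for (i = 1; i <= n; i++) print s, t ":" c, p[i]
    }' | LC_ALL=C sort -u | awk '
      ($1 " " $2) != key { if (key != "") print "allow " key " { " perms " };"
                           key = $1 " " $2; perms = $3; next }
      { perms = perms " " $3 }
      END { if (key != "") print "allow " key " { " perms " };" }'
}

# sample_rules: run the converter over the constructed records above.
sample_rules() {
  printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
}

sample_rules
```

On a real system the same function can be fed `ausearch -m AVC -ts recent` output to see which domain/type pairs a policy update such as selinux-policy-3.11.1-94.fc18 still leaves denied.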
commit ebdb50273cd9216712af7d33795e35056375f833
Author: Miroslav Grepl <mgrepl>
Date:   Fri May 3 10:21:24 2013 +0200

    Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
selinux-policy-3.11.1-94.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-94.fc18
Package selinux-policy-3.11.1-94.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-94.fc18'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7743/selinux-policy-3.11.1-94.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18
selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.