166451 – Policy for Roundup issue tracker

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 166451 - Policy for Roundup issue tracker

Summary: Policy for Roundup issue tracker

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-strict
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-08-21 20:05 UTC by W. Michael Petullo
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:	1.25.4-9
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-03-20 19:52:06 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Created roundup.te in unused directory (942 bytes, application/octet-stream) 2005-08-22 13:56 UTC, Daniel Walsh	no flags	Details
File Contexts (149 bytes, application/octet-stream) 2005-08-22 13:57 UTC, Daniel Walsh	no flags	Details
View All

Description W. Michael Petullo 2005-08-21 20:05:34 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.11) Gecko/20050815 Epiphany/1.7.4

Description of problem:
I am trying to get the Roundup issue tracking system into Fedora Extras.  The following allows Roundup to work with the strict SELinux policy:

domain_auto_trans(initrc_t, roundup_exec_t, roundup_t)

daemon_domain(roundup)
var_lib_domain(roundup)
can_network_server(roundup_t)
can_network_client(roundup_t)

file_type_auto_trans(roundup_t, var_run_t, roundup_var_run_t, file)

# execute python
allow roundup_t bin_t:dir r_dir_perms;
can_exec(roundup_t, bin_t)
allow roundup_t bin_t:lnk_file read;

allow roundup_t etc_t:file { getattr read };
allow roundup_t net_conf_t:file { getattr read };

allow roundup_t self:capability { setgid setuid };

allow roundup_t http_cache_port_t:tcp_socket { name_bind };
allow roundup_t smtp_port_t:tcp_socket { name_connect };
allow roundup_t self:unix_stream_socket { create connect shutdown setopt read write };

allow roundup_t mysqld_db_t:dir { search };
allow roundup_t mysqld_var_run_t:sock_file { write };
allow roundup_t mysqld_t:unix_stream_socket { connectto };
# /usr/share/mysql/charsets/Index.xml
allow roundup_t usr_t:file { getattr read };

allow roundup_t urandom_device_t:chr_file { read };

The following file contexts should be set:

/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
Notice that Roundup does not work when SELinux is enforcing the strict policy.
  

Additional info:

Comment 1 W. Michael Petullo 2005-08-21 20:08:37 UTC

The Roundup package is proposed in bug #165329.

Comment 2 Daniel Walsh 2005-08-22 13:56:30 UTC

Created attachment 117967 [details]
Created roundup.te in unused directory

Modified it in a few places since daemon_domain gives you some stuff for free.

Comment 3 Daniel Walsh 2005-08-22 13:57:11 UTC

Created attachment 117968 [details]
File Contexts

Comment 4 Daniel Walsh 2005-08-25 19:22:25 UTC

Added in selinux-policy-strict-1.25.4-9

Comment 5 W. Michael Petullo 2005-09-02 22:03:32 UTC

This still seems to be explicitly required required:

allow roundup_t etc_t:file { getattr read };

This is not in selinux-policy-strict-1.25.4-8.

Note You need to log in before you can comment on or make changes to this bug.