Bug 166451 - Policy for Roundup issue tracker
Summary: Policy for Roundup issue tracker
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-08-21 20:05 UTC by W. Michael Petullo
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-20 19:52:06 UTC
Type: ---
Embargoed:


Attachments
Created roundup.te in unused directory (deleted)
2005-08-22 13:56 UTC, Daniel Walsh
File Contexts (deleted)
2005-08-22 13:57 UTC, Daniel Walsh

Description W. Michael Petullo 2005-08-21 20:05:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.11) Gecko/20050815 Epiphany/1.7.4

Description of problem:
I am trying to get the Roundup issue tracking system into Fedora Extras.  The following allows Roundup to work with the strict SELinux policy:

# run as roundup_t when an init script (initrc_t) executes a roundup_exec_t binary
domain_auto_trans(initrc_t, roundup_exec_t, roundup_t)

# daemon_domain declares roundup_t/roundup_exec_t plus the usual daemon rules;
# var_lib_domain declares roundup_var_lib_t for the data under /var/lib/roundup
daemon_domain(roundup)
var_lib_domain(roundup)
can_network_server(roundup_t)
can_network_client(roundup_t)

# a file the daemon creates under /var/run (the pid file) gets roundup_var_run_t
file_type_auto_trans(roundup_t, var_run_t, roundup_var_run_t, file)

# execute python
allow roundup_t bin_t:dir r_dir_perms;
can_exec(roundup_t, bin_t)
allow roundup_t bin_t:lnk_file read;

# read system configuration (/etc) and resolver configuration (net_conf_t)
allow roundup_t etc_t:file { getattr read };
allow roundup_t net_conf_t:file { getattr read };

# needed to drop to an unprivileged user after start-up
allow roundup_t self:capability { setgid setuid };

# listen on an http_cache port (8080 is in that class) and send mail via SMTP
allow roundup_t http_cache_port_t:tcp_socket { name_bind };
allow roundup_t smtp_port_t:tcp_socket { name_connect };
allow roundup_t self:unix_stream_socket { create connect shutdown setopt read write };

# connect to the local MySQL server over its unix socket
allow roundup_t mysqld_db_t:dir { search };
allow roundup_t mysqld_var_run_t:sock_file { write };
allow roundup_t mysqld_t:unix_stream_socket { connectto };
# /usr/share/mysql/charsets/Index.xml
allow roundup_t usr_t:file { getattr read };

# entropy for session ids and the like
allow roundup_t urandom_device_t:chr_file { read };

The following file contexts should be set:

/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
Notice that Roundup does not work when SELinux is enforcing the strict policy.

Additional info:

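The same grants as the report above, written in reference-policy interface syntax (the style later selinux-policy releases use), added here as an example; it is not the bug's attachment nor any shipped module, the interface and pattern names are assumed from the reference policy, and the module version is a placeholder.

```selinux
# roundup.te (added example; interface names assumed from the reference policy)
policy_module(roundup, 0.0.1)

########################################
# Declarations

type roundup_t;
type roundup_exec_t;
init_daemon_domain(roundup_t, roundup_exec_t)   # initrc_t -> roundup_t on exec

type roundup_var_lib_t;
files_type(roundup_var_lib_t)                    # /var/lib/roundup(/.*)?

type roundup_var_run_t;
files_pid_file(roundup_var_run_t)                # pid file under /var/run

########################################
# Local policy

# drop to an unprivileged user after start-up (setuid/setgid from the report)
allow roundup_t self:capability { setgid setuid };
allow roundup_t self:unix_stream_socket create_stream_socket_perms;
allow roundup_t self:tcp_socket create_stream_socket_perms;

# tracker data and pid file
manage_dirs_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
files_var_lib_filetrans(roundup_t, roundup_var_lib_t, { dir file })
manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t)
files_pid_filetrans(roundup_t, roundup_var_run_t, file)

# python interpreter, /etc, resolver config, /usr/share data, /dev/urandom
corecmd_exec_bin(roundup_t)
files_read_etc_files(roundup_t)
files_read_usr_files(roundup_t)
sysnet_read_config(roundup_t)
dev_read_urand(roundup_t)

# listen on an http_cache port, connect out to SMTP
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_tcp_sendrecv_generic_node(roundup_t)
corenet_tcp_bind_generic_node(roundup_t)
corenet_tcp_bind_http_cache_port(roundup_t)
corenet_tcp_connect_smtp_port(roundup_t)

# local MySQL over its unix socket (replaces the three mysqld_* allow rules)
optional_policy(`
	mysql_stream_connect(roundup_t)
')
```

The matching roundup.fc keeps the two entries from the report, but the `/var/lib/roundup(/.*)?` line should carry no `--` class so that the directory itself and its subdirectories are labelled roundup_var_lib_t rather than only regular files.
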
Comment 1 W. Michael Petullo 2005-08-21 20:08:37 UTC
The Roundup package is proposed in bug #165329.

Comment 2 Daniel Walsh 2005-08-22 13:56:30 UTC
Created attachment 117967
Created roundup.te in unused directory

Modified it in a few places since daemon_domain gives you some stuff for free.

Comment 3 Daniel Walsh 2005-08-22 13:57:11 UTC
Created attachment 117968
File Contexts

Comment 4 Daniel Walsh 2005-08-25 19:22:25 UTC
Added in selinux-policy-strict-1.25.4-9

Comment 5 W. Michael Petullo 2005-09-02 22:03:32 UTC
This still seems to be explicitly required:

allow roundup_t etc_t:file { getattr read };

This is not in selinux-policy-strict-1.25.4-8.
