On Tue, 2012-12-18 at 17:17 +0000, Moray Henderson wrote:
> -----Original Message-----
> From: grift [mailto:dominick.grift@gmail.com]
> Sent: 18 December 2012 17:01
>
> On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
> > On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> > > Hi SELinux
>
> >
> > mkdir myapcupsd; cd myapcupsd; echo "policy_module(myapcupsd, 1.0.0)
> > gen_require(\` type apcupsd_t; ')
> > corenet_udp_bind_generic_node(apcupsd_t)
> > corenet_udp_bind_snmp_port(apcupsd_t)
> > allow apcupsd_t self:capability net_bind_service;" > myapcupsd.te
> >
> > make -f /usr/share/selinux/devel/Makefile myapcupsd.pp; sudo semodule -i myapcupsd.pp
> >
> > consider filing a bugzilla please
>
> I am adding this upstream (should eventually trickle down):
>
> > From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012
> > 17:59:34 +0100
> > From: Dominick Grift <dominick.grift(a)gmail.com>
> > Date: Tue, 18 Dec 2012 17:59:18 +0100
> > Subject: [PATCH] Changes to the apcupsd policy module
> >
> >
> > Support apcupsd configured for snmp
> >
> > Signed-off-by: Dominick Grift <dominick.grift(a)gmail.com> diff --git
> > a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644
> > --- a/apcupsd.te
> > +++ b/apcupsd.te
> > @@ -1,4 +1,4 @@
> > -policy_module(apcupsd, 1.8.3)
> > +policy_module(apcupsd, 1.8.4)
> >
> > ########################################
> > #
> > @@ -29,7 +29,7 @@
> > # Local policy
> > #
> >
> > -allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > };
> > +allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > +net_bind_service };
> > allow apcupsd_t self:process signal;
> > allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t
> > self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20
> > @@
> > corenet_all_recvfrom_netlabel(apcupsd_t)
> > corenet_tcp_sendrecv_generic_if(apcupsd_t)
> > corenet_tcp_sendrecv_generic_node(apcupsd_t)
> > -corenet_tcp_sendrecv_all_ports(apcupsd_t)
> > corenet_tcp_bind_generic_node(apcupsd_t)
> > +corenet_udp_sendrecv_generic_if(apcupsd_t)
> > +corenet_udp_sendrecv_generic_node(apcupsd_t)
> > +corenet_udp_bind_generic_node(apcupsd_t)
> >
> > corenet_tcp_bind_apcupsd_port(apcupsd_t)
> > corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
> > +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
> > corenet_tcp_connect_apcupsd_port(apcupsd_t)
> >
> > +corenet_udp_bind_snmp_port(apcupsd_t)
> > +corenet_sendrecv_snmp_server_packets(apcupsd_t)
> > +corenet_udp_sendrecv_snmp_port(apcupsd_t)
> > +
> > dev_rw_generic_usb_dev(apcupsd_t)
> >
> > files_read_etc_files(apcupsd_t)
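Review bot: the `net_bind_service` capability added to the `allow apcupsd_t self:capability { ... }` rule in the `@@ -29,7 +29,7 @@` hunk is redundant with the `corenet_udp_bind_snmp_port(apcupsd_t)` call added further down, which, as pointed out later in this thread, already allows that capability; leaving the explicit capability line out keeps the module's local policy minimal and avoids a rule that stays behind if the port interface ever changes.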
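Review bot: removing `corenet_tcp_sendrecv_all_ports(apcupsd_t)` in the `@@ -58,13 +58,20 @@` hunk is a sensible tightening, but it is a behaviour change beyond the "Support apcupsd configured for snmp" the commit message describes: after this hunk apcupsd_t may send and receive TCP only on the apcupsd port (the new `corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)`), so any other TCP port the daemon used before will start producing AVC denials. Either verify against a networked apcupsd setup before dropping it, or move the removal into its own commit and say so in the message.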
Excellent - thanks. It looks as if corenet_udp_bind_snmp_port already allows the
capability net_bind_service. Do you still want an RHEL 6 bug logged?
nice catch on the net_bind_service :)
Welp, that is up to you. Not sure how soon this fix would end up in el6
though.. but then again, reporting it could not hurt.. or could it?
Moray.
“To err is human; to purr, feline.”