On 10/20/2010 01:23 PM, Vadym Chepkov wrote:
On Oct 20, 2010, at 3:17 AM, Miroslav Grepl wrote:
> On 10/20/2010 01:35 AM, Vadym Chepkov wrote:
>> On Oct 19, 2010, at 9:33 AM, Miroslav Grepl wrote:
>>
>>> On 10/19/2010 01:58 PM, Vadym Chepkov wrote:
>>>> On Oct 19, 2010, at 3:17 AM, Miroslav Grepl wrote:
>>>>
>>>>> On 10/18/2010 04:46 PM, Vadym Chepkov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have an issue I would like to fix properly.
>>>>>>
>>>>>> I have a policy for mediawiki defined this way:
>>>>>>
>>>>>> apache_content_template(mediawiki)
>>>>>> apache_search_sys_content(httpd_mediawiki_script_t)
>>>>>>
>>>>>> /var/www/mediawiki/bin(/.*)?
>>>>>>
gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
>>>>>> /var/www/mediawiki/images(/.*)?
>>>>>>
gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
>>>>>> /var/www/mediawiki/cache(/.*)?
>>>>>>
gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
>>>>> Vadym,
>>>>> we shipped the mediawiki policy in Fedora 13+. Any chance you have
some of these Fedora release?
>>>>>
>>>> This package is usually very behind. mediawiki 1.15.5 and 1.16.0 were
released back in July and they are security releases no less,
>>>> but Fedora still has 1.15.4
>>>> Anyway, I always install directly from mediawiki subversion tag.
>>>> I don't need multi-site feature and other then that I don't see
any other patches that would prevent the problem I have.
>>>> I tried to check what selinux policy does Fedora provide and I found just
one line in selinux-policy-3.7.19-62.fc13.src.rpm :
>>> The mediawiki policy was added to selinux-policy-3.7.19-65.fc13 policy which
should be available from the stable repo now. So you can update your policy and try to
test the mediawiki policy which we shipped and you can help us to improve this policy.
>>>
>> Yep, I see it now.
>> There are several scripts in the package without proper context:
>>
>> /usr/share/mediawiki/bin
>> /usr/share/mediawiki/bin/svnstat
>> /usr/share/mediawiki/bin/ulimit-tvf.sh
>> /usr/share/mediawiki/bin/ulimit.sh
>> /usr/share/mediawiki/bin/ulimit4.sh
>>
>> I had them as httpd_mediawiki_script_exec_t, because ulimit scripts are
definitely used: that's what I had to give them :
>>
>> apache_search_sys_content(httpd_mediawiki_script_t)
>> fs_rw_anon_inodefs_files(httpd_mediawiki_script_t)
>> allow httpd_mediawiki_script_t httpd_t:file read;
>> allow httpd_mediawiki_script_t self:process setrlimit;
>>
> So does it work with these rules, labels and with the policy which we shipped?
I will install mediawiki somewhere on fedora and will try it out.
OK
Even after I removed 'permissive' I can't compile it on
EPEL:
Compiling targeted mediawiki module
/usr/bin/checkmodule: loading policy configuration from tmp/mediawiki.tmp
mediawiki.te:26:ERROR 'syntax error' at token ':' on line 99670:
allow tmp_t:dir { getattr search };
#line 26
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mediawiki.mod] Error 1
line 26 is this
userdom_read_user_tmp_files(httpd_mediawiki_script_t)
Yes, this interface is called
in the template interfaces in RHEL. Two
arguments are needed:
userdom_read_user_tmp_files(prefix,domain)
So just try to remove this interface.
>> I wasn't able to compile this policy on RHEL :(
>> It uses 'permissive' domain, which is not available there. Why is it
used, by the way? Does it mean "work in progress" ?
> We can push out a new policy as permissive domain and simply collect AVC messages.
Users don’t have to switch to permissive mode globally and they can stay in the enforcing
mode.
>
>
> Miroslav
>> Thanks,
>> Vadym
>>
>>
>>
>>