Transitions for files.

Vadym Chepkov vchepkov at gmail.com
Tue Oct 19 23:35:06 UTC 2010 

On Oct 19, 2010, at 9:33 AM, Miroslav Grepl wrote:

> On 10/19/2010 01:58 PM, Vadym Chepkov wrote:
>> On Oct 19, 2010, at 3:17 AM, Miroslav Grepl wrote:
>> 
>>> On 10/18/2010 04:46 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>> 
>>>> I have an issue I would like to fix properly.
>>>> 
>>>> I have a policy for mediawiki defined this way:
>>>> 
>>>> apache_content_template(mediawiki)
>>>> apache_search_sys_content(httpd_mediawiki_script_t)
>>>> 
>>>> /var/www/mediawiki/bin(/.*)?
>>>>        gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
>>>> /var/www/mediawiki/images(/.*)?
>>>>    gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
>>>> /var/www/mediawiki/cache(/.*)?
>>>>    gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
>>> Vadym,
>>> we shipped the mediawiki policy in Fedora 13+. Any chance you have some of these Fedora release?
>>> 
>> This package is usually very behind. mediawiki 1.15.5 and 1.16.0 were released back in July and they are security releases no less,
>> but Fedora still has 1.15.4
>> Anyway, I always install directly from mediawiki subversion tag.
>> I don't need multi-site feature and other then that I don't see any other patches that would prevent the problem I have.
>> I tried to check what selinux policy does Fedora provide and I found just one line in selinux-policy-3.7.19-62.fc13.src.rpm :
> The mediawiki policy was added to selinux-policy-3.7.19-65.fc13 policy which should be available from the stable repo now. So you can update your policy and try to test the mediawiki policy which we shipped and you can help us to improve this policy.
> 

Yep, I see it now.
There are several scripts in the package without proper context:

/usr/share/mediawiki/bin
/usr/share/mediawiki/bin/svnstat
/usr/share/mediawiki/bin/ulimit-tvf.sh
/usr/share/mediawiki/bin/ulimit.sh
/usr/share/mediawiki/bin/ulimit4.sh

I had them as httpd_mediawiki_script_exec_t, because ulimit scripts are definitely used: that's what I had to give them :

apache_search_sys_content(httpd_mediawiki_script_t)
fs_rw_anon_inodefs_files(httpd_mediawiki_script_t)
allow httpd_mediawiki_script_t httpd_t:file read;
allow httpd_mediawiki_script_t self:process setrlimit;

I wasn't able to compile this policy on RHEL :(
It uses 'permissive' domain, which is not available there. Why is it used, by the way? Does it mean "work in progress" ?

Thanks,
Vadym

More information about the selinux mailing list