apcupsd

grift dominick.grift at gmail.com
Tue Dec 18 17:18:18 UTC 2012


On Tue, 2012-12-18 at 17:17 +0000, Moray Henderson wrote:
> > -----Original Message-----
> > From: grift [mailto:dominick.grift at gmail.com]
> > Sent: 18 December 2012 17:01
> > 
> > On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
> > > On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> > > > Hi SELinux
> > 
> > >
> > > mkdir myapcupsd; cd myapcupsd; echo "policy_module(myapcupsd, 1.0.0)
> > > gen_require(\` type apcupsd_t; ')
> > > corenet_udp_bind_generic_node(apcupsd_t)
> > > corenet_udp_bind_snmp_port(apcupsd_t)
> > > allow apcupsd_t self:capability net_bind_service;" > myapcupsd.te
> > >
> > > make -f /usr/share/selinux/devel/Makefile myapcupsd.pp; sudo semodule -i myapcupsd.pp;
> > >
> > > consider filing a bugzilla please
> > 
> > I am adding this upstream (should eventually trickle down):
> > 
> > > From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012
> > > 17:59:34 +0100
> > > From: Dominick Grift <dominick.grift at gmail.com>
> > > Date: Tue, 18 Dec 2012 17:59:18 +0100
> > > Subject: [PATCH] Changes to the apcupsd policy module
> > >
> > >
> > > Support apcupsd configured for snmp
> > >
> > > Signed-off-by: Dominick Grift <dominick.grift at gmail.com> diff --git
> > > a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644
> > > --- a/apcupsd.te
> > > +++ b/apcupsd.te
> > > @@ -1,4 +1,4 @@
> > > -policy_module(apcupsd, 1.8.3)
> > > +policy_module(apcupsd, 1.8.4)
> > >
> > >  ########################################
> > >  #
> > > @@ -29,7 +29,7 @@
> > >  # Local policy
> > >  #
> > >
> > > -allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > > };
> > > +allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > > +net_bind_service };
> > >  allow apcupsd_t self:process signal;
> > >  allow apcupsd_t self:fifo_file rw_file_perms;  allow apcupsd_t
> > > self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20
> > > @@
> > >  corenet_all_recvfrom_netlabel(apcupsd_t)
> > >  corenet_tcp_sendrecv_generic_if(apcupsd_t)
> > >  corenet_tcp_sendrecv_generic_node(apcupsd_t)
> > > -corenet_tcp_sendrecv_all_ports(apcupsd_t)
> > >  corenet_tcp_bind_generic_node(apcupsd_t)
> > > +corenet_udp_sendrecv_generic_if(apcupsd_t)
> > > +corenet_udp_sendrecv_generic_node(apcupsd_t)
> > > +corenet_udp_bind_generic_node(apcupsd_t)
> > >
> > >  corenet_tcp_bind_apcupsd_port(apcupsd_t)
> > >  corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
> > > +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
> > >  corenet_tcp_connect_apcupsd_port(apcupsd_t)
> > >
> > > +corenet_udp_bind_snmp_port(apcupsd_t)
> > > +corenet_sendrecv_snmp_server_packets(apcupsd_t)
> > > +corenet_udp_sendrecv_snmp_port(apcupsd_t)
> > > +
> > >  dev_rw_generic_usb_dev(apcupsd_t)
> > >
> > >  files_read_etc_files(apcupsd_t)
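Review bot: In the @@ -29,7 hunk, the `net_bind_service` added to the `allow apcupsd_t self:capability { ... }` line is redundant, because `corenet_udp_bind_snmp_port(apcupsd_t)` in the following hunk already grants that capability (as Moray points out below); drop it from the explicit capability set so the module does not carry a duplicate rule that has to be kept in step with the port interface.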
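Review bot: In the @@ -58,13 hunk, replacing `corenet_tcp_sendrecv_all_ports(apcupsd_t)` with the narrower `corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)` is a tightening that the commit message ("Support apcupsd configured for snmp") does not mention; state it in the message so that any later regression on another TCP port can be traced back to this change. Consider also wrapping the three new `*_snmp_*` rules in a `tunable_policy` block, as refpolicy does for optional daemon features, rather than granting every apcupsd_t process snmp port access unconditionally.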
> 
> Excellent - thanks.  It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service.  Do you still want an RHEL 6 bug logged?

nice catch on the net_bind_service :)

Welp, that is up to you. Not sure how soon this fix would end up in el6
though.. but then again, reporting it could not hurt.. or could it?

> 
> Moray.
> “To err is human; to purr, feline.”