How to deal with Selinux local packages?
Steven Stern
subscribed-lists at sterndata.com
Mon Dec 22 13:15:19 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ran a yum update today that picked up these pages
selinux-policy noarch 3.5.13-34.fc10 updates 613 k
selinux-policy-targeted noarch 3.5.13-34.fc10 updates 2.0 M
and saw this:
Updating : selinux-policy-targeted
28/104
libsepol.print_missing_requirements: policy20080911's global
requirements were not met: type/attribute user_gnome_home_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
The policy 20080911 was something created with audit2allow to work
around a problem with a prior defefault selinux policy.
Is there a better way to manage needed local exceptions?
- --
Steve
Please snip when replying. Here's the policy:
module policy20080911 1.0;
require {
type unconfined_t;
type unconfined_tmpfs_t;
type user_gnome_home_t;
type system_dbusd_var_run_t;
type mqueue_spool_t;
type user_home_t;
type user_mozilla_home_t;
type home_root_t;
type port_t;
type system_dbusd_t;
type tmp_t;
type smtp_port_t;
type ftpd_t;
type httpd_sys_content_t;
type etc_mail_t;
type user_tmp_t;
type var_run_t;
type passwd_t;
type consolekit_t;
type user_home_dir_t;
type admin_home_t;
type httpd_t;
type iptables_t;
type bin_t;
type sshd_t;
type hald_t;
type file_t;
type mysqld_port_t;
type gconfd_exec_t;
type var_t;
type smbd_t;
type xferlog_t;
class lnk_file read;
class key { write search link };
class unix_stream_socket connectto;
class dbus send_msg;
class capability dac_override;
class tcp_socket { name_bind name_connect };
class file { rename execute setattr read lock create execute_no_trans wr
ite getattr link unlink append };
class sock_file { write create unlink getattr };
class sem { unix_read read write unix_write associate };
class shm { unix_read read write unix_write associate };
class dir { search setattr read create write getattr rmdir remove_name a
dd_name };
}
require {
type unconfined_t;
type unconfined_tmpfs_t;
type user_gnome_home_t;
type system_dbusd_var_run_t;
type mqueue_spool_t;
type user_home_t;
type user_mozilla_home_t;
type home_root_t;
type port_t;
type system_dbusd_t;
type tmp_t;
type smtp_port_t;
type ftpd_t;
type httpd_sys_content_t;
type etc_mail_t;
type user_tmp_t;
type var_run_t;
type passwd_t;
type consolekit_t;
type user_home_dir_t;
type admin_home_t;
type httpd_t;
type iptables_t;
type bin_t;
type sshd_t;
type hald_t;
type file_t;
type mysqld_port_t;
type gconfd_exec_t;
type var_t;
type smbd_t;
type xferlog_t;
class lnk_file read;
class key { write search link };
class unix_stream_socket connectto;
class dbus send_msg;
class capability dac_override;
class tcp_socket { name_bind name_connect };
class file { rename execute setattr read lock create execute_no_trans wr
ite getattr link unlink append };
class sock_file { write create unlink getattr };
class sem { unix_read read write unix_write associate };
class shm { unix_read read write unix_write associate };
class dir { search setattr read create write getattr rmdir remove_name a
dd_name };
}
#============= consolekit_t ==============
allow consolekit_t admin_home_t:file { read getattr };
#============= ftpd_t ==============
allow ftpd_t home_root_t:dir { read write getattr search add_name };
allow ftpd_t home_root_t:file { write getattr create };
allow ftpd_t self:capability dac_override;
allow ftpd_t self:key { write search };
allow ftpd_t user_home_dir_t:dir { getattr search };
allow ftpd_t user_home_t:dir { read write getattr search add_name };
allow ftpd_t user_home_t:file { read write getattr create };
allow ftpd_t var_run_t:file { write getattr setattr read lock unlink };
allow ftpd_t xferlog_t:dir { write add_name };
#============= hald_t ==============
allow hald_t passwd_t:dbus send_msg;
#============= httpd_t ==============
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file { read getattr };
allow httpd_t httpd_sys_content_t:file { write setattr };
allow httpd_t mqueue_spool_t:dir { write search read remove_name getattr
add_nam
e };
allow httpd_t mqueue_spool_t:file { write getattr read lock create unlink };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:sem { unix_read read write unix_write
associate };
allow httpd_t unconfined_t:shm { unix_read read write unix_write
associate };
allow httpd_t unconfined_tmpfs_t:file { read write };
allow httpd_t user_home_t:dir { read getattr search };
allow httpd_t user_home_t:file { read getattr };
allow httpd_t user_tmp_t:dir { read search getattr };
allow httpd_t user_tmp_t:file { read getattr setattr };
#============= iptables_t ==============
allow iptables_t user_tmp_t:file read;
allow iptables_t var_t:file append;
#============= passwd_t ==============
allow passwd_t bin_t:file { read execute execute_no_trans };
allow passwd_t gconfd_exec_t:file { read execute execute_no_trans };
allow passwd_t hald_t:dbus send_msg;
allow passwd_t system_dbusd_t:dbus send_msg;
allow passwd_t system_dbusd_t:unix_stream_socket connectto;
allow passwd_t system_dbusd_var_run_t:sock_file write;
allow passwd_t tmp_t:dir { write setattr read remove_name create add_name };
allow passwd_t tmp_t:sock_file { write create unlink getattr };
allow passwd_t user_gnome_home_t:dir { write remove_name add_name };
allow passwd_t user_gnome_home_t:file { rename write setattr read create
unlink
};
allow passwd_t user_home_t:dir { write remove_name add_name };
allow passwd_t user_home_t:file { write read create unlink rename };
allow passwd_t user_tmp_t:dir { write rmdir read remove_name create
add_name };
allow passwd_t user_tmp_t:file { read lock create unlink link };
#============= smbd_t ==============
allow smbd_t admin_home_t:file getattr;
allow smbd_t file_t:file getattr;
allow smbd_t home_root_t:dir { search getattr };
allow smbd_t user_gnome_home_t:dir getattr;
allow smbd_t user_home_dir_t:dir { read getattr search };
allow smbd_t user_home_t:dir { read getattr search };
allow smbd_t user_home_t:file { read lock getattr };
allow smbd_t user_home_t:lnk_file read;
allow smbd_t user_mozilla_home_t:dir getattr;
allow smbd_t var_t:dir { read write add_name setattr };
allow smbd_t var_t:file { write getattr setattr read lock create };
#============= sshd_t ==============
allow sshd_t port_t:tcp_socket name_bind;
allow sshd_t smbd_t:key { search link };
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAklPkucACgkQeERILVgMyvD0agCfTDlu1YLU5mtu8tzSOc0ymCMT
IiEAnRfbpzbOCUh+E2YKmTG4itnFh2eP
=ZM4x
-----END PGP SIGNATURE-----
More information about the users
mailing list