How to deal with Selinux local packages?

2008-12-22 Thread Steven Stern

Ran a yum update today that picked up these packages

 selinux-policy           noarch   3.5.13-34.fc10   updates   613 k
 selinux-policy-targeted  noarch   3.5.13-34.fc10   updates   2.0 M

and saw this:

  Updating   : selinux-policy-targeted
 28/104
libsepol.print_missing_requirements: policy20080911's global
requirements were not met: type/attribute user_gnome_home_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

The policy 20080911 was something created with audit2allow to work
around a problem with a prior default selinux policy.

Is there a better way to manage needed local exceptions?

--

  Steve

Please snip when replying.  Here's the policy:

module policy20080911 1.0;

require {
type unconfined_t;
type unconfined_tmpfs_t;
type user_gnome_home_t;
type system_dbusd_var_run_t;
type mqueue_spool_t;
type user_home_t;
type user_mozilla_home_t;
type home_root_t;
type port_t;
type system_dbusd_t;
type tmp_t;
type smtp_port_t;
type ftpd_t;
type httpd_sys_content_t;
type etc_mail_t;
type user_tmp_t;
type var_run_t;
type passwd_t;
type consolekit_t;
type user_home_dir_t;
type admin_home_t;
type httpd_t;
type iptables_t;
type bin_t;
type sshd_t;
type hald_t;
type file_t;
type mysqld_port_t;
type gconfd_exec_t;
type var_t;
type smbd_t;
type xferlog_t;
class lnk_file read;
class key { write search link };
class unix_stream_socket connectto;
class dbus send_msg;
class capability dac_override;
class tcp_socket { name_bind name_connect };
class file { rename execute setattr read lock create execute_no_trans write getattr link unlink append };
class sock_file { write create unlink getattr };
class sem { unix_read read write unix_write associate };
class shm { unix_read read write unix_write associate };
class dir { search setattr read create write getattr rmdir remove_name add_name };
}

#= consolekit_t ==
allow consolekit_t admin_home_t:file { read getattr };

#= ftpd_t ==
allow ftpd_t home_root_t:dir { read write getattr search add_name };
allow ftpd_t home_root_t:file { write getattr create };
allow ftpd_t self:capability dac_override;
allow ftpd_t self:key { write search };
allow ftpd_t user_home_dir_t:dir { getattr search };
allow ftpd_t user_home_t:dir { read write getattr search add_name };
allow ftpd_t user_home_t:file { read write getattr create };
allow ftpd_t var_run_t:file { write getattr setattr read lock unlink };
allow ftpd_t xferlog_t:dir { write add_name };

#= hald_t ==
allow hald_t passwd_t:dbus send_msg;

#= httpd_t ==
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file { read getattr };
allow httpd_t httpd_sys_content_t:file { write setattr };
allow httpd_t mqueue_spool_t:dir { write search read remove_name getattr add_name };
allow httpd_t mqueue_spool_t:file { write getattr read lock create unlink };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:sem { unix_read read write unix_write associate };
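One way to catch this class of failure before running semodule (an added example, not code from the thread or from the SELinux tools): parse the module's require block and compare the types it names against the types the updated base policy actually defines, then list the allow rules that depend on anything missing. The sample module and the installed-type set below are constructed stand-ins for the posted policy20080911 module and for the output of `seinfo -t`.

```python
"""Pre-check a .te module for types its require {} block names that the
installed base policy no longer defines (the cause of libsepol's
'global requirements were not met' link failure)."""
import re

# Constructed sample in the shape of the posted policy20080911 module.
SAMPLE_TE = """\
module policy20080911 1.0;

require {
\ttype httpd_t;
\ttype user_gnome_home_t;
\ttype mysqld_port_t;
\tclass tcp_socket { name_bind name_connect };
\tclass file { read getattr };
}

allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t user_gnome_home_t:file { read getattr };
"""

# Constructed stand-in for `seinfo -t` on the updated policy: here the
# home type is only defined as gnome_home_t, so user_gnome_home_t is gone.
INSTALLED_TYPES = {"httpd_t", "mysqld_port_t", "gnome_home_t"}

def require_blocks(te_text):
    """Yield the bodies of require { ... } blocks, honouring nested braces."""
    for m in re.finditer(r"\brequire\s*\{", te_text):
        depth, i = 1, m.end()
        while i < len(te_text) and depth:
            depth += {"{": 1, "}": -1}.get(te_text[i], 0)
            i += 1
        yield te_text[m.end():i - 1]

def required_types(te_text):
    """Set of types named by 'type X;' statements inside require blocks."""
    types = set()
    for body in require_blocks(te_text):
        types.update(re.findall(r"\btype\s+(\w+)\s*;", body))
    return types

def missing_requirements(te_text, installed):
    """Required types absent from the installed policy, sorted."""
    return sorted(required_types(te_text) - set(installed))

def rules_using(te_text, types):
    """Allow rules whose source or target type is in `types`."""
    pat = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)(?::|\s).*?;", re.M | re.S)
    return [m.group(0).strip() for m in pat.finditer(te_text)
            if m.group(1) in types or m.group(2) in types]

if __name__ == "__main__":
    missing = missing_requirements(SAMPLE_TE, INSTALLED_TYPES)
    print("unmet type requirements:", missing)
    for rule in rules_using(SAMPLE_TE, missing):
        print("rule depends on a missing type:", rule)
```

Each rule the check flags is one to drop or re-express against the current type (or alias) before the module is reinstalled; the rest of the module links unchanged.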

Re: How to deal with Selinux local packages?

2008-12-22 Thread Daniel J Walsh

Steven Stern wrote:
> Ran a yum update today that picked up these packages
> 
>  selinux-policy           noarch   3.5.13-34.fc10   updates   613 k
>  selinux-policy-targeted  noarch   3.5.13-34.fc10   updates   2.0 M
> 
> and saw this:
> 
>   Updating   : selinux-policy-targeted
>  28/104
> libsepol.print_missing_requirements: policy20080911's global
> requirements were not met: type/attribute user_gnome_home_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> The policy 20080911 was something created with audit2allow to work
> around a problem with a prior default selinux policy.
> 
> Is there a better way to manage needed local exceptions?
> 
This looks like a bug. gnome_home_t is supposed to be an alias of
user_gnome_home_t; not sure why you would have gotten this error.


-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines