How to deal with Selinux local packages?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ran a yum update today that picked up these packages selinux-policy noarch 3.5.13-34.fc10 updates 613 k selinux-policy-targeted noarch 3.5.13-34.fc10 updates 2.0 M and saw this: Updating : selinux-policy-targeted 28/104 libsepol.print_missing_requirements: policy20080911's global requirements were not met: type/attribute user_gnome_home_t libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! The policy 20080911 was something created with audit2allow to work around a problem with a prior default selinux policy. Is there a better way to manage needed local exceptions? - -- Steve Please snip when replying. Here's the policy: module policy20080911 1.0; require { type unconfined_t; type unconfined_tmpfs_t; type user_gnome_home_t; type system_dbusd_var_run_t; type mqueue_spool_t; type user_home_t; type user_mozilla_home_t; type home_root_t; type port_t; type system_dbusd_t; type tmp_t; type smtp_port_t; type ftpd_t; type httpd_sys_content_t; type etc_mail_t; type user_tmp_t; type var_run_t; type passwd_t; type consolekit_t; type user_home_dir_t; type admin_home_t; type httpd_t; type iptables_t; type bin_t; type sshd_t; type hald_t; type file_t; type mysqld_port_t; type gconfd_exec_t; type var_t; type smbd_t; type xferlog_t; class lnk_file read; class key { write search link }; class unix_stream_socket connectto; class dbus send_msg; class capability dac_override; class tcp_socket { name_bind name_connect }; class file { rename execute setattr read lock create execute_no_trans wr ite getattr link unlink append }; class sock_file { write create unlink getattr }; class sem { unix_read read write unix_write associate }; class shm { unix_read read write unix_write associate }; class dir { search setattr read create write getattr rmdir remove_name a dd_name }; } require { type unconfined_t; type unconfined_tmpfs_t; type user_gnome_home_t; type system_dbusd_var_run_t; type mqueue_spool_t; type user_home_t; type 
user_mozilla_home_t; type home_root_t; type port_t; type system_dbusd_t; type tmp_t; type smtp_port_t; type ftpd_t; type httpd_sys_content_t; type etc_mail_t; type user_tmp_t; type var_run_t; type passwd_t; type consolekit_t; type user_home_dir_t; type admin_home_t; type httpd_t; type iptables_t; type bin_t; type sshd_t; type hald_t; type file_t; type mysqld_port_t; type gconfd_exec_t; type var_t; type smbd_t; type xferlog_t; class lnk_file read; class key { write search link }; class unix_stream_socket connectto; class dbus send_msg; class capability dac_override; class tcp_socket { name_bind name_connect }; class file { rename execute setattr read lock create execute_no_trans wr ite getattr link unlink append }; class sock_file { write create unlink getattr }; class sem { unix_read read write unix_write associate }; class shm { unix_read read write unix_write associate }; class dir { search setattr read create write getattr rmdir remove_name a dd_name }; } #= consolekit_t == allow consolekit_t admin_home_t:file { read getattr }; #= ftpd_t == allow ftpd_t home_root_t:dir { read write getattr search add_name }; allow ftpd_t home_root_t:file { write getattr create }; allow ftpd_t self:capability dac_override; allow ftpd_t self:key { write search }; allow ftpd_t user_home_dir_t:dir { getattr search }; allow ftpd_t user_home_t:dir { read write getattr search add_name }; allow ftpd_t user_home_t:file { read write getattr create }; allow ftpd_t var_run_t:file { write getattr setattr read lock unlink }; allow ftpd_t xferlog_t:dir { write add_name }; #= hald_t == allow hald_t passwd_t:dbus send_msg; #= httpd_t == allow httpd_t etc_mail_t:dir { search getattr }; allow httpd_t etc_mail_t:file { read getattr }; allow httpd_t httpd_sys_content_t:file { write setattr }; allow httpd_t mqueue_spool_t:dir { write search read remove_name getattr add_nam e }; allow httpd_t mqueue_spool_t:file { write getattr read lock create unlink }; allow httpd_t mysqld_port_t:tcp_socket 
name_connect; allow httpd_t port_t:tcp_socket name_connect; allow httpd_t smtp_port_t:tcp_socket name_connect; allow httpd_t unconfined_t:sem { unix_read read write unix_write ass
Re: How to deal with Selinux local packages?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Steven Stern wrote: > Ran a yum update today that picked up these packages > > selinux-policy noarch 3.5.13-34.fc10 updates 613 k > selinux-policy-targeted noarch 3.5.13-34.fc10 updates 2.0 M > > and saw this: > > Updating : selinux-policy-targeted > 28/104 > libsepol.print_missing_requirements: policy20080911's global > requirements were not met: type/attribute user_gnome_home_t > libsemanage.semanage_link_sandbox: Link packages failed > semodule: Failed! > > The policy 20080911 was something created with audit2allow to work > around a problem with a prior default selinux policy. > > Is there a better way to manage needed local exceptions? > This looks like a bug. gnome_home_t is supposed to be an alias of user_gnome_home_t, so I am not sure why you would have gotten this error. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklP6gIACgkQrlYvE4MpobMW3gCcDIb2Z3SfSuH+YnFifwNava7q ga0AniyXXGg47lN7dME7Nr6hvZqOcP2L =stkv -END PGP SIGNATURE- -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines