06-30-2010, 09:03 PM
Dominick Grift

SELinux and Shorewall with IPSets

On 06/30/2010 11:00 PM, Mr Dash Four wrote:
>
>> this is what i committed to my branch that might fix that:
>>
>> ------------------------ policy/modules/apps/livecd.te
>> ------------------------
>> index 4e69cdf..5d1084a 100644
>> @@ -23,7 +23,7 @@
>>
>> domain_ptrace_all_domains(livecd_t)
>>
>> -seutil_domtrans_setfiles_mac(livecd_t)
>> +seutil_run_setfiles_mac(livecd_t, system_r)
>>
>> manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>> manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>
>>
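Review bot: The added line hard-codes system_r as the second argument of seutil_run_setfiles_mac, and nothing in the hunk records why the plain seutil_domtrans_setfiles_mac(livecd_t) call was not enough. Add a comment above the call, or a line in the commit message, saying that the run form is used because it also authorizes the named role for the target domain, and confirm that system_r is the only role livecd_t runs under. Separately, the file header is a rendered "policy/modules/apps/livecd.te" banner rather than ---/+++ lines, so the text cannot be applied with patch as posted; share the git format-patch output instead.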
>
> Do I save this as ~/rpmbuld/SOURCES/DG-SELinux.patch and then apply it
> to my custom selinux-policy?

Replace it manually, because that isn't a proper patch.

Open policy/modules/apps/livecd.te, find
seutil_domtrans_setfiles_mac(livecd_t) and replace it with
seutil_run_setfiles_mac(livecd_t, system_r).

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
06-30-2010, 09:09 PM
Mr Dash Four

SELinux and Shorewall with IPSets

>>> this is what i committed to my branch that might fix that:
>>>
>>> ------------------------ policy/modules/apps/livecd.te
>>> ------------------------
>>> index 4e69cdf..5d1084a 100644
>>> @@ -23,7 +23,7 @@
>>>
>>> domain_ptrace_all_domains(livecd_t)
>>>
>>> -seutil_domtrans_setfiles_mac(livecd_t)
>>> +seutil_run_setfiles_mac(livecd_t, system_r)
>>>
>>> manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>> manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>>
>>>
>>>
>> Do I save this as ~/rpmbuld/SOURCES/DG-SELinux.patch and then apply it
>> to my custom selinux-policy?
>>
>
> Replace it manually, because that isn't a proper patch.
>
> Open policy/modules/apps/livecd.te, find
> seutil_domtrans_setfiles_mac(livecd_t) and replace it with
> seutil_run_setfiles_mac(livecd_t, system_r).
>
I presume this will be for the development machine (the one I am using
to create the image) as on the image itself livecd is not used at all
and is not needed. Is that correct? If so, I presume I need to compile
and install my own custom policy and replace it with the 'stock' version
- is that right?
 
06-30-2010, 09:14 PM
Dominick Grift

SELinux and Shorewall with IPSets

On 06/30/2010 11:09 PM, Mr Dash Four wrote:
>
>>>> this is what i committed to my branch that might fix that:
>>>>
>>>> ------------------------ policy/modules/apps/livecd.te
>>>> ------------------------
>>>> index 4e69cdf..5d1084a 100644
>>>> @@ -23,7 +23,7 @@
>>>>
>>>> domain_ptrace_all_domains(livecd_t)
>>>>
>>>> -seutil_domtrans_setfiles_mac(livecd_t)
>>>> +seutil_run_setfiles_mac(livecd_t, system_r)
>>>>
>>>> manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>>> manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
>>>>
>>>>
>>> Do I save this as ~/rpmbuld/SOURCES/DG-SELinux.patch and then apply it
>>> to my custom selinux-policy?
>>>
>>
>> Replace it manually, because that isn't a proper patch.
>>
>> Open policy/modules/apps/livecd.te, find
>> seutil_domtrans_setfiles_mac(livecd_t) and replace it with
>> seutil_run_setfiles_mac(livecd_t, system_r).
>>
> I presume this will be for the development machine (the one I am using
> to create the image) as on the image itself livecd is not used at all
> and is not needed. Is that correct? If so, I presume I need to compile
> and install my own custom policy and replace it with the 'stock' version
> - is that right?

It's a bug in policy, and in that regard it affects all systems. The
problem is that if you are going to maintain your own fork of
selinux_policy it will be much work to maintain (a Fedora update might
undo your changes).

Therefore it is best to submit this bug report to Fedora Bugzilla so
that the fix can be applied upstream, then eventually it will get pushed
to the repositories and end up on your system.

So in your case, you might want to, in the meantime, fix it with a
custom module (myseutils.pp) whilst your bug report is processed.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
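
The interim custom module suggested in the reply above, as an added example that is not part of the original thread: it writes myseutils.te with the same interface call as the quoted change, builds it and loads it. The module version, the devel Makefile path and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): interim local module for the fix above.
set -eu

MODULE=myseutils                                  # name suggested in the thread
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile  # assumed: policy devel files installed

# Write the module source into directory $1.
write_module() {
    cat > "$1/$MODULE.te" <<'EOF'
policy_module(myseutils, 1.0.0)

gen_require(`
	type livecd_t;
	role system_r;
')

# Same call as the added line of the quoted change.
seutil_run_setfiles_mac(livecd_t, system_r)
EOF
}

# Compile $MODULE.pp in directory $1 and load it (needs root).
build_and_load() {
    make -C "$1" -f "$DEVEL_MAKEFILE" "$MODULE.pp"
    semodule -i "$1/$MODULE.pp"
}

# Succeed only if the module name appears in the loaded module list.
module_loaded() {
    semodule -l | awk '{print $1}' | grep -qx "$MODULE"
}

# Remove the local module once the fixed selinux-policy package is installed.
drop_module() {
    semodule -r "$MODULE"
}

# Usage: sh myseutils.sh install|remove   (no argument: define functions only)
case "${1:-}" in
    install) dir=$(mktemp -d); write_module "$dir"; build_and_load "$dir"; module_loaded ;;
    remove)  drop_module ;;
esac
```

Run the remove step after the distribution update lands, so the local module does not linger alongside the corrected stock policy.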
 
06-30-2010, 09:31 PM
Mr Dash Four

SELinux and Shorewall with IPSets

> It's a bug in policy, and in that regard it affects all systems. The
> problem is that if you are going to maintain your own fork of
> selinux_policy it will be much work to maintain (a Fedora update might
> undo your changes).
>
> Therefore it is best to submit this bug report to Fedora Bugzilla so
> that the fix can be applied upstream, then eventually it will get pushed
> to the repositories and end up on your system.
>
> So in your case, you might want to, in the meantime, fix it with a
> custom module (myseutils.pp) whilst your bug report is processed.
>
I get you now! The way I see it I could maintain the source via a set
of patches recording the changes I have made (the source will only be
updated, the binary selinux-policy-* rpm won't be touched) and not
install (the stock) selinux-policy - from what I've seen apart from
selinux-targeted(minimal,mls) nothing else is dependent on this package,
so it won't break anything (for now, that is!).

This until the fix is officially released, that is.

I have just finished building the image and tested it again - there were
NO errors, none whatsoever! Superb work - thank you!
 
