* bug in policy (1.14-3+?) with apache.te unused
@ 2004-08-17 11:29 Luke Kenneth Casson Leighton
From: Luke Kenneth Casson Leighton @ 2004-08-17 11:29 UTC (permalink / raw)
  To: SE-Linux

hi,

i'm not using apache.

i upgraded to 1.14-6 on the policycoreutils and i get
httpd_sysadm_content_t does not exist in file_contexts
on a make relabel.

so.... well, i figured okay, let's make apache.te unused
(as i should have done in the first place) because apache
isn't on this system.

i get a compile error on openca.te not being able to find
httpd_t.

okay _now_ my make install relabel works :)

it's not such a big deal that openca.te can't find httpd_t
because, well, if you don't have an http server, what use
is the open cert auth stuff?

if that's not a rhetorical question then there is a bug in
the policy files there.

l.

-- 
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: bug in policy (1.14-3+?) with apache.te unused
From: Russell Coker @ 2004-08-18  8:45 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SE-Linux


On Tue, 17 Aug 2004 21:29, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> i upgraded to 1.14-6 on the policycoreutils and i get
> httpd_sysadm_content_t does not exist in file_contexts
> on a make relabel.

That's a minor bug in the apache policy for Debian, I'll fix it in the next 
upload.

> so.... well, i figured okay, let's make apache.te unused
> (as i should have done in the first place) because apache
> isn't on this system.
>
> i get a compile error on openca.te not being able to find
> httpd_t.

openca-ca.te depends on apache.te .  Why do you want to use openca without 
Apache?  Is it usable?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: openca-ca.te --]

#DESC OpenCA - Open Certificate Authority
#
# Author:  Brian May <bam@snoopy.apana.org.au>
# X-Debian-Packages:
# Depends: apache.te
#

#################################
#
# domain for openCA cgi-bin scripts.
#
# Type that system CGI scripts run as
#
type openca_ca_t, domain;
role system_r types openca_ca_t;
uses_shlib(openca_ca_t)

# Types that system CGI scripts on the disk are 
# labeled with
#
type openca_ca_exec_t, file_type, sysadmfile;

# When the server starts the script it needs to get the proper context
#
ifdef(`apache.te', `
domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)

#
# Allow httpd daemon to search /usr/share/openca
#
allow httpd_t openca_usr_share_t:dir { getattr search };

################################################################
# Allow the web server to run scripts and serve pages
##############################################################
allow httpd_t bin_t:file { read execute }; # execute perl

allow httpd_t openca_ca_exec_t:file {execute getattr read};
allow httpd_t openca_ca_t:process {signal sigkill sigstop};
allow httpd_t openca_ca_t:process {transition};
allow httpd_t openca_ca_exec_t:dir r_dir_perms;

##################################################################
# Allow the script to get the file descriptor from the http daemon
# and send SIGCHLD to the http daemon
#################################################################
allow openca_ca_t httpd_t:process {sigchld};
allow openca_ca_t httpd_t:fd use;
allow openca_ca_t httpd_t:fifo_file {getattr write};

############################################
# Allow scripts to append to http logs
#########################################
allow openca_ca_t httpd_log_t:file { append getattr };
')

#############################################################
# Allow the script access to the library files so it can run
#############################################################
can_exec(openca_ca_t, lib_t)

########################################################################
# The script needs to inherit the file descriptor and find the script it
# needs to run
########################################################################
allow openca_ca_t initrc_t:fd {use};
allow openca_ca_t init_t:fd {use};
allow openca_ca_t default_t:dir r_dir_perms;
allow openca_ca_t random_device_t:chr_file r_file_perms;

#######################################################################
# Allow the script to return its output
######################################################################
#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
allow openca_ca_t null_device_t: chr_file rw_file_perms;
ifdef(`apache.te', `
allow openca_ca_t httpd_cache_t: file rw_file_perms;
')

###########################################################################
# Allow the script interpreters to run the scripts.  So
# the perl executable will be able to run a perl script
#########################################################################
can_exec(openca_ca_t, bin_t)

############################################################################
# Allow the script process to search the cgi directory, and users directory
##############################################################################
allow openca_ca_t openca_ca_exec_t:dir search;

#
# Allow access to writeable files under /etc/openca
#
allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;

#
# Allow access to other files under /etc/openca
#
allow openca_ca_t openca_etc_t:file r_file_perms;
allow openca_ca_t openca_etc_t:dir r_dir_perms;

#
# Allow access to private CA key
#
allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;

#
# Allow access to other /var/lib/openca files
#
allow openca_ca_t openca_var_lib_t:file create_file_perms;
allow openca_ca_t openca_var_lib_t:dir create_dir_perms;

#
# Allow access to other /usr/share/openca files
#
allow openca_ca_t openca_usr_share_t:file r_file_perms;
allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
allow openca_ca_t openca_usr_share_t:dir r_dir_perms;

# /etc/openca standard files
type openca_etc_t, file_type, sysadmfile;

# /etc/openca template files
type openca_etc_in_t, file_type, sysadmfile;

# /etc/openca writeable (from CGI script) files
type openca_etc_writeable_t, file_type, sysadmfile;

# /var/lib/openca
type openca_var_lib_t, file_type, sysadmfile;

# /var/lib/openca/crypto/keys
type openca_var_lib_keys_t, file_type, sysadmfile;

# /usr/share/openca
type openca_usr_share_t, file_type, sysadmfile;


* Re: bug in policy (1.14-3+?) with apache.te unused
From: Luke Kenneth Casson Leighton @ 2004-08-18 10:02 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE-Linux

On Wed, Aug 18, 2004 at 06:45:50PM +1000, Russell Coker wrote:
> On Tue, 17 Aug 2004 21:29, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > i upgraded to 1.14-6 on the policycoreutils and i get
> > httpd_sysadm_content_t does not exist in file_contexts
> > on a make relabel.
> 
> That's a minor bug in the apache policy for Debian, I'll fix it in the next 
> upload.
 
 ah, cool.

 well, i removed apache.te and openca.te and that fixed it, too.

> > so.... well, i figured okay, let's make apache.te unused
> > (as i should have done in the first place) because apache
> > isn't on this system.
> >
> > i get a compile error on openca.te not being able to find
> > httpd_t.
> 
> openca-ca.te depends on apache.te .  Why do you want to use openca without 
> Apache?  Is it usable?

 ... i have _no_ idea :)

 if it's a dependency, maybe it's good that it breaks.

 it would be better to have some sort of more descriptive error
 message saying "you don't have a policy for apache.te but are trying
 to use openca.te".

 then people can choose, based on now knowing what's going on, to either
 install apache.te or remove openca.te.

 *shrug* :)


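The check Luke asks for above, a message that names the missing module before the compiler fails on an undefined httpd_t, as an added shell example that is not part of this thread or of Russell's packages. It assumes the old example-policy layout in which each domains/program/*.te can carry a "# Depends:" header line (as Russell's attachment does) and unused modules are moved out of that directory, so a dependency only counts as present if its file still sits there; the function names and the constructed demo tree are mine.

```shell
#!/bin/sh
# Added example: pre-build dependency check for an example-policy tree.
# A module declares its dependencies in a "# Depends: foo.te bar.te" header;
# a dependency counts as present only if DIR/foo.te exists (files moved to an
# unused/ subdirectory are deliberately not found).
#
# check_te_deps DIR  -> returns 0 when every declared dependency is present,
#                       1 otherwise, printing one line per missing module.
check_te_deps() {
    dir=$1
    missing=0
    for te in "$dir"/*.te; do
        [ -f "$te" ] || continue
        name=${te##*/}
        # Pull the Depends: header(s); commas and extra whitespace are tolerated.
        deps=$(sed -n 's/^#[[:space:]]*Depends:[[:space:]]*//p' "$te" | tr ',' ' ')
        for dep in $deps; do
            if [ ! -f "$dir/$dep" ]; then
                echo "ERROR: $name depends on $dep, but $dir/$dep is not present" \
                     "(is $dep unused?). Install $dep or make $name unused too." >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Constructed demo tree reproducing the situation from the thread:
# openca-ca.te declares "Depends: apache.te" while apache.te is absent.
make_demo_tree() {
    d=$(mktemp -d)
    printf '#DESC OpenCA - Open Certificate Authority\n# Depends: apache.te\ntype openca_ca_t, domain;\n' \
        > "$d/openca-ca.te"
    echo "$d"
}

demo=$(make_demo_tree)
check_te_deps "$demo" || echo "policy tree $demo has unmet dependencies; not building"
```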

