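-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ran a yum update today that picked up these pages

selinux-policy noarch 3.5.13-34.fc10 updates 613 k
selinux-policy-targeted noarch 3.5.13-34.fc10 updates 2.0 M

and saw this:

Updating : selinux-policy-targeted 28/104
libsepol.print_missing_requirements: policy20080911's global requirements were not met: type/attribute user_gnome_home_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

The policy 20080911 was something created with audit2allow to work around a problem with a prior defefault selinux policy.

Is there a better way to manage needed local exceptions?

- -- Steve
Please snip when replying.

Here's the policy:

# policy20080911.te
#
# Local SELinux policy module generated with audit2allow on 2008-09-11 to
# work around denials seen under an earlier Fedora 10 targeted policy.
#
# Why the 3.5.13-34.fc10 update failed: every type named in the require
# block must exist in the base policy the module is linked against.  The
# update log above reports "global requirements were not met:
# type/attribute user_gnome_home_t", i.e. the new base policy no longer
# provides that type, so semodule could not relink this module and the
# policy upgrade aborted ("Link packages failed").  The rules that name
# user_gnome_home_t are marked below; removing or re-targeting them and
# rebuilding the module is the minimal fix.
#
# Managing local exceptions so they survive policy updates:
#  - First check whether a distribution boolean already covers the case
#    (`getsebool -a`, `semanage boolean -l`).  Booleans are maintained
#    with the base policy; a hand-written module is not.  Candidates for
#    the rules below (names from this policy era, verify locally):
#    httpd_enable_homedirs, httpd_can_network_connect,
#    httpd_can_network_connect_db, ftp_home_dir, samba_enable_home_dirs.
#  - Prefer labelling over allow rules: `semanage fcontext` for files and
#    directories, `semanage port -a -t ssh_port_t -p tcp <PORT>` for a
#    non-default sshd port (see the sshd_t rule at the end).
#  - Keep the module minimal and regenerate it from fresh AVC denials
#    after each policy update instead of carrying old rules forward.
#  - Rebuild after editing:
#      checkmodule -M -m -o policy20080911.mod policy20080911.te
#      semodule_package -o policy20080911.pp -m policy20080911.mod
#      semodule -i policy20080911.pp
#
# Note: as posted, the require block appeared twice verbatim (a paste
# artefact); a single copy is kept here.  Tokens split by e-mail line
# wrapping ("wr ite", "a dd_name", "add_nam e") have been rejoined.

module policy20080911 1.0;

require {
	type unconfined_t;
	type unconfined_tmpfs_t;
	type user_gnome_home_t;     # no longer provided by 3.5.13-34.fc10 -> link failure
	type system_dbusd_var_run_t;
	type mqueue_spool_t;
	type user_home_t;
	type user_mozilla_home_t;
	type home_root_t;
	type port_t;
	type system_dbusd_t;
	type tmp_t;
	type smtp_port_t;
	type ftpd_t;
	type httpd_sys_content_t;
	type etc_mail_t;
	type user_tmp_t;
	type var_run_t;
	type passwd_t;
	type consolekit_t;
	type user_home_dir_t;
	type admin_home_t;
	type httpd_t;
	type iptables_t;
	type bin_t;
	type sshd_t;
	type hald_t;
	type file_t;
	type mysqld_port_t;
	type gconfd_exec_t;
	type var_t;
	type smbd_t;
	type xferlog_t;
	class lnk_file read;
	class key { write search link };
	class unix_stream_socket connectto;
	class dbus send_msg;
	class capability dac_override;
	class tcp_socket { name_bind name_connect };
	class file { rename execute setattr read lock create execute_no_trans write getattr link unlink append };
	class sock_file { write create unlink getattr };
	class sem { unix_read read write unix_write associate };
	class shm { unix_read read write unix_write associate };
	class dir { search setattr read create write getattr rmdir remove_name add_name };
}

#============= consolekit_t ==============
# Read access to root's home (admin_home_t); narrow, but check which file
# triggered the denial before keeping it.
allow consolekit_t admin_home_t:file { read getattr };

#============= ftpd_t ==============
# Writing under home_root_t / user_home_t is what the ftp_home_dir boolean
# exists for.  dac_override lets the daemon bypass Unix file-mode checks
# altogether and should only be kept if a concrete denial requires it.
# The var_run_t and xferlog_t rules suggest the pid/log files carry a
# generic label; relabelling them is preferable to widening ftpd_t.
allow ftpd_t home_root_t:dir { read write getattr search add_name };
allow ftpd_t home_root_t:file { write getattr create };
allow ftpd_t self:capability dac_override;
allow ftpd_t self:key { write search };
allow ftpd_t user_home_dir_t:dir { getattr search };
allow ftpd_t user_home_t:dir { read write getattr search add_name };
allow ftpd_t user_home_t:file { read write getattr create };
allow ftpd_t var_run_t:file { write getattr setattr read lock unlink };
allow ftpd_t xferlog_t:dir { write add_name };

#============= hald_t ==============
allow hald_t passwd_t:dbus send_msg;

#============= httpd_t ==============
# Risk notes:
#  - write/setattr on httpd_sys_content_t lets the web server modify the
#    content it serves, removing the read-only separation that type is
#    meant to give; a dedicated writable content type is the usual answer.
#  - sem/shm access to unconfined_t shares IPC objects with unconfined
#    processes and is broader than any one application needs.
#  - user_home_t / user_tmp_t reads are covered by httpd_enable_homedirs;
#    the mysqld_port_t / smtp_port_t / port_t connects by the
#    httpd_can_network_connect* booleans.  The mqueue_spool_t and etc_mail_t
#    rules look like mail submission from a web app (a sendmail boolean may
#    cover this; verify with `semanage boolean -l`).
allow httpd_t etc_mail_t:dir { search getattr };
allow httpd_t etc_mail_t:file { read getattr };
allow httpd_t httpd_sys_content_t:file { write setattr };
allow httpd_t mqueue_spool_t:dir { write search read remove_name getattr add_name };
allow httpd_t mqueue_spool_t:file { write getattr read lock create unlink };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t unconfined_t:sem { unix_read read write unix_write associate };
allow httpd_t unconfined_t:shm { unix_read read write unix_write associate };
allow httpd_t unconfined_tmpfs_t:file { read write };
allow httpd_t user_home_t:dir { read getattr search };
allow httpd_t user_home_t:file { read getattr };
allow httpd_t user_tmp_t:dir { read search getattr };
allow httpd_t user_tmp_t:file { read getattr setattr };

#============= iptables_t ==============
# Reading a user temp file and appending to a generic var_t file from the
# firewall tool points at an unlabelled script/log; relabel the files
# rather than keep these rules.
allow iptables_t user_tmp_t:file read;
allow iptables_t var_t:file append;

#============= passwd_t ==============
# These let the passwd domain execute generic binaries, talk to the
# system bus, and create/rename/unlink files in tmp and user home
# directories.  That is a lot of write access for a setuid password
# tool; confirm which desktop action produced the denials before
# keeping it.  The two user_gnome_home_t rules are the ones that break
# the link against the updated base policy.
allow passwd_t bin_t:file { read execute execute_no_trans };
allow passwd_t gconfd_exec_t:file { read execute execute_no_trans };
allow passwd_t hald_t:dbus send_msg;
allow passwd_t system_dbusd_t:dbus send_msg;
allow passwd_t system_dbusd_t:unix_stream_socket connectto;
allow passwd_t system_dbusd_var_run_t:sock_file write;
allow passwd_t tmp_t:dir { write setattr read remove_name create add_name };
allow passwd_t tmp_t:sock_file { write create unlink getattr };
allow passwd_t user_gnome_home_t:dir { write remove_name add_name };                   # type missing after update
allow passwd_t user_gnome_home_t:file { rename write setattr read create unlink };     # type missing after update
allow passwd_t user_home_t:dir { write remove_name add_name };
allow passwd_t user_home_t:file { write read create unlink rename };
allow passwd_t user_tmp_t:dir { write rmdir read remove_name create add_name };
allow passwd_t user_tmp_t:file { read lock create unlink link };

#============= smbd_t ==============
# Home-directory sharing is what samba_enable_home_dirs is for.  The
# file_t rule means smbd touched an unlabelled file (restorecon it), and
# the var_t write rules suggest a share under /var with a generic label
# that should get a samba-specific context instead.  user_gnome_home_t is
# also referenced here and will fail the require on the new policy.
allow smbd_t admin_home_t:file getattr;
allow smbd_t file_t:file getattr;
allow smbd_t home_root_t:dir { search getattr };
allow smbd_t user_gnome_home_t:dir getattr;                                            # type missing after update
allow smbd_t user_home_dir_t:dir { read getattr search };
allow smbd_t user_home_t:dir { read getattr search };
allow smbd_t user_home_t:file { read lock getattr };
allow smbd_t user_home_t:lnk_file read;
allow smbd_t user_mozilla_home_t:dir getattr;
allow smbd_t var_t:dir { read write add_name setattr };
allow smbd_t var_t:file { write getattr setattr read lock create };

#============= sshd_t ==============
# Binding to generic port_t is far wider than one port; label the
# alternative port instead (`semanage port -a -t ssh_port_t -p tcp <PORT>`)
# and drop this rule.  The key access to smbd_t's keyring is unusual for
# sshd and worth re-checking against the original AVC.
allow sshd_t port_t:tcp_socket name_bind;
allow sshd_t smbd_t:key { search link };

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklPkucACgkQeERILVgMyvD0agCfTDlu1YLU5mtu8tzSOc0ymCMT
IiEAnRfbpzbOCUh+E2YKmTG4itnFh2eP
=ZM4x
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines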