On Tue, 2012-12-18 at 17:17 +0000, Moray Henderson wrote:
-----Original Message----- From: grift [mailto:dominick.grift@gmail.com] Sent: 18 December 2012 17:01
On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
Hi SELinux
mkdir myapcupsd; cd myapcupsd
# A quoted heredoc keeps the m4 quoting characters (` and ') intact; inside
# double quotes the backtick would start a shell command substitution.
cat > myapcupsd.te <<'EOF'
policy_module(myapcupsd, 1.0.0)

gen_require(`
    type apcupsd_t;
')

corenet_udp_bind_generic_node(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
allow apcupsd_t self:capability net_bind_service;
EOF
# The build target is the .pp package, not the .te source
make -f /usr/share/selinux/devel/Makefile myapcupsd.pp
sudo semodule -i myapcupsd.pp
Consider filing a bugzilla, please.
I am adding this upstream (should eventually trickle down):
From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012 17:59:34 +0100 From: Dominick Grift dominick.grift@gmail.com Date: Tue, 18 Dec 2012 17:59:18 +0100 Subject: [PATCH] Changes to the apcupsd policy module
Support apcupsd configured for snmp
Signed-off-by: Dominick Grift dominick.grift@gmail.com diff --git a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -1,4 +1,4 @@ -policy_module(apcupsd, 1.8.3) +policy_module(apcupsd, 1.8.4)
######################################## # @@ -29,7 +29,7 @@ # Local policy #
-allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; +allow apcupsd_t self:capability { dac_override setgid sys_tty_config +net_bind_service }; allow apcupsd_t self:process signal; allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20 @@ corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -corenet_tcp_sendrecv_all_ports(apcupsd_t) corenet_tcp_bind_generic_node(apcupsd_t) +corenet_udp_sendrecv_generic_if(apcupsd_t) +corenet_udp_sendrecv_generic_node(apcupsd_t) +corenet_udp_bind_generic_node(apcupsd_t)
corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t) +corenet_sendrecv_snmp_server_packets(apcupsd_t) +corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
files_read_etc_files(apcupsd_t)
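Review bot: the `net_bind_service` added to the `allow apcupsd_t self:capability { dac_override setgid sys_tty_config net_bind_service };` line in the "Local policy" hunk is redundant, since `corenet_udp_bind_snmp_port(apcupsd_t)` added further down already grants that capability for the reserved SNMP port (as the thread itself points out); drop it from the capability line so the module does not carry a duplicate rule.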
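Review bot: in the `@@ -58,13 +58,20 @@` hunk, removing `corenet_tcp_sendrecv_all_ports(apcupsd_t)` and replacing it with `corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)` is a tightening of the TCP policy that the commit message ("Support apcupsd configured for snmp") does not mention; either describe it in the message or split it into its own commit so a reviewer can see that the narrower port set was checked against what apcupsd actually talks to.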
Excellent - thanks. It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service. Do you still want an RHEL 6 bug logged?
nice catch on the net_bind_service :)
Welp, that is up to you. Not sure how soon this fix would end up in el6 though.. but then again, reporting it could not hurt.. or could it?
Moray. “To err is human; to purr, feline.”