Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 451948 - prelude patch
Summary: prelude patch
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-06-18 10:15 UTC by Dominick Grift
Modified: 2008-11-17 22:04 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-17 22:04:41 UTC

Attachments (Terms of Use)
patch1 (deleted)
2008-06-18 10:15 UTC, Dominick Grift
no flags Details
patch2 (deleted)
2008-06-18 10:17 UTC, Dominick Grift
no flags Details
prelude.fc (deleted)
2008-06-22 11:29 UTC, Daniel Walsh
no flags Details
prelude.te (deleted)
2008-06-22 11:29 UTC, Daniel Walsh
no flags Details
snort.te (deleted)
2008-06-22 13:24 UTC, Dominick Grift
no flags Details
snort.if (deleted)
2008-06-22 13:25 UTC, Dominick Grift
no flags Details
snort.fc (deleted)
2008-06-22 13:25 UTC, Dominick Grift
no flags Details

Description Dominick Grift 2008-06-18 10:15:20 UTC
Description of problem:
After doing this howto:
i noticed some issues in prelude policy

some high lights are:
patch to prelude init script needed escape character
policy for prelude-lml was missing
policy for prewikka was coarse and didnt have a files config file

these patches are against 331-48 f9

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Dominick Grift 2008-06-18 10:15:20 UTC
Created attachment 309716 [details]

Comment 2 Dominick Grift 2008-06-18 10:17:04 UTC
Created attachment 309717 [details]

Comment 3 Daniel Walsh 2008-06-22 11:29:36 UTC
Created attachment 309993 [details]

Comment 4 Daniel Walsh 2008-06-22 11:29:58 UTC
Created attachment 309994 [details]

Comment 5 Dominick Grift 2008-06-22 12:43:37 UTC
Thanks. looks good. Although i wanted the files_config_file for prewikka because
it has a mysql password in there.

Also i noticed that you removed the gamin optional policy block for prelude-lml.
Not sure why but it seemed needed when i tried it.

Also i think (domain_use_interactive_fds(prelude_lml_t) may not be required

Comment 6 Daniel Walsh 2008-06-22 12:52:19 UTC
So you are trying to prevent other domains from reading the config file?

In that case you might want to label it something like prewikka_secret_t and not
give it files_config, since files_config allows all domains to read, just like

gamin_ is a bad thing to use for a system service, since it is long running and
shared by other domains.  So it causes SELinux problems when it is run.  gamin
policy is not being shipped so this optional block will not be executed.

The gamin policy is also pretty broken right now.

Comment 7 Dominick Grift 2008-06-22 13:22:48 UTC
understood, i also noticed you didnt declare a domain type for prelude-lml.
Interface admin_prelude needs update to reflect prelude-lml. 

also we need a prelude_manage_spool() for snort

Comment 8 Dominick Grift 2008-06-22 13:24:23 UTC
Created attachment 309995 [details]

Comment 9 Dominick Grift 2008-06-22 13:25:01 UTC
Created attachment 309996 [details]

Comment 10 Dominick Grift 2008-06-22 13:25:34 UTC
Created attachment 309997 [details]

Comment 11 Dominick Grift 2008-06-22 13:56:48 UTC
files_search_spool(snort_t) should be in that optional_policy block for prelude,
since any domain will need to be able to search spool to be able to append to
preludes spool files

Comment 12 Dominick Grift 2008-06-22 14:22:11 UTC
## <summary>
##	Append to prelude-manager write files.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
		type prelude_spool_t;

        allow $1 prelude_spool_t:dir { read search getattr };
	allow $1 prelude_spool_t:file { read lock getattr write append };

Comment 13 Daniel Walsh 2008-06-23 12:20:24 UTC
Fixed in selinux-policy-3.3.1-70.fc9.noarch

Comment 14 Dominick Grift 2008-06-23 15:09:33 UTC
thanks. one small issue left:

#============= snort_t ==============
allow snort_t prelude_spool_t:dir read;

and this, but you have explained why:

#============= prelude_lml_t ==============
allow prelude_lml_t gamin_exec_t:file { read execute };

Comment 15 Dominick Grift 2008-06-23 15:30:08 UTC
By the way should, corenet_tcp_connect_prelude_port(snort_t), not be in the
optional policy block designated for prelude? I know the port is defined in
corenetwork but if there is no prelude module than there likely wont be a

Comment 16 Daniel Walsh 2008-06-24 10:35:07 UTC
No, Other policies might not include the prelude policy but would still define
the prelude port

Fixed in selinux-policy-3.3.1-71.fc9.noarch

Comment 17 Daniel Walsh 2008-11-17 22:04:41 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.