On 10/20/2010 01:23 PM, Vadym Chepkov wrote: > On Oct 20, 2010, at 3:17 AM, Miroslav Grepl wrote: > >> On 10/20/2010 01:35 AM, Vadym Chepkov wrote: >>> On Oct 19, 2010, at 9:33 AM, Miroslav Grepl wrote: >>> >>>> On 10/19/2010 01:58 PM, Vadym Chepkov wrote: >>>>> On Oct 19, 2010, at 3:17 AM, Miroslav Grepl wrote: >>>>> >>>>>> On 10/18/2010 04:46 PM, Vadym Chepkov wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have an issue I would like to fix properly. >>>>>>> >>>>>>> I have a policy for mediawiki defined this way: >>>>>>> >>>>>>> apache_content_template(mediawiki) >>>>>>> apache_search_sys_content(httpd_mediawiki_script_t) >>>>>>> >>>>>>> /var/www/mediawiki/bin(/.*)? >>>>>>> gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) >>>>>>> /var/www/mediawiki/images(/.*)? >>>>>>> gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0) >>>>>>> /var/www/mediawiki/cache(/.*)? >>>>>>> gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0) >>>>>> Vadym, >>>>>> we shipped the mediawiki policy in Fedora 13+. Any chance you have some of these Fedora release? >>>>>> >>>>> This package is usually very behind. mediawiki 1.15.5 and 1.16.0 were released back in July and they are security releases no less, >>>>> but Fedora still has 1.15.4 >>>>> Anyway, I always install directly from mediawiki subversion tag. >>>>> I don't need multi-site feature and other then that I don't see any other patches that would prevent the problem I have. >>>>> I tried to check what selinux policy does Fedora provide and I found just one line in selinux-policy-3.7.19-62.fc13.src.rpm : >>>> The mediawiki policy was added to selinux-policy-3.7.19-65.fc13 policy which should be available from the stable repo now. So you can update your policy and try to test the mediawiki policy which we shipped and you can help us to improve this policy. >>>> >>> Yep, I see it now. >>> There are several scripts in the package without proper context: >>> >>> /usr/share/mediawiki/bin >>> /usr/share/mediawiki/bin/svnstat >>> /usr/share/mediawiki/bin/ulimit-tvf.sh >>> /usr/share/mediawiki/bin/ulimit.sh >>> /usr/share/mediawiki/bin/ulimit4.sh >>> >>> I had them as httpd_mediawiki_script_exec_t, because ulimit scripts are definitely used: that's what I had to give them : >>> >>> apache_search_sys_content(httpd_mediawiki_script_t) >>> fs_rw_anon_inodefs_files(httpd_mediawiki_script_t) >>> allow httpd_mediawiki_script_t httpd_t:file read; >>> allow httpd_mediawiki_script_t self:process setrlimit; >>> >> So does it work with these rules, labels and with the policy which we shipped? > I will install mediawiki somewhere on fedora and will try it out. OK > Even after I removed 'permissive' I can't compile it on EPEL: > > Compiling targeted mediawiki module > /usr/bin/checkmodule: loading policy configuration from tmp/mediawiki.tmp > mediawiki.te:26:ERROR 'syntax error' at token ':' on line 99670: > allow tmp_t:dir { getattr search }; > #line 26 > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/mediawiki.mod] Error 1 > > line 26 is this > userdom_read_user_tmp_files(httpd_mediawiki_script_t) Yes, this interface is called in the template interfaces in RHEL. Two arguments are needed: userdom_read_user_tmp_files(prefix,domain) So just try to remove this interface. > > >>> I wasn't able to compile this policy on RHEL :( >>> It uses 'permissive' domain, which is not available there. Why is it used, by the way? Does it mean "work in progress" ? >> We can push out a new policy as permissive domain and simply collect AVC messages. Users don’t have to switch to permissive mode globally and they can stay in the enforcing mode. >> >> >> Miroslav >>> Thanks, >>> Vadym >>> >>> >>> >>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux