RE: apcupsd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: grift [mailto:dominick.grift@xxxxxxxxx]
> Sent: 18 December 2012 17:01
> 
> On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
> > On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
> > > Hi SELinux
> 
> >
> > mkdir myapcupsd; cd myapcupsd; echo "policy_module(myapcupsd, 1.0.0)
> > gen_require(\` type apcupsd_t; ')
> > corenet_udp_bind_generic_node(apcupsd_t)
> > corenet_udp_bind_snmp_port(apcupsd_t) allow apcupsd_t self:capability
> > net_bind_service;"  > myapcupsd.te
> >
> > make -f /usr/share/selinux/devel/Makefile myapcupsd.te sudo semodule
> > -i myapcupsd.pp;
> >
> > consider filing a bugzilla please
> 
> I am adding this upstream (should eventually trickle down):
> 
> > From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012
> > 17:59:34 +0100
> > From: Dominick Grift <dominick.grift@xxxxxxxxx>
> > Date: Tue, 18 Dec 2012 17:59:18 +0100
> > Subject: [PATCH] Changes to the apcupsd policy module
> >
> >
> > Support apcupsd configured for snmp
> >
> > Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxx> diff --git
> > a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644
> > --- a/apcupsd.te
> > +++ b/apcupsd.te
> > @@ -1,4 +1,4 @@
> > -policy_module(apcupsd, 1.8.3)
> > +policy_module(apcupsd, 1.8.4)
> >
> >  ########################################
> >  #
> > @@ -29,7 +29,7 @@
> >  # Local policy
> >  #
> >
> > -allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > };
> > +allow apcupsd_t self:capability { dac_override setgid sys_tty_config
> > +net_bind_service };
> >  allow apcupsd_t self:process signal;
> >  allow apcupsd_t self:fifo_file rw_file_perms;  allow apcupsd_t
> > self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20
> > @@
> >  corenet_all_recvfrom_netlabel(apcupsd_t)
> >  corenet_tcp_sendrecv_generic_if(apcupsd_t)
> >  corenet_tcp_sendrecv_generic_node(apcupsd_t)
> > -corenet_tcp_sendrecv_all_ports(apcupsd_t)
> >  corenet_tcp_bind_generic_node(apcupsd_t)
> > +corenet_udp_sendrecv_generic_if(apcupsd_t)
> > +corenet_udp_sendrecv_generic_node(apcupsd_t)
> > +corenet_udp_bind_generic_node(apcupsd_t)
> >
> >  corenet_tcp_bind_apcupsd_port(apcupsd_t)
> >  corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
> > +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
> >  corenet_tcp_connect_apcupsd_port(apcupsd_t)
> >
> > +corenet_udp_bind_snmp_port(apcupsd_t)
> > +corenet_sendrecv_snmp_server_packets(apcupsd_t)
> > +corenet_udp_sendrecv_snmp_port(apcupsd_t)
> > +
> >  dev_rw_generic_usb_dev(apcupsd_t)
> >
> >  files_read_etc_files(apcupsd_t)

Excellent - thanks.  It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service.  Do you still want an RHEL 6 bug logged?


Moray.
“To err is human; to purr, feline.”





--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux