
Summary: Review Request: cyphesis - WorldForge game server


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200976

------- Additional Comments From [EMAIL PROTECTED]  2006-08-05 19:02 EST -------
(In reply to comment #21)
> (In reply to comment #18)
> > When the -selinux subpackage is installed on a system with selinux disabled,
> > then semanage will spit out error messages of the sort:
> > 
> > libsepol.context_from_record: MLS is enabled, but no MLS context found
> > libsepol.context_from_record: could not create context structure
> > libsepol.port_from_record: could not create port structure for range 6767:6767 (tcp)
> > libsepol.sepol_port_modify: could not load port range 6767 - 6767 (tcp)
> > libsemanage.dbase_policydb_modify: could not modify record value
> > libsemanage.semanage_base_merge_components: could not merge local modifications into policy
> > /usr/sbin/semanage: Could not add port tcp/6767
> > 
> > Redirecting the output of semanage to /dev/null should silence these warnings.
> > 
> > The use of semanage isn't described in the selinux module guidelines, but
> > perhaps it should be, with a note to redirect stderr.
> 
> Perhaps that sort of thing should be on the parent page (SELinux) rather than
> the SELinux/PolicyModules page since it's not really specific to use with
> modules. The parent page will need a fair bit of editing as much of its content
> is now in the PolicyModules page.


Putting the use of semanage on the parent page is fine, but the PolicyModules
page should probably include an example of its usage.

However, using semanage in %post and %preun might not be the best place, as the
port contexts won't be set if the admin starts with selinux turned off and later
turns it on:

(turn off selinux and reboot)
# yum install cyphesis cyphesis-selinux

(turn on selinux and reboot)
# service cyphesis start
(look in /var/log/messages):
Aug  5 16:09:45 localhost kernel: audit(1154819384.688:23): avc:  denied  { name_bind } for  pid=2420 comm="cyphesis" src=6767 scontext=user_u:system_r:cyphesis_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

# semanage port -l | grep cyphesis
(no match)

Maybe semanage should be called to add/remove the port contexts in the init
script instead?  Or should semanage be able to set such contexts even if selinux
is disabled?

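One way to do what the comment above proposes, labelling the port when the service starts instead of in %post, written as an added example that is not part of the original thread or of the cyphesis package. The port type name cyphesis_port_t and the function names are assumptions (the thread only gives tcp/6767), and the policy module defining that type is assumed to be loaded already.

```shell
#!/bin/sh
# Added example: helpers an init script's start() could call so the port
# label is applied even when SELinux was disabled at package install time.
PORT_TYPE="cyphesis_port_t"   # assumed type name, not given in the thread
PORT_PROTO="tcp"
PORT_NUM="6767"

# Return 0 if `semanage port -l` already maps proto/port to the given type.
# Handles both single ports ("80,") and ranges ("8008-8010") in the listing.
port_is_labelled() {
    semanage port -l 2>/dev/null | awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i
                gsub(/,/, "", f)
                split(f, r, "-")
                lo = r[1]
                hi = (r[2] == "" ? r[1] : r[2])
                if (n + 0 >= lo + 0 && n + 0 <= hi + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Return codes:
#   0  label already present, or added successfully
#   1  semanage failed to add the label
#   2  SELinux is disabled (or selinuxenabled is missing): nothing to do,
#      and semanage is not invoked, so no libsepol errors are printed
ensure_port_label() {
    selinuxenabled 2>/dev/null || return 2
    port_is_labelled "$PORT_TYPE" "$PORT_PROTO" "$PORT_NUM" && return 0
    semanage port -a -t "$PORT_TYPE" -p "$PORT_PROTO" "$PORT_NUM" || return 1
}
```

Because the check runs on every start, the label is added the first time the service starts with SELinux enabled, and later starts find it present and skip the `semanage port -a` call.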