[Bug 200976] Review Request: cyphesis - WorldForge game server

bugzilla at redhat.com
Sat Aug 5 23:12:02 UTC 2006



Summary: Review Request: cyphesis - WorldForge game server


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200976





------- Additional Comments From wart at kobold.org  2006-08-05 19:02 EST -------
(In reply to comment #21)
> (In reply to comment #18)
> > When the -selinux subpackage is installed on a system with selinux disabled,
> > then semanage will spit out error messages of the sort:
> > 
> > libsepol.context_from_record: MLS is enabled, but no MLS context found
> > libsepol.context_from_record: could not create context structure
> > libsepol.port_from_record: could not create port structure for range 6767:6767 (tcp)
> > libsepol.sepol_port_modify: could not load port range 6767 - 6767 (tcp)
> > libsemanage.dbase_policydb_modify: could not modify record value
> > libsemanage.semanage_base_merge_components: could not merge local modifications into policy
> > /usr/sbin/semanage: Could not add port tcp/6767
> > 
> > Redirecting the output of semanage to /dev/null should silence these warnings.
> > 
> > The use of semanage isn't described in the selinux module guidelines, but
> > perhaps it should be, with a note to redirect stderr.
> 
> Perhaps that sort of thing should be on the parent page (SELinux) rather than
> the SELinux/PolicyModules page since it's not really specific to use with
> modules. The parent page will need a fair bit of editing as much of its content
> is now in the PolicyModules page.


Putting the use of semanage on the parent page is fine, but the PolicyModules
page should probably include an example of its usage.

However, using semanage in %post and %preun might not be the best place, as the
port contexts won't be set if the admin starts with selinux turned off and later
turns it on:

(turn off selinux and reboot)
# yum install cyphesis cyphesis-selinux

(turn on selinux and reboot)
# service cyphesis start
(look in /var/log/messages:)
Aug  5 16:09:45 localhost kernel: audit(1154819384.688:23): avc:  denied  { name_bind } for  pid=2420 comm="cyphesis" src=6767 scontext=user_u:system_r:cyphesis_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

# semanage port -l | grep cyphesis
(no match)

Maybe semanage should be called to add/remove the port contexts in the init
script instead?  Or should semanage be able to set such contexts even if selinux
is disabled?
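
The init-script option raised above, sketched as an added example (not part of the original comment or of the cyphesis package): label the port at service start, only when SELinux is enabled and the label is missing. The type name `cyphesis_port_t` and both function names are assumptions; the comment does not give them.

```shell
#!/bin/sh
# Added example: set the port context at service start instead of in %post.
# PORT_TYPE is a hypothetical type name; the page does not state the real one.
PORT_TYPE="cyphesis_port_t"
PORT_PROTO="tcp"
PORT_NUM="6767"

# port_is_labelled TYPE PROTO PORT
# Reads `semanage port -l` output on stdin; succeeds if PORT, alone or inside
# a range such as 6000-6020, is listed for TYPE and PROTO.
port_is_labelled() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)          # ports are comma separated
                n = split(entry, r, "-")      # "lo-hi" range or single port
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit !found }'
}

# ensure_port_label: call from the init script's start() before the daemon.
# Returns 0 when nothing needs doing or the label was added.
ensure_port_label() {
    # With SELinux disabled, semanage only emits the libsepol errors: skip it.
    selinuxenabled 2>/dev/null || return 0
    if semanage port -l 2>/dev/null |
        port_is_labelled "$PORT_TYPE" "$PORT_PROTO" "$PORT_NUM"; then
        return 0
    fi
    semanage port -a -t "$PORT_TYPE" -p "$PORT_PROTO" "$PORT_NUM" 2>/dev/null
}
```

Because the check runs on every start, a system installed with SELinux off picks up the port context the first time the service starts after SELinux is turned on.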
