Looks like prelude.te provides the prewikka code.

grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te: apache_content_template(prewikka)
prelude.te: apache_content_alias_template(prewikka, prewikka)
prelude.te: can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te: files_search_tmp(prewikka_script_t)
prelude.te: kernel_read_sysctl(prewikka_script_t)
prelude.te: kernel_search_network_sysctl(prewikka_script_t)
prelude.te: auth_use_nsswitch(prewikka_script_t)
prelude.te: logging_send_syslog_msg(prewikka_script_t)
prelude.te: apache_search_sys_content(prewikka_script_t)
prelude.te: mysql_stream_connect(prewikka_script_t)
prelude.te: mysql_tcp_connect(prewikka_script_t)
prelude.te: postgresql_stream_connect(prewikka_script_t)
prelude.te: postgresql_tcp_connect(prewikka_script_t)

semodule -l | grep prelude

On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
> Daniel,
> on the machine on which things work there is a prewikka.pp file, but
> on the one that fails there isn't. On the system
> that fails I have the following prewikka policy file (prewikkapol.te):
>
> module prewikka 1.0;
>
> require {
>     type tmp_t;
>     type init_var_run_t;
>     type httpd_prewikka_script_t;
>     type sysfs_t;
>     class dir { read search };
> }
>
> #============= httpd_prewikka_script_t ==============
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikkapol.pp file.
>
> On the system that works I have the following prewikka policy file
> (prewikka.te):
>
> module prewikka 1.0;
>
> require {
>     type tmp_t;
>     type init_var_run_t;
>     type httpd_prewikka_script_t;
>     type sysfs_t;
>     class dir { read search };
> }
>
> #============= httpd_prewikka_script_t ==============
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikka.pp file. So as far as I know the
> prewikka policy files are present, and neither says
> anything about httpd_prewikka_rw_content_t.
>
> Also if I run
>
> semodule -l
>
> the appropriate policy file is shown.
>
> I tried disabling the module:
>
> sudo semodule -d prewikkapol
> [sudo] password for pgaltieri:
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule: Failed!
>
> I tried to remove the module:
>
> sudo semodule -r prewikkapol
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule: Failed!
>
> It does appear though that setsebool still works despite the errors.
>
> Still confused though why I'm seeing the error.
>
> Thanks for the help,
>
> Paolo
>
>
> On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
>> Looks like you might have a prewikka policy around?
>>
>> locate prewikka.pp
>>
>> Did you build a custom policy module?
>>
>> On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
>>> Folks,
>>> I got an SELinux alert this morning.
>>> The suggestion to correct the problem was to do:
>>>
>>> setsebool -P unconfined_mozilla_plugin_transition 0
>>>
>>> When I did this I got the following response:
>>>
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_context_to_sid: could not convert
>>> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
>>> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_context_to_sid: could not convert
>>> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
>>> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>>>
>>> I have 2 systems running F22, I got this response on one of the
>>> systems, but not the other. When I was running F19 on the affected
>>> system (prior to upgrading to F22) I did have the prewikka packages
>>> installed, but I have since removed them. However, it appears that
>>> some remnants of those packages remain.
>>>
>>> How do I fix this issue? I looked in the httpd config files and
>>> couldn't find any reference.
>>>
>>> Any help is appreciated.
>>>
>>> Paolo
>
--
users mailing list
users@lists.fedoraproject.org
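
Added example, not part of the thread or written by any of its participants: a small parser that takes libsepol/libsemanage output like the errors quoted above (still wrapped and `>`-quoted if need be) and reports each undefined type together with the path whose file-context record still references it. The function name `stale_types` and the regexes are assumptions of this example; the sample text is the error output from the thread with the e-mail line wraps re-joined.

```python
import re

# Error text quoted in the thread (semodule -d prewikkapol), wraps re-joined.
SAMPLE = """\
libsepol.context_from_record: type httpd_prewikka_rw_content_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for /usr/share/prewikka/htdocs/generated_images [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule: Failed!
"""

UNDEFINED = re.compile(r"type (\S+) is not defined")
# The "specified for PATH [class]" part is only present in libsemanage output,
# not in the shorter setsebool errors, so it is optional.
INVALID = re.compile(r"invalid context (\S+)(?: specified for (\S+) \[([^\]]+)\])?")


def stale_types(raw):
    """Map each undefined SELinux type to the paths whose context uses it."""
    # Drop e-mail quote markers, then undo line wrapping by flattening whitespace.
    lines = (re.sub(r"^[>\s]+", "", line) for line in raw.splitlines())
    flat = " ".join(" ".join(lines).split())

    undefined = set(UNDEFINED.findall(flat))
    report = {t: set() for t in undefined}
    for context, path, _file_class in INVALID.findall(flat):
        fields = context.split(":")  # user:role:type:level
        if len(fields) >= 3 and fields[2] in undefined and path:
            report[fields[2]].add(path)
    return {t: sorted(paths) for t, paths in report.items()}


if __name__ == "__main__":
    for setype, paths in stale_types(SAMPLE).items():
        print(setype, "->", paths or "(no path in this output)")
```
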