| Summary: | sec-policy/selinux-puppet ldap use flag not honored | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
| Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | prometheanfire, selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Matthew Thode ( prometheanfire )
2011-08-02 15:06:14 UTC
Indeed, ldap connectivity isn't allowed (yet) by the policy. Consider this confirmed ;-)

If you need a local workaround, create a file with the following contents:

```
policy_module(localmod,1.0)

require {
    type puppet_t;
}

corenet_tcp_connect_ldap_port(puppet_t)
corenet_sendrecv_ldap_client_packets(puppet_t)
```

Then run "make -f /usr/share/selinux/strict/include/Makefile localmod.pp" after which you can run "semodule -i localmod.pp" to load in the updated policy.

Hmm I'm wondering if this is sufficient or not. Can you test that test module out to see if that helps? There is another interface available that allows send_msg and recv_msg but I'm not sure if that is needed here.

Seems to be working in overlay

In hardened-dev overlay.

In portage tree (~arch)
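Added example, not part of the bug report: a script that first looks for the AVC denial this bug produces (puppet_t doing name_connect to ldap_port_t) in an audit log, and only then writes, builds and loads the local module from the workaround above. It assumes the strict policy Makefile path and the two refpolicy interfaces named in the comment; the sample AVC line is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not the bug reporter's or the policy's own code).
set -eu

MODULE_NAME="localmod"
# Assumption: same Makefile path as given in the workaround comment.
POLICY_MAKEFILE="/usr/share/selinux/strict/include/Makefile"

# Return 0 (and print the lines) if the audit log holds a denial for
# puppet_t opening a TCP connection to an LDAP port.
audit_has_ldap_denial() {
    grep -E 'avc:.*denied.*\{ *name_connect *\}.*scontext=[^ ]*puppet_t.*tcontext=[^ ]*ldap_port_t' "$1"
}

# Write the module source into the given directory; print its path.
write_te_module() {
    dir="$1"
    cat > "$dir/$MODULE_NAME.te" <<'EOF'
policy_module(localmod, 1.0)

require {
    type puppet_t;
}

# Let puppet connect to ldap_port_t and exchange LDAP client packets.
corenet_tcp_connect_ldap_port(puppet_t)
corenet_sendrecv_ldap_client_packets(puppet_t)
EOF
    printf '%s/%s.te\n' "$dir" "$MODULE_NAME"
}

# Build the .pp with the refpolicy Makefile, load it, confirm it is listed.
build_and_load() {
    dir="$1"
    ( cd "$dir" && make -f "$POLICY_MAKEFILE" "$MODULE_NAME.pp" )
    semodule -i "$dir/$MODULE_NAME.pp"
    if semodule -l | grep -q "^$MODULE_NAME"; then echo "$MODULE_NAME loaded"; fi
}

# Constructed sample AVC record in auditd's format (not from a real system).
SAMPLE_AVC='type=AVC msg=audit(1312297574.123:42): avc:  denied  { name_connect } for  pid=1234 comm="puppetd" dest=389 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket'

# Usage: sh localmod.sh /var/log/audit/audit.log
# Applies the workaround only when the denial is actually present.
if [ $# -ge 1 ] && audit_has_ldap_denial "$1" >/dev/null; then
    WORKDIR=$(mktemp -d)
    write_te_module "$WORKDIR" >/dev/null
    build_and_load "$WORKDIR"
fi
```

Once the fixed sec-policy/selinux-puppet is installed, `semodule -r localmod` removes the interim module again.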