#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Thursday 8th November 2007 ===

==== Local Packages ====

Completed populating the Fedora 8 repository with builds of `city-fan.org-release`, `perl-HTTP-Size`, `weblint`, and `weblint++`.

==== Fedora 8 and VMware Server ====

Upgraded my work desktop to Fedora 8 in the morning, and found I needed a few extra steps to get VMware Server up and running:

{{{
# rpm -Uvh VMware-server-1.0.4-56528.i386.rpm
}}}

Before configuring VMware Server, it's necessary to install a few additional packages, patch the kernel modules, and make an SELinux tweak. VMware defaults to using a reserved port (902) for the server; it's easier to make it play nicely with SELinux by using an unreserved port such as 4800 and labelling it `inetd_child_port_t` (the `semanage port` command below), the port type that `xinetd`-spawned services are allowed to listen on.

{{{
# yum install gcc-c++ kernel-devel xinetd 'perl(ExtUtils::MakeMaker)'
# cd
# wget http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update114.tar.gz
# semanage port -a -t inetd_child_port_t -p tcp 4800
# tar xf vmware-any-any-update114.tar.gz
# cd vmware-any-any-update114
# ./runme.pl
# restorecon -v /etc/services
}}}

/!\ If you have a firewall enabled, you'll need to poke a hole in it to allow connections to port 4800, or whatever your chosen port is.

==== SELinux in Fedora 8 ====

Came across a new (to me) type of SELinux denial whilst trying to get a `crontab` entry like this one to work in Fedora 8:

{{{
45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth
}}}

Even after adding all of the rules suggested by `audit2allow -R` in a local policy module, I was still getting `Permission denied` errors with SELinux in enforcing mode, but it was working in permissive mode.
In `/var/log/audit/audit.log`, I found this:

{{{
type=SELINUX_ERR msg=audit(1194609955.230:176): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
}}}

After querying this on `fedora-selinux-list`, I found that `audit2allow` doesn't currently cope with this sort of denial (which is not an AVC denial: the kernel computed the context for the domain transition into `system_mail_t`, but that context is invalid because the `unconfined_r` role isn't permitted to run that type), and what I needed to add was:

{{{
role unconfined_r types system_mail_t;
}}}

So the policy module I ended up with to allow my mail from `cron` was this:

{{{
policy_module(localmisc, 0.0.8)

require {
	type system_mail_t;
	class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
role unconfined_r types system_mail_t;
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)
}}}

----
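Since `audit2allow` only reads AVC records, the `role ... types ...;` statement above has to be worked out by hand from the `SELINUX_ERR` record. The following script does that step mechanically: it picks the `security_compute_sid: invalid context` records out of `audit.log`, takes the role and type from the invalid context, and emits the role-types statements plus a minimal `.te` skeleton to hold them. This is an added example, not code from the original diary entry; the sample records are constructed (the first is the one quoted above, the AVC record and the repeated `SELINUX_ERR` record are made up to exercise the skip and de-duplication paths).

```python
"""Extract the role-types statements that audit2allow does not generate.

audit2allow turns AVC denials into allow rules.  A SELINUX_ERR record from
security_compute_sid is not an AVC denial: the computed context (here
unconfined_u:unconfined_r:system_mail_t:s0) is invalid because the role is
not permitted to run the type.  The fix is a `role R types T;` statement,
which this script derives from such records.

Added example, not part of the original page.  SAMPLE_AUDIT_LOG is
constructed: record 0 is the one quoted on the page, the AVC record and the
duplicate are made up.
"""
import re
from collections import namedtuple

Transition = namedtuple("Transition", "role type scontext tcontext")

# Matches the SELINUX_ERR form of a failed process transition.  Contexts are
# user:role:type[:range], so splitting the invalid context on ':' gives the
# role and type that need to be associated.
INVALID_CTX_RE = re.compile(
    r"type=SELINUX_ERR .*?security_compute_sid: invalid context "
    r"(?P<ctx>\S+) for scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) "
    r"tclass=process"
)


def parse_invalid_context(line):
    """Return a Transition for an 'invalid context' record, or None for
    anything else (AVC denials are left to audit2allow)."""
    m = INVALID_CTX_RE.search(line)
    if m is None:
        return None
    fields = m.group("ctx").split(":")
    if len(fields) < 3:
        return None
    return Transition(role=fields[1], type=fields[2],
                      scontext=m.group("sctx"), tcontext=m.group("tctx"))


def role_type_rules(lines):
    """Unique, sorted 'role R types T;' statements for the given records."""
    rules = set()
    for line in lines:
        t = parse_invalid_context(line)
        if t is not None:
            rules.add("role %s types %s;" % (t.role, t.type))
    return sorted(rules)


def render_module(name, version, lines):
    """Render a .te source that requires the types involved and carries the
    role-types statements; allow rules from audit2allow go in the same file."""
    transitions = [t for t in map(parse_invalid_context, lines) if t]
    types = sorted({t.type for t in transitions})
    out = ["policy_module(%s, %s)" % (name, version), "", "require {"]
    out.extend("\ttype %s;" % t for t in types)
    out.extend(["}", ""])
    out.extend(role_type_rules(lines))
    return "\n".join(out) + "\n"


SAMPLE_AUDIT_LOG = [
    # The record quoted on this page.
    "type=SELINUX_ERR msg=audit(1194609955.230:176): security_compute_sid: "
    "invalid context unconfined_u:unconfined_r:system_mail_t:s0 for "
    "scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 "
    "tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process",
    # Constructed AVC denial: audit2allow handles these, so it is skipped here.
    "type=AVC msg=audit(1194609955.231:177): avc:  denied  { create } for  "
    "pid=4242 comm=\"sendmail\" "
    "scontext=unconfined_u:unconfined_r:system_mail_t:s0 "
    "tcontext=unconfined_u:unconfined_r:system_mail_t:s0 "
    "tclass=netlink_route_socket",
    # Constructed repeat of the first record (the cron job runs every night).
    "type=SELINUX_ERR msg=audit(1194696355.230:301): security_compute_sid: "
    "invalid context unconfined_u:unconfined_r:system_mail_t:s0 for "
    "scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 "
    "tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process",
]

if __name__ == "__main__":
    print(render_module("localmisc", "0.0.1", SAMPLE_AUDIT_LOG), end="")
```

Run against a real log with `grep SELINUX_ERR /var/log/audit/audit.log` piped into `role_type_rules`, merge the resulting statements into the `.te` file alongside the `audit2allow -R` output, then build and load it with `make -f /usr/share/selinux/devel/Makefile localmisc.pp && semodule -i localmisc.pp` (the `selinux-policy-devel` package provides that Makefile).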