Firefox on strict policy
Ken
mantaray_1 at cox.net
Sat Dec 2 20:05:40 UTC 2006
I used grep as well. Adding a boolean sounds like a great idea.
-Ken-
Daniel J Walsh wrote:
> Ken wrote:
>> Thank you for your response. I inadvertently sent my response to the
>> previous message to your address rather than the list, and later
>> posted it to the list. I noticed that you did not send this reply to
>> the list so I did not know if it was appropriate to post my response
>> on the list or not, and I chose not to. I have already written a
>> program/script which removed the "dontaudit" statements from the ".te"
>> files in the policy while I was in the process of troubleshooting
>> this problem. This was helpful, but I have noticed dontaudit
>> statements occurring in other files as well, and I am interested in
>> learning more about the enableaudit module. I searched my hard drive
>> for the source code and did not find it. Where can I find the source
>> code for the module?
>>
>> -Ken-
>>
> I have no problem if this is on list. Problem is I am not sure which
> list it belongs to.
> enableaudit.pp is created from the same source file as the rest of the
> code. Basically it uses the grep -v dontaudit out of the policy file
> and rebuilds. So I am sure you did the same thing. The plan is to
> eventually add some kind of boolean to turn on/off dontaudit rules.
>> Daniel J Walsh wrote:
>>> Ken wrote:
>>>> Thanks for the suggestion, but it was not labeling. It appears to
>>>> have had something to do with mls, although I have not had the time
>>>> to figure out exactly what. I changed all the mls levels to s0 and
>>>> the problem went away. It sure would be nice if there were a
>>>> feature to disable all "dontaudit" statements for policy debugging.
>>>>
>>> semodule -b /usr/share/selinux/mls/enableaudit.pp
>>>
>>>> -Ken-
>>>>
>>>> Daniel J Walsh wrote:
>>>>> Ken wrote:
>>>>>> I am attempting to get a strict policy working on my FC-6 system
>>>>>> (version 2.4.3-2.fc6). I have successfully created a user
>>>>>> account, and I can log both the root and the user account into
>>>>>> the GUI. I am attempting to get Firefox to work and I am having
>>>>>> difficulties. If I click on the Firefox icon, I see the program
>>>>>> listed as opening, and it stays that way for a few seconds and
>>>>>> then disappears. If I check the message log (var/log/messages),
>>>>>> there are no messages (either avc or other) generated as a result
>>>>>> of the attempt. This only happens when the policy is enforcing.
>>>>>> When the policy is not enforcing, Firefox loads properly --
>>>>>> also with no messages. I have noticed that Firefox is not
>>>>>> writing to its .mozilla folder when the policy is enforcing, and
>>>>>> that it does write to several files in this folder when it loads
>>>>>> properly. This problem affects both my user account and the root
>>>>>> account. Can someone please explain why I am not receiving any
>>>>>> error messages (or any messages at all), and let me know what
>>>>>> needs to be changed in order to load Firefox?
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> check /var/log/audit/audit.log for avc messages.
>>>>>
>>>>> I would guess you have a labeling problem on your home dir.
>>>>>
>>>>> restorecon -R -v ~/
>>>>>
>>>
>>>
>
>
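
The dontaudit-stripping step discussed in this thread, sketched as an added example (not code from the original messages or from the policy build). It assumes m4-expanded policy text in which every rule starts with the keyword "dontaudit"; the function names and the sample rules are constructed for illustration. Unlike a plain line filter, it keeps comments that merely mention the word and drops a rule that wraps over several lines as one unit.

```shell
#!/bin/sh
# strip_dontaudit: read policy source on stdin, write it to stdout with
# every dontaudit rule removed, so denials that were being silenced show
# up as AVC messages once the policy is rebuilt and loaded.
strip_dontaudit() {
    awk '
        # Inside a wrapped dontaudit rule: drop lines up to the closing ";"
        skipping { if ($0 ~ /;/) skipping = 0; next }

        # A rule starts with the keyword itself, not with a comment or a
        # longer identifier that merely contains the word.
        /^[[:space:]]*dontaudit[[:space:]]/ {
            removed++
            if ($0 !~ /;/) skipping = 1
            next
        }

        { print }

        # Report the count on stderr so stdout stays a clean policy file.
        END { printf "removed %d dontaudit rule(s)\n", removed | "cat 1>&2" }
    '
}

# Constructed sample input (not taken from any shipped policy).
sample_policy() {
    cat <<'EOF'
allow user_t user_home_t:file { read write };
# dontaudit noise from the browser wrapper
dontaudit user_t shadow_t:file getattr;
dontaudit user_t device_t:chr_file
    { read write };
allow user_t tmp_t:dir search;
EOF
}

sample_policy | strip_dontaudit
```

Run against raw ".te" files, this leaves interface calls whose names contain "dontaudit" in place, since those only become dontaudit rules after macro expansion.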