problems with latest mls policy

Stefan stefan at sf-net.com
Thu Sep 7 08:11:25 UTC 2006


Hi,

I did an update of the mls policy last night (the version before was  
1,5 months old) and now cron can't change its context to logrotate.  
Only two modules seem to be installed in /usr/share/selinux/mls:  
base.pp and enableaudit.pp
If I install the strict policy, a lot of policy modules are installed,  
including logrotate.pp.
Does anyone have any ideas?

The following packages are installed:
selinux-policy-2.3.7-2.fc5
selinux-policy-mls-2.3.7-2.fc5
selinux-policy-devel-2.3.7-2.fc5

Best regards,
Stefan

PS: Here is a list of all the AVC denials, expressed as the allow rules that would permit them:
allow user_crond_t NetworkManager_var_run_t:dir getattr;
allow user_crond_t acct_data_t:dir { getattr search };
allow user_crond_t acct_data_t:file getattr;
allow user_crond_t alsa_etc_rw_t:dir getattr;
allow user_crond_t apmd_log_t:file getattr;
allow user_crond_t auditd_log_t:dir getattr;
allow user_crond_t avahi_var_run_t:dir getattr;
allow user_crond_t bin_t:dir { add_name remove_name write };
allow user_crond_t bin_t:file { create relabelfrom relabelto rename  
setattr unlink write };
allow user_crond_t binfmt_misc_fs_t:dir getattr;
allow user_crond_t bluetooth_conf_t:dir getattr;
allow user_crond_t boot_t:dir getattr;
allow user_crond_t cert_t:dir { getattr read search };
allow user_crond_t crack_db_t:dir getattr;
allow user_crond_t cron_spool_t:dir { getattr search };
allow user_crond_t cvs_data_t:dir getattr;
allow user_crond_t data_t:dir { getattr read search };
allow user_crond_t dbusd_etc_t:dir { getattr search };
allow user_crond_t default_context_t:dir { getattr read search };
allow user_crond_t default_t:dir getattr;
allow user_crond_t devlog_t:sock_file write;
allow user_crond_t devpts_t:dir getattr;
allow user_crond_t dhcpc_state_t:dir getattr;
allow user_crond_t dhcpd_state_t:dir { getattr read search };
allow user_crond_t etc_mail_t:dir getattr;
allow user_crond_t etc_runtime_t:dir getattr;
allow user_crond_t etc_t:dir { add_name remove_name write };
allow user_crond_t etc_t:file { create rename setattr unlink write };
allow user_crond_t file_context_t:dir { getattr read search };
allow user_crond_t firstboot_rw_t:dir { getattr search };
allow user_crond_t fonts_t:dir getattr;
allow user_crond_t home_root_t:dir read;
allow user_crond_t httpd_config_t:dir { getattr search };
allow user_crond_t httpd_log_t:dir { getattr read search };
allow user_crond_t httpd_log_t:file { getattr read };
allow user_crond_t httpd_modules_t:dir { getattr read search };
allow user_crond_t httpd_modules_t:file { getattr read };
allow user_crond_t httpd_sys_content_t:dir { getattr read search };
allow user_crond_t httpd_sys_script_exec_t:dir getattr;
allow user_crond_t httpd_var_lib_t:dir getattr;
allow user_crond_t hwdata_t:dir { getattr search };
allow user_crond_t initrc_tmp_t:dir getattr;
allow user_crond_t ipsec_conf_file_t:dir { getattr search };
allow user_crond_t ipsec_exec_t:file { relabelto rename unlink };
allow user_crond_t ipsec_key_file_t:dir getattr;
allow user_crond_t ipsec_var_run_t:dir getattr;
allow user_crond_t lib_t:dir { add_name remove_name write };
allow user_crond_t lib_t:file { create relabelfrom relabelto rename  
setattr unlink write };
allow user_crond_t locate_var_lib_t:dir { add_name getattr read  
remove_name search write };
allow user_crond_t locate_var_lib_t:file { create getattr read rename  
setattr unlink write };
allow user_crond_t logrotate_var_lib_t:file { getattr read write };
allow user_crond_t logwatch_cache_t:dir { add_name create getattr  
read remove_name rmdir search write };
allow user_crond_t logwatch_cache_t:file { create getattr ioctl read  
unlink write };
allow user_crond_t lost_found_t:dir getattr;
allow user_crond_t lvm_etc_t:dir { getattr search };
allow user_crond_t lvm_lock_t:dir getattr;
allow user_crond_t lvm_metadata_t:dir getattr;
allow user_crond_t mail_spool_t:dir { getattr read };
allow user_crond_t mail_spool_t:lnk_file read;
allow user_crond_t man_t:dir { getattr read search setattr };
allow user_crond_t man_t:file { getattr read setattr write };
allow user_crond_t mdadm_var_run_t:dir getattr;
allow user_crond_t mnt_t:dir { getattr search };
allow user_crond_t modules_object_t:dir { getattr read search };
allow user_crond_t mqueue_spool_t:dir getattr;
allow user_crond_t mrtg_etc_t:dir getattr;
allow user_crond_t mrtg_lock_t:dir getattr;
allow user_crond_t mrtg_var_lib_t:dir getattr;
allow user_crond_t named_cache_t:dir getattr;
allow user_crond_t named_conf_t:dir { getattr read search };
allow user_crond_t named_var_run_t:dir { getattr read search };
allow user_crond_t named_zone_t:dir { getattr read search };
allow user_crond_t net_conf_t:file { getattr read };
allow user_crond_t netif_t:netif { rawip_recv rawip_send };
allow user_crond_t netutils_exec_t:file { relabelto rename unlink };
allow user_crond_t nmbd_t:process signal;
allow user_crond_t nmbd_var_run_t:file { getattr read };
allow user_crond_t node_t:node { rawip_recv rawip_send };
allow user_crond_t nscd_var_run_t:dir { getattr search };
allow user_crond_t ntp_drift_t:dir { getattr read search };
allow user_crond_t pam_var_console_t:dir getattr;
allow user_crond_t pam_var_run_t:dir getattr;
allow user_crond_t policy_config_t:dir { getattr read search };
allow user_crond_t postfix_etc_t:dir { getattr search };
allow user_crond_t postfix_etc_t:file { getattr read };
allow user_crond_t postfix_private_t:dir getattr;
allow user_crond_t postfix_public_t:dir { getattr search };
allow user_crond_t postfix_public_t:fifo_file { getattr write };
allow user_crond_t postfix_spool_bounce_t:dir getattr;
allow user_crond_t postfix_spool_flush_t:dir getattr;
allow user_crond_t postfix_spool_maildrop_t:dir { add_name getattr  
read remove_name search write };
allow user_crond_t postfix_spool_maildrop_t:file { create getattr  
rename setattr write };
allow user_crond_t postfix_spool_t:dir { getattr read search };
allow user_crond_t pppd_etc_t:dir { getattr search };
allow user_crond_t pppd_var_run_t:dir getattr;
allow user_crond_t prelink_log_t:file { append getattr write };
allow user_crond_t print_spool_t:dir getattr;
allow user_crond_t radvd_var_run_t:dir getattr;
allow user_crond_t rpm_exec_t:file { relabelto rename unlink };
allow user_crond_t rpm_log_t:file { append getattr read write };
allow user_crond_t rpm_var_lib_t:dir { getattr read search write };
allow user_crond_t rpm_var_lib_t:file { getattr lock read write };
allow user_crond_t samba_etc_t:dir getattr;
allow user_crond_t samba_log_t:dir { add_name getattr read  
remove_name search write };
allow user_crond_t samba_log_t:file { create getattr read rename  
setattr write };
allow user_crond_t samba_var_t:dir { getattr read search };
allow user_crond_t saslauthd_exec_t:file { relabelto rename unlink };
allow user_crond_t saslauthd_var_run_t:dir getattr;
allow user_crond_t sbin_t:dir { add_name remove_name write };
allow user_crond_t sbin_t:file { create relabelfrom relabelto rename  
setattr unlink write };
allow user_crond_t security_t:dir read;
allow user_crond_t semanage_store_t:dir { getattr search };
allow user_crond_t sendmail_log_t:dir getattr;
allow user_crond_t shlib_t:file { relabelto rename unlink };
allow user_crond_t smbd_t:process signal;
allow user_crond_t smbd_var_run_t:file { getattr read };
allow user_crond_t src_t:dir getattr;
allow user_crond_t staff_home_dir_t:dir { getattr search };
allow user_crond_t staff_home_ssh_t:dir getattr;
allow user_crond_t stunnel_etc_t:dir getattr;
allow user_crond_t sysadm_home_ssh_t:dir getattr;
allow user_crond_t sysadm_home_t:dir { getattr read search };
allow user_crond_t sysctl_fs_t:dir { getattr search };
allow user_crond_t sysfs_t:dir getattr;
allow user_crond_t syslogd_t:unix_dgram_socket sendto;
allow user_crond_t system_cron_spool_t:dir getattr;
allow user_crond_t system_dbusd_var_run_t:dir getattr;
allow user_crond_t tdm2_etc_t:dir { getattr search };
allow user_crond_t tmp_t:dir { add_name read remove_name setattr  
write };
allow user_crond_t tmp_t:file { append create getattr ioctl read  
unlink write };
allow user_crond_t tmpfs_t:dir getattr;
allow user_crond_t self:capability { chown fowner fsetid setgid  
setuid };
allow user_crond_t self:netlink_route_socket { bind create getattr  
nlmsg_read read write };
allow user_crond_t self:process { setfscreate setrlimit };
allow user_crond_t self:tcp_socket { connect create read write };
allow user_crond_t self:udp_socket { create ioctl read write };
allow user_crond_t var_lib_nfs_t:dir { getattr read search };
allow user_crond_t var_lib_t:dir { getattr read search };
allow user_crond_t var_lib_t:file { getattr write };
allow user_crond_t var_lock_t:dir { add_name getattr read remove_name  
search write };
allow user_crond_t var_lock_t:file { create unlink write };
allow user_crond_t var_log_t:dir read;
allow user_crond_t var_log_t:file { getattr read };
allow user_crond_t var_run_t:dir { add_name remove_name write };
allow user_crond_t var_run_t:file { create getattr unlink write };
allow user_crond_t var_spool_t:dir read;
allow user_crond_t var_spool_t:file { read setattr write };
allow user_crond_t var_t:dir read;
allow user_crond_t var_t:file { setattr write };
allow user_crond_t var_yp_t:dir getattr;
allow user_crond_t winbind_var_run_t:dir getattr;
allow user_crond_t wtmp_t:file getattr;



