How to apply new policy exactly?

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 20 21:28:19 UTC 2006


On Wed, 2006-09-20 at 11:06 +0800, Benjamin Tsai wrote:
> Thank you for the reply, I am now a bit closer to the right track. :)
> 
> To work the build path around, I start with "audit2allow."
> With my box installed with selinux-policy-strict-2.3.7-2.fc5 and turned
> selinux mode to "permissive," I run audit2allow as follows:

Hmmm...I'm confused again.  I thought you said that you didn't want
strict policy per se, just policy for your own daemon.  Did you change
your mind?  Just want to be clear on your goals.

If you want strict, then the next question is whether that fc5 strict
policy package actually works.  Dan or Karl?  Last I looked, fc5 didn't
have a libsepol/checkpolicy combo that included the final
optionals-in-base fixes, and thus the modularized strict policy was
broken there.  

> #audit2allow -m dmesg -d > dmesg.te
> #checkmodule -M -m -o dmesg.mod dmesg.te
> #semodule_package -o dmesg.pp -m dmesg.mod
> #semodule -i dmesg.pp
> 
> Then I had the following errors:
> 
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and
> system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0
> and system_u:object_r:apt_exec_t:s0).
> 
> I googled out your reply on same errors in 2004 and it says:
> "You shouldn't enable both rpm.te and dpkg.te in the same policy; they
> conflict."
> 
> Without policy source, how can I disable either rpm.te or dpkg.te?
> Besides, I tried to mark rules related to rpm in my .te file, but it
> didn't fix the problem.

First, those are just warnings, not fatal errors, and they aren't likely
relevant to you.

Second, if rpm and dpkg were built modular, then you should just be able
to semodule -r them, e.g.
	semodule -r dpkg 

I don't think you want to disable rpm on a fedora system ;)

Third, your dmesg module has lots of rules that I don't think you really
want to allow, so you need to prune out most of it.  Looks like you were
trying to do privileged operations as a staff_r user rather than first
newrole'ing to sysadm_r, and like you didn't restorecon your home
directory after setting up your role for staff_r so that it had the
right type (staff_home_* instead of user_home_*).


-- 
Stephen Smalley
National Security Agency
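Added example, not from this thread or either poster: a small shell helper for the pruning step Stephen describes, which drops allow rules from an audit2allow-generated .te file when they involve a type you never meant to grant (for instance rules recorded while working as staff_t instead of sysadm_t, or against a mislabelled user_home_t home directory) before the module is compiled and loaded with the same checkmodule / semodule_package / semodule -i chain the thread uses. The type names in the constructed sample are assumptions; build_module needs the SELinux userland tools and is not exercised here.

```shell
#!/bin/sh
# prune_te FILE TYPE...  -> prints FILE with every "allow" rule whose source
# or target type exactly matches one of TYPE removed.  The module header,
# the require block and all other rules pass through unchanged.  Matching is
# anchored, so pruning staff_t does not also drop staff_home_dir_t rules.
prune_te() {
    file=$1; shift
    pattern=$(printf '%s|' "$@"); pattern=${pattern%|}
    awk -v pat="^(${pattern})\$" '
        /^[[:space:]]*allow[[:space:]]/ {
            # rule shape: allow <src> <tgt>:<class> <perms>;
            src = $2; tgt = $3; sub(/:.*/, "", tgt)
            if (src ~ pat || tgt ~ pat) next
        }
        { print }
    ' "$file"
}

# count_allow FILE -> number of allow rules still present in FILE
count_allow() {
    grep -c '^[[:space:]]*allow[[:space:]]' "$1"
}

# build_module NAME -> compile NAME.te and load it, as in the thread.
# Requires checkmodule, semodule_package and semodule (assumed available
# on the target box; not run in this example).
build_module() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}
```

Review the pruned file by hand before calling build_module; the helper only removes rules by type, it does not judge whether the remaining ones are sensible.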
