Strict policy on FC6 and F7
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 13 11:29:29 UTC 2007
Louis Lam wrote:
> Hi Dan,
>
> I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm
> not too sure where to go and how to get the latest policy version. Do
> i take the latest policy version and remake the source RPM? Or are
> there pre-packaged rpms that I can use to upgrade?
>
You should be able to simply do a yum update.
> You didn't see this problem in RHEL 5? Do i need the local.te module
> if I use the "stock" RHEL 5? I tried switching to strict policy in
> RHEL 5 and cannot login with root. But I can log in as a normal user.
> Is it "normal" that this restriction be placed on root? Is the
> local.te trying to enable root login?
No this sounds like either a bug or a labeling problem in RHEL5. You
should be able to login as root. You might want to update to the U1
policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
>
> Thanks,
> Louis
>
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: Louis Lam <lshoujun at yahoo.com>
> Cc: shintaro_fujiwara <shin216 at xf7.so-net.ne.jp>; Hal
> <hal_bg at yahoo.com>; fedora-selinux-list at redhat.com; cpebenito at tresys.com
> Sent: Friday, August 10, 2007 11:17:42 PM
> Subject: Re: Strict policy on FC6 and F7
>
> Louis Lam wrote:
> > Hi,
> >
> > I'm still having problems compiling the local.te module. The problem
> > i'm facing seems to be different from Hal's:
> >
> > --------------------
> > local.te:11:ERROR 'permission nlsms_relay is not defined for class
> > netlink_audit_socket' at token '
> > ;' on line 80809:
> > allow local_login_t self:netlink_audit_socket { { create {
> > ioctl read getattr write setattr
> > append bind connect getopt setopt shutdown } } nlmsg_read
> nlsms_relay };
> > #line 11
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/local.mod] Error 1
> > ---------------------
> >
> > My local.te file looks like this:
> > -------------
> > policy_module(local,1.0)
> >
> > require {
> >
> > type local_login_t;
> > class netlink_audit_socket { append bind connect shutdown
> > ioctl getattr setattr shutdown ge
> > topt setopt write nlmsg_relay nlmsg_read create read };
> > }
> >
> >
> > logging_send_audit_msg(local_login_t)
> > logging_set_loginuid(local_login_t)
> >
> > -------------
> >
> > Seems like the problem is with logging_set_loginuid macro. I'm not
> > sure how to solve this problem though.
> >
> > BTW here are some details on my environment:
> >
> > 1. I'm using the stock policy for FC7 2.6.4-8
> > 2. I did the compilation while running in targeted mode (will it
> affect?)
> > 3. The macro logging_set_loginuid is defined in the file
> > policy-20070501.patch
> >
> > Here is an extract of how logging_set_loginuid is defined in the patch :
> >
> > +########################################
> > +## <summary>
> > +## Set login uid
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`logging_set_loginuid',`
> > + gen_require(`
> > + attribute can_set_loginuid;
> > + attribute can_send_audit_msg;
> > + ')
> > +
> > + typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > +
> > + allow $1 self:capability audit_control;
> > + allow $1 self:netlink_audit_socket { create_socket_perms
> > nlmsg_read nlsms_relay };
> > +')
> >
> > Hope it helps in solving the problem...
> >
> > Thanks,
> > Louis
> I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
> using the latest policy?
>
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com
More information about the fedora-selinux-list
mailing list