audit2allow broken?

Hongwei Li hongwei at wustl.edu
Wed May 9 19:29:28 UTC 2007


> On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6,
>> selinux-policy-2.4.6-62.fc6
>> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6.
>> The system works and I was trying to add some settings to the selinux policy
>> by running audit2allow. It was okay before noon:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> # semodule -i local.pp
>>
>> The new modules were added and it works. However, later, I can't do it
>> again,
>> but always get error:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> compilation failed:
>> (unknown source)::ERROR 'syntax error' at token '' on line 6:
>>
>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>> /usr/bin/checkmodule:  loading policy configuration from local.te
>>
>> and the file local.te has only one line:
>>
>> module local 1.0;
>>
>> not like before.  Can somebody tell what is wrong? "on line 6" of what file?
>> I reboot the system, still the same.
>
> What version of policycoreutils?
>
> The implication is that there were no avc denials
> in /var/log/audit/audit.log, and thus the generated module was empty.
> Possibly your audit logs were automatically rotated?
>
> You should really be using the -a option btw, e.g.
> 	audit2allow -a -M local
> That will pull all messages from audit, including older audit logs I
> believe.
>
> --
> Stephen Smalley
> National Security Agency
>

Yes, you are right -- there were no avc denials in the audit.log. Now, I set
enforced and tried the squirrelmail plugin change_passwd; it created some avc
denials, and then it works:

# audit2allow -a -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

However, it fails when I run:
# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t
shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed

Actually, this has been an old problem since fc5 linux (not in fc4 or earlier)
-- once set to enforcing, passwords cannot be changed from squirrelmail (web site),
and modules with "shadow..." cannot be added. Is there any way to change it? The
reason is simple: my squirrelmail users need to change their password from
within squirrelmail (web site) and I want to set selinux enforced.

BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.

I appreciate all the help!

Hongwei Li
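
The two failures in this thread have two different causes, and both can be caught before anything is loaded: the first run produced a .te containing only the "module" line because the audit input had no AVC records, and the second run produced a rule ("allow httpd_t shadow_t:file read") that the policy's neverallow assertions reject at expand time (in reference policy, from which the Fedora targeted policy is built, that assertion is "neverallow ~can_read_shadow_passwords shadow_t:file read;"). The following pre-flight script is an added example, not code from the thread or from Fedora; the audit records and the .te file it operates on are constructed here to mirror the situation described above. It counts AVC denials in an audit log and flags rules in a generated .te that touch shadow_t before semodule is run.

```bash
#!/bin/sh
# Added example (not part of the original thread). Pre-flight checks for the
# "audit2allow -M local" -> "semodule -i local.pp" workflow discussed above.
# All sample data below is constructed for this example.

# Constructed audit log: two AVC denials (one against shadow_t, one against
# var_t) plus an unrelated SYSCALL record. Real logs come from
# /var/log/audit/audit.log or "ausearch -m avc".
SAMPLE_AUDIT_LOG=$(mktemp)
cat >"$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1178740000.123:456): avc:  denied  { read } for  pid=1234 comm="chpasswd" name="shadow" dev=dm-0 ino=1111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1178740000.123:456): arch=40000003 syscall=5 success=no exit=-13 items=0 ppid=1000 pid=1234 comm="chpasswd" exe="/usr/sbin/chpasswd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1178740001.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/squirrelmail/data" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF

# Constructed log with no AVC records at all: this is the state that made
# audit2allow emit an empty module in the first message.
EMPTY_LOG=$(mktemp)
printf 'type=USER_LOGIN msg=audit(1178740002.000:458): user pid=1 uid=0 msg=op=login acct="root" res=success\n' >"$EMPTY_LOG"

# Constructed .te of the shape audit2allow would write for the log above.
SAMPLE_TE=$(mktemp)
cat >"$SAMPLE_TE" <<'EOF'
module local 1.0;

require {
    type httpd_t;
    type shadow_t;
    type var_t;
    class file read;
    class dir getattr;
}

#============= httpd_t ==============
allow httpd_t shadow_t:file read;
allow httpd_t var_t:dir getattr;
EOF
trap 'rm -f "$SAMPLE_AUDIT_LOG" "$EMPTY_LOG" "$SAMPLE_TE"' EXIT

# Count AVC denial records in an audit log file. audit2allow only generates
# rules from these, so a count of 0 means the resulting .te will contain
# nothing but the "module" line and checkmodule will reject it.
count_avc_denials() {
    grep -c '^type=AVC .*avc: *denied' "$1" || true
}

# Print every allow rule in a .te file whose target type is shadow_t.
# Any such rule will trip the shadow_t neverallow when semodule expands the
# policy, so there is no point in building or loading the package.
shadow_rules() {
    grep -E '^[[:space:]]*allow[[:space:]]+[A-Za-z0-9_]+[[:space:]]+shadow_t:' "$1" || true
}

# Return 0 when the .te contains no shadow_t rules and is worth passing on
# to checkmodule/semodule, 1 otherwise.
te_passes_shadow_check() {
    [ -z "$(shadow_rules "$1")" ]
}

# Stand-alone walk-through of the two checks against the constructed data.
main() {
    printf 'AVC denials in sample log: %s\n' "$(count_avc_denials "$SAMPLE_AUDIT_LOG")"
    printf 'AVC denials in empty log:  %s\n' "$(count_avc_denials "$EMPTY_LOG")"
    if te_passes_shadow_check "$SAMPLE_TE"; then
        printf 'local.te: no shadow_t rules, safe to run checkmodule/semodule\n'
    else
        printf 'local.te: rules below will violate a neverallow; do not load:\n'
        shadow_rules "$SAMPLE_TE"
    fi
}
main
```

The point of the second check is that the assertion is not a bug to be worked around: it exists so that a web server domain can never read password hashes, whatever audit2allow suggests. Dropping the shadow_t rule and loading the rest of the module is safe; letting SquirrelMail change passwords requires a design where the password change runs in a separate, confined helper domain rather than in httpd_t, which is a hand-written policy module, not an audit2allow output.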

More information about the fedora-selinux-list mailing list