selinux-policy-strict seems to fail with allowing remote access to the sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all the package collections disabled for a minimal system in the installer, installed the necessary tools for selinux and the strict policy and enabled it. Installed sshd, touched /.autorelabel and rebooted (twice). When enabling the enforced mode, and try to ssh from the LAN, I get avc messages because of denied access ("permission denied" after entering the password on the client). I tried to make a module for allowing it but I get assertions when installing the modules. ####################################################### [root@area51 sshd]# cat MYsshd.te module MYsshd 1.0; require { type staff_t; type user_home_dir_t; type sshd_t; class file { write ioctl }; class capability { audit_control audit_write }; class netlink_audit_socket { create nlmsg_relay write read }; } #============= sshd_t ============== allow sshd_t self:capability { audit_control audit_write }; allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write }; #============= staff_t ============= allow staff_t user_home_dir_t:file { write ioctl }; ------------------------------------------------------- [root@area51 sshd]# semodule -i MYsshd.pp libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay }; libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write }; libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control }; libsepol.check_assertions: 3 assertion violations occured libsemanage.semanage_expand_sandbox: Expand module failed semodule: Failed! ####################################################### cat /var/log/messages | audit2allow -M MYautogen semodule -i MYautogen.pp ------------------------------------------------------- libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t security_t:security { load_policy }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay }; libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:netlink_audit_socket { nlmsg_relay }; libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay }; libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:capability { audit_write }; libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_write }; libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write }; libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:capability { audit_write }; libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_control }; libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { audit_control }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { sys_module }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { write create }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t shadow_t:file { write create }; libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { read }; libsepol.check_assertions: 16 assertion violations occured libsemanage.semanage_expand_sandbox: Expand module failed semodule: Failed!