[redhat-lspp] Re: Rawhide LSPP test kernels, GIT tree.
Stephen Smalley
sds at tycho.nsa.gov
Tue Nov 8 14:24:27 UTC 2005
On Tue, 2005-11-08 at 09:15 -0500, Steve Grubb wrote:
> So, I guess it's not this kernel. However, we do have this RBAC requirement:
>
> FPT_FLS.1 Failure with Preservation of Secure State. RBAC states that if the
> Roles database is offline, corrupt, or inaccessible, the TSF shall preserve a
> secure state.
>
> Are we doing that? Previously, I saw these:
>
> /etc/selinux/targeted/contexts/files/file_contexts: line 1577 has invalid
> context system_u:object_r:sendmail_launch_lock_t
> /etc/selinux/targeted/contexts/files/file_contexts: line 1578 has invalid
> context system_u:object_r:sendmail_launch_lock_t
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple same
> specifications for /sbin/lvm.static.
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
>
> Are we really meeting the requirement? The upgrade continued in spite of
> having a bad policy.

I'm not sure how invalid file contexts are related to the "roles
database." I don't think they are.

The warnings are from matchpathcon_init in libselinux; when it parses
the file_contexts configuration, it warns about any invalid entries and
skips them during processing. Such invalid entries are almost always a
result of undefined types, commonly from types in the strict policy not
being defined in the targeted policy. Should be detected upon policy
build, when setfiles -c is applied to validate that all file contexts
are defined by the policy.
--
Stephen Smalley
National Security Agency
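
Added example, not part of the original message and not libselinux or setfiles code: a Python sketch of the warn-and-skip handling of file_contexts entries described in the reply, next to a build-time gate that treats the same findings as fatal. The type set, the sample entries (including the sendmail lock path) and the function names are constructed for illustration, and path regexes are compared as plain strings.

```python
# Assumption: the set of types the loaded policy defines (constructed).
POLICY_TYPES = {"bin_t", "lvm_exec_t"}

# Constructed file_contexts excerpt modelled on the warnings quoted above.
SAMPLE = r"""# path regex          file type   context
/bin(/.*)?                       system_u:object_r:bin_t
/sbin/lvm\.static        --      system_u:object_r:lvm_exec_t
/sbin/lvm\.static        --      system_u:object_r:lvm_exec_t
/var/run/sendmail\.lock  --      system_u:object_r:sendmail_launch_lock_t
/etc/mtab                --      <<none>>
"""


def check_file_contexts(text, policy_types):
    """Return (kept, warnings): bad entries are reported and skipped."""
    kept, warnings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            warnings.append(f"line {lineno}: expected 2 or 3 fields")
            continue
        regex, context = fields[0], fields[-1]
        ftype = fields[1] if len(fields) == 3 else ""
        if context != "<<none>>":
            parts = context.split(":")  # user:role:type[:level]
            if len(parts) < 3 or parts[2] not in policy_types:
                warnings.append(f"line {lineno} has invalid context {context}")
                continue
        key = (regex, ftype)
        if key in seen:
            kind = "same" if seen[key] == context else "different"
            warnings.append(f"Multiple {kind} specifications for {regex}.")
            continue  # this sketch keeps the first copy only
        seen[key] = context
        kept.append((regex, ftype, context))
    return kept, warnings


def build_gate(text, policy_types):
    """Build-time check: any warning is fatal (exit status 1)."""
    _, warnings = check_file_contexts(text, policy_types)
    return 1 if warnings else 0


if __name__ == "__main__":
    kept, warnings = check_file_contexts(SAMPLE, POLICY_TYPES)
    for w in warnings:
        print("warning:", w)
    print(len(kept), "entries kept; gate status", build_gate(SAMPLE, POLICY_TYPES))
```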