SE Linux policy

Luke Kenneth Casson Leighton lkcl at lkcl.net
Mon May 10 13:33:15 UTC 2004


> On Mon, 26 Apr 2004 20:05, Krzysztof Mazurczyk <kmazurczyk wskiz poznan pl> wrote:
> > > > I have started playing with new SE Linux. I have it already
> > > > running.
> > > > BTW minor question: There are messages in the log that
> > > > /sbin/unix_verify is denied to do something. The system seems to
> > > > work well. Because /sbin/unix_verify is from libpam-modules I'm not
> > > > sure what to do - ignore or add some rules to policy for
> > > > /sbin/unix_verify.
> > >
> > > What access is denied?
> >
> > avc:  denied  { getattr } for  pid=1768 exe=/sbin/unix_verify
> > path=/proc/1768/mounts dev= ino=115867664
> > scontext=system_u:system_r:system_chkpwd_t
> > tcontext=system_u:system_r:system_chkpwd_t tclass=file
> 
> Allow this.  The main policy will be changed to allow this.
> 

russell, hi,

sorry to be picking up on this from not being on this mailing list,
and breaking the thread, but:

yes i have the same issue - what policy files do i need to update,
and with what?

or, where can i obtain an updated .deb from that contains the necessary
updates?

i can quite happily read and interpret the policy files but do not yet
have enough confidence to edit them.

pointers to a document that would tell me things like:

- to add a permission, go to file X and add what the scontext says to
it.  then go to file Y and add what the bit in brackets says.

etc. etc.

would be _very_ helpful.

sincerely,

l.
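
Added example, not part of the original message or of any SELinux project code: a small Python parser that takes the denial quoted above and derives the type-enforcement rule that would permit it, showing where the scontext type, the tcontext type, the tclass and the permission in braces each land in the rule. The function names and the sample string are constructed for illustration; which policy source file the rule belongs in depends on the policy tree and is not stated in the thread.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = ("avc:  denied  { getattr } for  pid=1768 exe=/sbin/unix_verify "
          "path=/proc/1768/mounts dev= ino=115867664 "
          "scontext=system_u:system_r:system_chkpwd_t "
          "tcontext=system_u:system_r:system_chkpwd_t tclass=file")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Split one 'avc: denied' message into permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    perms = m.group("perms").split()
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # incomplete message: nothing safe to derive from it
    fields["perms"] = perms
    return fields

def context_type(context):
    """Return the type from user:role:type; allow rules use only the type."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]

def allow_rule(avc):
    """Build the candidate 'allow source target:class perms;' rule."""
    source = context_type(avc["scontext"])
    target = context_type(avc["tcontext"])
    if target == source:
        target = "self"  # a domain acting on its own objects, as in /proc/<pid>
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (source, target, avc["tclass"], perm_text)

def rules_from_log(text):
    """Deduplicated candidate rules for every denial in a block of log text."""
    rules = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc and allow_rule(avc) not in rules:
            rules.append(allow_rule(avc))
    return rules

if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE)))
```

The output is a candidate rule to review against what the domain is meant to do before it goes into the policy source; the audit2allow tool automates the same mapping.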





More information about the fedora-selinux-list mailing list