latest rawhide with strict policy and audit
Russell Coker
russell at coker.com.au
Thu Apr 14 10:37:08 UTC 2005
allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
After updating to the latest rawhide stuff I needed the above rule in sshd.te
to allow sshd to work correctly (unified diff attached). The first two
accesses (create and bind) are needed to allow sshd to work to the stage of
permitting logins. The last three to stop it spewing messages.
What is this self:netlink_audit_socket access? What is the appropriate access
for such things?
newrole has the same issue, the file newrole.diff applies to
newrole_macros.te. Even after applying that patch I get an error as follows:
[root at community ~]# newrole -r sysadm_r
Authenticating root.
Password:
Error sending status request (Operation not permitted)
[root at community ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root at community ~]#
I guess that this is in the new pam so local_login_t, xdm_t and other domains
will need similar changes.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh.diff
Type: text/x-diff
Size: 448 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050414/e180dadb/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: newrole.diff
Type: text/x-diff
Size: 357 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050414/e180dadb/attachment-0001.bin>
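Added example (not part of the mail above or of the Fedora policy): a small audit2allow-style script that groups AVC denials by source type, target and object class and prints the matching allow rule, so that the five netlink_audit_socket permissions the mail lists can be read straight off the denial log. The AVC lines are constructed samples in the kernel's "avc: denied" format; the newrole_t denials and their permission set are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the mail) for sshd_t and
# newrole_t touching the netlink_audit_socket class.
SAMPLE_AVCS = """\
audit(1113475028.001:12): avc:  denied  { create } for  pid=2011 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1113475028.002:13): avc:  denied  { bind } for  pid=2011 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1113475028.003:14): avc:  denied  { write } for  pid=2011 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1113475028.004:15): avc:  denied  { nlmsg_read } for  pid=2011 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1113475028.005:16): avc:  denied  { read } for  pid=2011 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1113475040.001:17): avc:  denied  { create } for  pid=2040 comm="newrole" scontext=root:sysadm_r:newrole_t tcontext=root:sysadm_r:newrole_t tclass=netlink_audit_socket
audit(1113475040.002:18): avc:  denied  { write } for  pid=2040 comm="newrole" scontext=root:sysadm_r:newrole_t tcontext=root:sysadm_r:newrole_t tclass=netlink_audit_socket
"""

# Permissions are inside "{ ... }"; contexts are user:role:type triples.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')

def collect_denials(log_text):
    """Group denied permissions by (source type, target, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group('sctx').split(':')[2]
        # Same source and target context -> "self", as in the mail's rule.
        if m.group('tctx') == m.group('sctx'):
            target = 'self'
        else:
            target = m.group('tctx').split(':')[2]
        key = (stype, target, m.group('tclass'))
        denials[key].update(m.group('perms').split())
    return denials

def allow_rules(denials):
    """Render each group as one policy 'allow' statement, permissions sorted."""
    rules = []
    for (stype, target, tclass), perms in sorted(denials.items()):
        rules.append('allow %s %s:%s { %s };'
                     % (stype, target, tclass, ' '.join(sorted(perms))))
    return rules

if __name__ == '__main__':
    for rule in allow_rules(collect_denials(SAMPLE_AVCS)):
        print(rule)
```

Feed it the output of `dmesg` or the audit log on the box instead of SAMPLE_AVCS to see which of the permissions a given domain actually trips.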