failed to customize policy, SELinux won't let me

Stephen Smalley sds at tycho.nsa.gov
Wed May 3 17:19:51 UTC 2006


On Wed, 2006-05-03 at 10:05 -0700, Florin Andrei wrote:
> On Wed, 2006-05-03 at 13:04 -0400, Stephen Smalley wrote:
> 
> > Yes, I noticed this as well - semanage/semodule policy doesn't appear to
> > allow it to take input from user home directories presently.  Nice from
> > an integrity point of view (don't take untrustworthy inputs), but likely
> > not workable for every day usage.
> 
> Still not working:
> 
> [root at stantz custom]# pwd
> /etc/selinux/custom
> [root at stantz custom]# ls -Z
> -rw-r--r--  root     root     user_u:object_r:selinux_config_t local.fc
> -rw-r--r--  root     root     user_u:object_r:selinux_config_t local.if
> -rw-r--r--  root     root     user_u:object_r:selinux_config_t local.pp
> -rw-r--r--  root     root     user_u:object_r:selinux_config_t local.te
> drwxr-xr-x  root     root     user_u:object_r:selinux_config_t tmp

Actually, /usr/share/selinux is the standard location for modules to be
placed before running semodule on them, but that isn't directly relevant
to the denial you see below.

> [root at stantz custom]# semodule -i local.pp
> libsemanage.semanage_commit_sandbox: Error while
> renaming /etc/selinux/targeted/modules/active
> to /etc/selinux/targeted/modules/previous.
> semodule:  Failed!
> [root at stantz custom]# tail -n 1 /var/log/messages
> May  3 10:02:51 stantz kernel: audit(1146675771.487:308): avc:  denied
> { rename } for  pid=3845 comm="semodule" name="active" dev=hda4
> ino=2319743 scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

Yes, this has shown up before - it indicates that
your /etc/selinux/targeted/modules tree has become mislabeled.  Run
restorecon -R on it.  I think that this has been corrected already in
updates?

-- 
Stephen Smalley
National Security Agency
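The diagnosis above rests on reading a few fields out of the AVC record: the permission (rename), the object class (dir), the source type (semanage_t, i.e. semodule) and the target type (selinux_config_t, where a directory under the modules tree should not be). The following is an added example, not part of the thread, that parses the quoted denial the way a log-triage script would and flags this particular signature with the restorecon fix. The sample log line is the one quoted above, rejoined onto one line; the second sample line and the triage rule itself are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the denial quoted in the thread, rejoined onto
# one line as it appears in /var/log/messages (the mail client wrapped it),
# plus an unrelated constructed line to show non-AVC records are skipped.
SAMPLE_LOG = [
    'May  3 10:02:51 stantz kernel: audit(1146675771.487:308): avc:  denied '
    '{ rename } for  pid=3845 comm="semodule" name="active" dev=hda4 '
    'ino=2319743 scontext=user_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir',
    'May  3 10:02:52 stantz sshd[1234]: Accepted publickey for root from 10.0.0.5',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    decision: str
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, ctx_key: str) -> Optional[str]:
        """Return the type component (third field) of a user:role:type:level context."""
        ctx = self.fields.get(ctx_key)
        if ctx is None:
            return None
        parts = ctx.split(':')
        return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one syslog line; return None if it carries no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(m.group('decision'), perms, fields)


def diagnose(avc: Avc) -> Optional[str]:
    """Hypothetical triage rule built from the thread: semodule (semanage_t)
    denied rename on a directory labelled selinux_config_t means the module
    store under /etc/selinux/targeted/modules has lost its labels.  The
    advice is the one given in the reply; the rule shape is an assumption."""
    if (avc.decision == 'denied'
            and 'rename' in avc.perms
            and avc.fields.get('tclass') == 'dir'
            and avc.type_of('scontext') == 'semanage_t'
            and avc.type_of('tcontext') == 'selinux_config_t'):
        return ('module store mislabeled; run '
                'restorecon -R /etc/selinux/targeted/modules')
    return None


def triage(lines) -> List[Tuple[Optional[str], List[str], Optional[str], Optional[str], Optional[str]]]:
    """Return (comm, perms, source type, target type, diagnosis) per AVC line."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        results.append((avc.fields.get('comm'), avc.perms,
                        avc.type_of('scontext'), avc.type_of('tcontext'),
                        diagnose(avc)))
    return results


if __name__ == '__main__':
    for comm, perms, stype, ttype, verdict in triage(SAMPLE_LOG):
        print(f'{comm}: {" ".join(perms)} {stype} -> {ttype}: {verdict or "no rule matched"}')
```

Running it against the constructed sample prints one line for the semodule denial with the restorecon advice and nothing for the sshd line. Because the rule keys on the type fields rather than the whole context string, it matches whether the audit record carries MLS levels (the :s0 suffix seen here) or not.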
