problems with latest mls policy

Daniel J Walsh dwalsh at redhat.com
Fri Sep 8 18:11:37 UTC 2006


Stefan wrote:
> Hi,
>
> I did an update of the mls policy last night (the version before was 
> 1,5 months old) and now cron can't change its context to logrotate. 
> Only two modules seem to be installed in /usr/share/selinux/mls: 
> base.pp and enableaudit.pp
These are the only two.
> If I install the strict policy there are a lot of policy modules 
> installed even logrotate.pp.
> Someone any ideas?
Strict policy is fully modularized, which is why there are so many.  mls 
is a much smaller subset of packages.
>
> The following packages are installed:
> selinux-policy-2.3.7-2.fc5
> selinux-policy-mls-2.3.7-2.fc5
> selinux-policy-devel-2.3.7-2.fc5
>
> Best regards,
> Stefan
>
> PS: Here is a list of all the avc denials (shown as the allow rules they would require):
> allow user_crond_t NetworkManager_var_run_t:dir getattr;
> allow user_crond_t acct_data_t:dir { getattr search };
> allow user_crond_t acct_data_t:file getattr;
> allow user_crond_t alsa_etc_rw_t:dir getattr;
> allow user_crond_t apmd_log_t:file getattr;
> allow user_crond_t auditd_log_t:dir getattr;
> allow user_crond_t avahi_var_run_t:dir getattr;
> allow user_crond_t bin_t:dir { add_name remove_name write };
> allow user_crond_t bin_t:file { create relabelfrom relabelto rename 
> setattr unlink write };
> allow user_crond_t binfmt_misc_fs_t:dir getattr;
> allow user_crond_t bluetooth_conf_t:dir getattr;
> allow user_crond_t boot_t:dir getattr;
> allow user_crond_t cert_t:dir { getattr read search };
> allow user_crond_t crack_db_t:dir getattr;
> allow user_crond_t cron_spool_t:dir { getattr search };
> allow user_crond_t cvs_data_t:dir getattr;
> allow user_crond_t data_t:dir { getattr read search };
> allow user_crond_t dbusd_etc_t:dir { getattr search };
> allow user_crond_t default_context_t:dir { getattr read search };
> allow user_crond_t default_t:dir getattr;
> allow user_crond_t devlog_t:sock_file write;
> allow user_crond_t devpts_t:dir getattr;
> allow user_crond_t dhcpc_state_t:dir getattr;
> allow user_crond_t dhcpd_state_t:dir { getattr read search };
> allow user_crond_t etc_mail_t:dir getattr;
> allow user_crond_t etc_runtime_t:dir getattr;
> allow user_crond_t etc_t:dir { add_name remove_name write };
> allow user_crond_t etc_t:file { create rename setattr unlink write };
> allow user_crond_t file_context_t:dir { getattr read search };
> allow user_crond_t firstboot_rw_t:dir { getattr search };
> allow user_crond_t fonts_t:dir getattr;
> allow user_crond_t home_root_t:dir read;
> allow user_crond_t httpd_config_t:dir { getattr search };
> allow user_crond_t httpd_log_t:dir { getattr read search };
> allow user_crond_t httpd_log_t:file { getattr read };
> allow user_crond_t httpd_modules_t:dir { getattr read search };
> allow user_crond_t httpd_modules_t:file { getattr read };
> allow user_crond_t httpd_sys_content_t:dir { getattr read search };
> allow user_crond_t httpd_sys_script_exec_t:dir getattr;
> allow user_crond_t httpd_var_lib_t:dir getattr;
> allow user_crond_t hwdata_t:dir { getattr search };
> allow user_crond_t initrc_tmp_t:dir getattr;
> allow user_crond_t ipsec_conf_file_t:dir { getattr search };
> allow user_crond_t ipsec_exec_t:file { relabelto rename unlink };
> allow user_crond_t ipsec_key_file_t:dir getattr;
> allow user_crond_t ipsec_var_run_t:dir getattr;
> allow user_crond_t lib_t:dir { add_name remove_name write };
> allow user_crond_t lib_t:file { create relabelfrom relabelto rename 
> setattr unlink write };
> allow user_crond_t locate_var_lib_t:dir { add_name getattr read 
> remove_name search write };
> allow user_crond_t locate_var_lib_t:file { create getattr read rename 
> setattr unlink write };
> allow user_crond_t logrotate_var_lib_t:file { getattr read write };
> allow user_crond_t logwatch_cache_t:dir { add_name create getattr read 
> remove_name rmdir search write };
> allow user_crond_t logwatch_cache_t:file { create getattr ioctl read 
> unlink write };
> allow user_crond_t lost_found_t:dir getattr;
> allow user_crond_t lvm_etc_t:dir { getattr search };
> allow user_crond_t lvm_lock_t:dir getattr;
> allow user_crond_t lvm_metadata_t:dir getattr;
> allow user_crond_t mail_spool_t:dir { getattr read };
> allow user_crond_t mail_spool_t:lnk_file read;
> allow user_crond_t man_t:dir { getattr read search setattr };
> allow user_crond_t man_t:file { getattr read setattr write };
> allow user_crond_t mdadm_var_run_t:dir getattr;
> allow user_crond_t mnt_t:dir { getattr search };
> allow user_crond_t modules_object_t:dir { getattr read search };
> allow user_crond_t mqueue_spool_t:dir getattr;
> allow user_crond_t mrtg_etc_t:dir getattr;
> allow user_crond_t mrtg_lock_t:dir getattr;
> allow user_crond_t mrtg_var_lib_t:dir getattr;
> allow user_crond_t named_cache_t:dir getattr;
> allow user_crond_t named_conf_t:dir { getattr read search };
> allow user_crond_t named_var_run_t:dir { getattr read search };
> allow user_crond_t named_zone_t:dir { getattr read search };
> allow user_crond_t net_conf_t:file { getattr read };
> allow user_crond_t netif_t:netif { rawip_recv rawip_send };
> allow user_crond_t netutils_exec_t:file { relabelto rename unlink };
> allow user_crond_t nmbd_t:process signal;
> allow user_crond_t nmbd_var_run_t:file { getattr read };
> allow user_crond_t node_t:node { rawip_recv rawip_send };
> allow user_crond_t nscd_var_run_t:dir { getattr search };
> allow user_crond_t ntp_drift_t:dir { getattr read search };
> allow user_crond_t pam_var_console_t:dir getattr;
> allow user_crond_t pam_var_run_t:dir getattr;
> allow user_crond_t policy_config_t:dir { getattr read search };
> allow user_crond_t postfix_etc_t:dir { getattr search };
> allow user_crond_t postfix_etc_t:file { getattr read };
> allow user_crond_t postfix_private_t:dir getattr;
> allow user_crond_t postfix_public_t:dir { getattr search };
> allow user_crond_t postfix_public_t:fifo_file { getattr write };
> allow user_crond_t postfix_spool_bounce_t:dir getattr;
> allow user_crond_t postfix_spool_flush_t:dir getattr;
> allow user_crond_t postfix_spool_maildrop_t:dir { add_name getattr 
> read remove_name search write };
> allow user_crond_t postfix_spool_maildrop_t:file { create getattr 
> rename setattr write };
> allow user_crond_t postfix_spool_t:dir { getattr read search };
> allow user_crond_t pppd_etc_t:dir { getattr search };
> allow user_crond_t pppd_var_run_t:dir getattr;
> allow user_crond_t prelink_log_t:file { append getattr write };
> allow user_crond_t print_spool_t:dir getattr;
> allow user_crond_t radvd_var_run_t:dir getattr;
> allow user_crond_t rpm_exec_t:file { relabelto rename unlink };
> allow user_crond_t rpm_log_t:file { append getattr read write };
> allow user_crond_t rpm_var_lib_t:dir { getattr read search write };
> allow user_crond_t rpm_var_lib_t:file { getattr lock read write };
> allow user_crond_t samba_etc_t:dir getattr;
> allow user_crond_t samba_log_t:dir { add_name getattr read remove_name 
> search write };
> allow user_crond_t samba_log_t:file { create getattr read rename 
> setattr write };
> allow user_crond_t samba_var_t:dir { getattr read search };
> allow user_crond_t saslauthd_exec_t:file { relabelto rename unlink };
> allow user_crond_t saslauthd_var_run_t:dir getattr;
> allow user_crond_t sbin_t:dir { add_name remove_name write };
> allow user_crond_t sbin_t:file { create relabelfrom relabelto rename 
> setattr unlink write };
> allow user_crond_t security_t:dir read;
> allow user_crond_t semanage_store_t:dir { getattr search };
> allow user_crond_t sendmail_log_t:dir getattr;
> allow user_crond_t shlib_t:file { relabelto rename unlink };
> allow user_crond_t smbd_t:process signal;
> allow user_crond_t smbd_var_run_t:file { getattr read };
> allow user_crond_t src_t:dir getattr;
> allow user_crond_t staff_home_dir_t:dir { getattr search };
> allow user_crond_t staff_home_ssh_t:dir getattr;
> allow user_crond_t stunnel_etc_t:dir getattr;
> allow user_crond_t sysadm_home_ssh_t:dir getattr;
> allow user_crond_t sysadm_home_t:dir { getattr read search };
> allow user_crond_t sysctl_fs_t:dir { getattr search };
> allow user_crond_t sysfs_t:dir getattr;
> allow user_crond_t syslogd_t:unix_dgram_socket sendto;
> allow user_crond_t system_cron_spool_t:dir getattr;
> allow user_crond_t system_dbusd_var_run_t:dir getattr;
> allow user_crond_t tdm2_etc_t:dir { getattr search };
> allow user_crond_t tmp_t:dir { add_name read remove_name setattr write };
> allow user_crond_t tmp_t:file { append create getattr ioctl read 
> unlink write };
> allow user_crond_t tmpfs_t:dir getattr;
> allow user_crond_t self:capability { chown fowner fsetid setgid setuid };
> allow user_crond_t self:netlink_route_socket { bind create getattr 
> nlmsg_read read write };
> allow user_crond_t self:process { setfscreate setrlimit };
> allow user_crond_t self:tcp_socket { connect create read write };
> allow user_crond_t self:udp_socket { create ioctl read write };
> allow user_crond_t var_lib_nfs_t:dir { getattr read search };
> allow user_crond_t var_lib_t:dir { getattr read search };
> allow user_crond_t var_lib_t:file { getattr write };
> allow user_crond_t var_lock_t:dir { add_name getattr read remove_name 
> search write };
> allow user_crond_t var_lock_t:file { create unlink write };
> allow user_crond_t var_log_t:dir read;
> allow user_crond_t var_log_t:file { getattr read };
> allow user_crond_t var_run_t:dir { add_name remove_name write };
> allow user_crond_t var_run_t:file { create getattr unlink write };
> allow user_crond_t var_spool_t:dir read;
> allow user_crond_t var_spool_t:file { read setattr write };
> allow user_crond_t var_t:dir read;
> allow user_crond_t var_t:file { setattr write };
> allow user_crond_t var_yp_t:dir getattr;
> allow user_crond_t winbind_var_run_t:dir getattr;
> allow user_crond_t wtmp_t:file getattr;
>
Please attach your message log; the generated allow rules alone do not show which command or file triggered each denial.
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list



