How to apply new policy exactly?

Benjamin Tsai benjamin.tsai at intervideo.com
Thu Sep 21 02:26:24 UTC 2006


Sorry, I didn't make myself clear ... enough.
I thought that if I want to build and load my own policy successfully, I
should "feel" and confirm that the build path works on my box in
advance.
I shall have a valid .te file, and with that, I can compile/load it
without errors and see it working correctly. That's why I started with
audit2allow; it's merely a test for me.  =)

As for the warning, yes, I did see my module installed through semodule
-l. However, why the warning? It's fc5 on my box, not debian, so
surely I don't have dpkg installed. Besides, I checked with semodule and
didn't see dpkg. It's so weird to see a warning about something I don't
have.

By the way, thank you so much for clarifying my problems. =)

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Thursday, September 21, 2006 5:28 AM
To: Benjamin Tsai
Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua
Brindle; fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Wed, 2006-09-20 at 11:06 +0800, Benjamin Tsai wrote:
> Thank you for the reply, I am now a bit closer to the right track. :)
> 
> To work the build path around, I start with "audit2allow."
> With my box installed with selinux-policy-strict-2.3.7-2.fc5 and
> turned selinux mode to "permissive," I run audit2allow as follows:

Hmmm...I'm confused again.  I thought you said that you didn't want
strict policy per se, just policy for your own daemon.  Did you change
your mind?  Just want to be clear on your goals.

If you want strict, then the next question is whether that fc5 strict
policy package actually works.  Dan or Karl?  Last I looked, fc5 didn't
have a libsepol/checkpolicy combo that included the final
optionals-in-base fixes, and thus the modularized strict policy was
broken there.  

> #audit2allow -m dmesg -d > dmesg.te
> #checkmodule -M -m -o dmesg.mod dmesg.te
> #semodule_package -o dmesg.pp -m dmesg.mod
> #semodule -I dmesg.pp
> 
> Then I had the following errors:
> 
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0
> and system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0
> and system_u:object_r:apt_exec_t:s0).
> 
> I googled up your reply on the same errors in 2004, and it says:
> "You shouldn't enable both rpm.te and dpkg.te in the same policy; they
> conflict."
> 
> Without policy source, how can I disable either rpm.te or dpkg.te?
> Besides, I tried to mark rules related to rpm in my .te file, but it
> didn't fix the problem.

First, those are just warnings, not fatal errors, and they aren't likely
relevant to you.

Second, if rpm and dpkg were built modular, then you should just be able
to semodule -r them, e.g.
	semodule -r dpkg 

I don't think you want to disable rpm on a fedora system ;)

Third, your dmesg module has lots of rules that I don't think you really
want to allow, so you need to prune out most of it.  Looks like you were
trying to do privileged operations as a staff_r user rather than first
newrole'ing to sysadm_r, and like you didn't restorecon your home
directory after setting up your role for staff_r so that it had the
right type (staff_home_* instead of user_home_*).


-- 
Stephen Smalley
National Security Agency
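As an added example, not from this thread: a small POSIX shell helper that does the pruning Stephen describes, keeping only the rules whose source type is the domain you are actually writing policy for, and then runs the checkmodule/semodule_package chain quoted above when those tools are installed. The sample module, its type names and the rules in it are constructed for illustration, not real audit2allow output.

```shell
#!/bin/sh
# Prune an audit2allow-generated .te down to rules whose source type is the
# domain you mean to confine, then build it with the thread's checkmodule /
# semodule_package chain.  The sample module below is constructed.

# prune_te IN.te DOMAIN -> pruned policy on stdout, dropped rules on stderr
prune_te() {
    awk -v dom="$2" '
        $1 == "allow" || $1 == "dontaudit" || $1 == "auditallow" {
            if ($2 == dom) { print; next }
            # a rule sourced from another domain (e.g. staff_t) usually
            # reflects the wrong role or a mislabel, not the daemon itself
            printf("dropped: %s\n", $0) > "/dev/stderr"
            next
        }
        { print }   # module header and require block pass through
    ' "$1"
}

# build_module NAME.te -> NAME.pp; skipped where the SELinux userland is
# absent so the script still runs on a non-SELinux box
build_module() {
    name=${1%.te}
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; skipping build of $name.pp" >&2
        return 0
    fi
    checkmodule -M -m -o "$name.mod" "$1" &&
        semodule_package -o "$name.pp" -m "$name.mod"
}

# Constructed sample resembling audit2allow -m dmesg output when the denials
# came from a staff_r shell with a mislabelled home directory.
WORK=$(mktemp -d)
SAMPLE_TE=$WORK/dmesg.te
PRUNED_TE=$WORK/dmesg-pruned.te
cat > "$SAMPLE_TE" <<'EOF'
module dmesg 1.0;
require {
    type staff_t; type dmesg_t; type user_home_t; type kernel_t;
    class file read; class system syslog_read;
}
allow staff_t user_home_t:file read;
allow staff_t kernel_t:system syslog_read;
allow dmesg_t kernel_t:system syslog_read;
EOF

prune_te "$SAMPLE_TE" dmesg_t > "$PRUNED_TE"
build_module "$PRUNED_TE"
```

The dropped rules are echoed to stderr so you can see what the staff_r session caused before deciding whether any of it belongs in the daemon's own domain.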
