Strict policy on FC6 and F7

Stephen Smalley sds at tycho.nsa.gov
Fri Aug 10 12:04:49 UTC 2007


On Thu, 2007-08-09 at 19:36 -0700, Louis Lam wrote:
> Hi,
> 
> I'm still having problems compiling the local.te module. The problem
> i'm facing seems to be different from Hal's:
> 
> --------------------
> local.te:11:ERROR 'permission nlsms_relay is not defined for class
> netlink_audit_socket' at token '
> ;' on line 80809:
>         allow local_login_t self:netlink_audit_socket { { create
> { ioctl read getattr write setattr
>  append bind connect getopt setopt shutdown } } nlmsg_read
> nlsms_relay };

Looks like a typo in the policy includes to me (nlsms_relay vs.
nlmsg_relay).  

> #line 11
> /usr/bin/checkmodule:  error(s) encountered while parsing
> configuration
> make: *** [tmp/local.mod] Error 1
> ---------------------
> 
> My local.te file looks like this:
> -------------
> policy_module(local,1.0)
> 
> require {
> 
>         type local_login_t;
>         class netlink_audit_socket { append bind connect shutdown
> ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read
> create read };
> }
> 
> 
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
> 
> -------------
> 
> Seems like the problem is with the logging_set_loginuid macro. I'm not
> sure how to solve this problem though.
> 
> BTW here are some details on my environment:
> 
> 1. I'm using the stock policy for FC7 2.6.4-8
> 2. I did the compilation while running in targeted mode (will it
> affect?)
> 3. The macro logging_set_loginuid is defined in the file
> policy-20070501.patch
> 
> Here is an extract of how logging_set_loginuid is defined in the
> patch:
> 
> +########################################
> +## <summary>
> +##     Set login uid
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`logging_set_loginuid',`
> +       gen_require(`
> +               attribute can_set_loginuid;
> +               attribute can_send_audit_msg;
> +       ')
> +
> +       typeattribute $1 can_set_loginuid, can_send_audit_msg;
> +
> +       allow $1 self:capability audit_control;
> +       allow $1 self:netlink_audit_socket { create_socket_perms
> nlmsg_read nlsms_relay };
> +')
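Review bot: `nlsms_relay` in `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };` is not a permission of class netlink_audit_socket, which is exactly the token the checkmodule error quoted above rejects; it should read `nlmsg_relay`. Separately, the `gen_require` block makes the interface depend on the attributes `can_set_loginuid` and `can_send_audit_msg` being declared in the base policy the module is linked against, so a module using this interface will only build on a policy that carries the same patch.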

Looks like the typo is there, and that interface doesn't seem to be
present in the upstream refpolicy.

-- 
Stephen Smalley
National Security Agency
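A small pre-check for this kind of error, added here as an example and not code from the thread or from refpolicy: it lists the permission names used in a module's allow rules for a given class and reports any the class does not define. The permission list is a constructed, abridged copy of refpolicy's access_vectors entry for netlink_audit_socket, and the sample module reproduces the expanded rule from the error above.

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): flag permission names in a
# .te module's allow rules that the class does not define, before checkmodule.

# Constructed, abridged from refpolicy's access_vectors: permissions of class
# netlink_audit_socket (the common socket set plus its own nlmsg_* perms).
AUDIT_SOCK_PERMS="ioctl read write create getattr setattr lock relabelfrom
relabelto append bind connect listen accept getopt setopt shutdown recvfrom
sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write nlmsg_relay
nlmsg_readpriv"

# undefined_perms CLASS FILE: print each permission named in an
# "allow ... :CLASS { ... }" rule of FILE that is not in the list above.
undefined_perms() {
    class=$1; file=$2
    known=" $(printf '%s' "$AUDIT_SOCK_PERMS" | tr '\n' ' ') "
    # drop comments, join wrapped lines, split on ';', keep CLASS rules,
    # strip up to the class name, flatten nested braces, one perm per line
    sed 's/#.*//' "$file" | tr '\n' ' ' | tr ';' '\n' \
      | grep "allow .*:$class" \
      | sed "s/.*:$class[ ]*//; s/[{}]/ /g" \
      | tr ' ' '\n' | grep -v '^$' | sort -u \
      | while read -r perm; do
            case "$known" in
                *" $perm "*) ;;               # defined for the class
                *) printf '%s\n' "$perm" ;;   # typo or wrong class
            esac
        done
}

# check_class_perms CLASS FILE: report findings on one line; exit 1 if any.
check_class_perms() {
    bad=$(undefined_perms "$1" "$2")
    [ -z "$bad" ] && return 0
    printf '%s: not defined for %s: %s\n' "$2" "$1" "$(echo $bad)"
    return 1
}

# Constructed sample: the rule checkmodule rejected in the thread, i.e. the
# expansion of logging_set_loginuid(local_login_t) with the typo intact.
SAMPLE_TE=$(mktemp)
cat > "$SAMPLE_TE" <<'EOF'
policy_module(local,1.0)
require { type local_login_t; }
allow local_login_t self:capability audit_control;
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr
write setattr append bind connect getopt setopt shutdown } } nlmsg_read
nlsms_relay };
EOF
check_class_perms netlink_audit_socket "$SAMPLE_TE" || echo "fix the name and rebuild"
```

Run it against the local.te (or the expanded tmp/local.tmp that make produces) before invoking checkmodule; the class permission list can be swapped for the one from the policy you actually build against.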