Strict policy on FC6 and F7
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 10 15:16:12 UTC 2007
shintaro_fujiwara wrote:
> I think F7 strict policy is broken.
> Let's wait for a while until SELinux guys fix it.
> I decided to play with FC6 this time.
>
>
> On 2007-08-08 (Wed) at 14:43 -0700, Hal wrote:
>
>> Authentication failed again:(
>> but meanwhile I have checked firefox on strict policy on FC7 it does not work.
>>
>> --- shintaro_fujiwara <shin216 at xf7.so-net.ne.jp> wrote:
>>
>>
>>> On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
>>>
>>>> Well
>>>> I managed to compile the module, but
>>>> it does not work for me.
>>>> Compiled, loaded, set enforcing and: "authentication failed" again.
>>>>
>>>> I do not know if I am stupid, but I can not get along with this SELinux...
>>>>
>>>> Does this module work for you guys????
>>>>
>>>> hal
>>>>
>>>> --- "Christopher J. PeBenito" <cpebenito at tresys.com> wrote:
>>>>
>>>>
>>>>> On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
>>>>>
>>>>>> I have tried with
>>>>>> logging_send_audit_msgs(local_login_t)
>>>>>>
>>>>>> But still:
>>>>>> [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
>>>>>> Compiling strict local module
>>>>>> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
>>>>>> local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
>>>>>> #line 9
>>>>>> allow local_login_t self:capability audit_write;
>>>>>>
>>> Because we did not write
>>>
>>> class capability { audit_write };
>>>
>>> in the require braces.
>>>
>>> Write it and try again.
>>> Did you make it?
>>>
>>>
>>> As a matter of fact, I have another problem on strict policy.
>>> I ended up breaking F7 altogether eliminating libselinux with --nodeps.
>>> Now I'm trying to upgrade FC6 to F7.
>>> You can upgrade FC6 to F7, if you are tired of your process on F7.
>>> Do not stop trying strict policy. Never surrender.
>>> It's rewarding, and SELinux guys will guide you to the right place.
>>>
>>>
>>>
>>>>>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>>>>>> make: *** [tmp/local.mod] Error 1
>>>>>>
>>>>>> I really have no idea what all this means.
>>>>>> There is nowhere "allow" in local.te. If it is in this macro at the end...
>>>>>>
>>>>>> Do I need to install the policy source and edit it?
>>>>>>
>>>>> It is in the interface. You need to change this:
>>>>>
>>>>>
>>>>>>>> module local 1.0;
>>>>>>>>
>>>>> to this:
>>>>>
>>>>> policy_module(local,1.0)
>>>>>
>>>>> It will automatically require all of the kernel object classes.
>>>>>
>>>>> --
>>>>> Chris PeBenito
>>>>> Tresys Technology, LLC
>>>>> (410) 290-1411 x150
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>
>>
>>
>
>
I am not sure what is broken on Firefox on Strict policy as of Fedora
7. I have begun the merge of strict and targeted in rawhide Fedora Core
8/Test1. I have done some rewriting of the Mozilla/Firefox policy.
There were several problems in the existing policy and several problems
in the way the OS is designed. Mainly these dealt with the use of the
/tmp file system by gnome.
I have rewritten the mozilla policy to use one of three booleans.
firefox no network access (r/only)
Firefox with network access (R/O on homedir)
Firefox with network access (r/w on homedir)
firefox currently transitions from the user domain to
userdomain_mozilla_t. So for example
user_t -> user_mozilla_t. But I am allowing firefox to r/w user_tmp_t
as well as user_mozilla_tmp_t.
This allows firefox to interact with X sockets, gdm_files, iceauth
files, orbitz files. Trying to lock this down does not
work.
So if you want to use a locked down firefox, I would recommend looking
at Fedora 8 Test1, and setting up a xguest user.
xguest users can only access the web via firefox and are totally locked
down.
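The local.te module the quoted thread is debugging, reassembled here as an added example (not Hal's actual file, whose full contents are not on the page). It shows the corrected header that Chris PeBenito recommends, with the `require` block that shintaro_fujiwara describes noted in comments, so the capability class expanded from `logging_send_audit_msgs()` is already declared when checkmodule parses the allow rule.

```text
# local.te -- grants local_login_t permission to send audit messages.
#
# The failing version started with
#     module local 1.0;
# which is a raw module declaration: every object class and type used
# anywhere in the expanded policy must then be listed by hand, e.g.
#     require { type local_login_t; class capability { audit_write }; }
# Forgetting the capability class produces
#     ERROR 'unknown class capability used in rule'
# at the allow line that logging_send_audit_msgs() expands to.
#
# policy_module() replaces that header and automatically requires all of
# the kernel object classes, so only the types this module touches remain.
policy_module(local, 1.0)

gen_require(`
	type local_login_t;
')

# Expands to (among other rules):
#     allow local_login_t self:capability audit_write;
logging_send_audit_msgs(local_login_t)

# Build and load, as in the thread (paths assumed to be the Fedora defaults):
#     make -f /usr/share/selinux/devel/Makefile local.pp
#     semodule -i local.pp
```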