Strict policy on FC6 and F7

Daniel J Walsh dwalsh at redhat.com
Mon Aug 13 11:32:55 UTC 2007


Louis Lam wrote:
> Hi,
>
> I've fixed the typo problem on nlsms_relay. Now the module compiles ok, but I can't load it via
> semodule, i'm getting this error:
>
> semodule -vi local.pp
>
> libsepol.permission_copy_callback: Module local depends on permission nlsms_relay in class
> netlink_
> audit_socket, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
>
> My local.te looks like this now,
>
> ----------------------------
>
> policy_module(local,1.0)
>
> require {
>
>         type local_login_t;
>         class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown
> ge
> topt setopt write nlsms_relay nlmsg_read create read };
> }
>   
should be nlmsg_relay
NetLinkMeSsaGe :^)

> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> -----------------------
>
> I don't quite understand why there is a dependency not satisfied.
>
> Thanks,
> Louis
>
> --- Stephen Smalley <sds at tycho.nsa.gov> wrote:
>
>   
>> On Thu, 2007-08-09 at 19:36 -0700, Louis Lam wrote:
>>     
>>> Hi,
>>>
>>> I'm still having problems compiling the local.te module. The problem
>>> i'm facing seems to be different from Hal's:
>>>
>>> --------------------
>>> local.te:11:ERROR 'permission nlsms_relay is not defined for class
>>> netlink_audit_socket' at token '
>>> ;' on line 80809:
>>>         allow local_login_t self:netlink_audit_socket { { create
>>> { ioctl read getattr write setattr
>>>  append bind connect getopt setopt shutdown } } nlmsg_read
>>> nlsms_relay };
>>>       
>> Looks like a typo in the policy includes to me (nlsms_relay vs.
>> nlmsg_relay).  
>>
>>     
>>> #line 11
>>> /usr/bin/checkmodule:  error(s) encountered while parsing
>>> configuration
>>> make: *** [tmp/local.mod] Error 1
>>> ---------------------
>>>
>>> My local.te file looks like this:
>>> -------------
>>> policy_module(local,1.0)
>>>
>>> require {
>>>
>>>         type local_login_t;
>>>         class netlink_audit_socket { append bind connect shutdown
>>> ioctl getattr setattr shutdown ge
>>> topt setopt write nlmsg_relay nlmsg_read create read };
>>> }
>>>
>>>
>>> logging_send_audit_msg(local_login_t)
>>> logging_set_loginuid(local_login_t)
>>>
>>> -------------
>>>
>>> Seems like the problem is with logging_set_loginuid macro. I'm not
>>> sure how to solve this problem though.
>>>
>>> BTW here are some details on my environment:
>>>
>>> 1. I'm using the stock policy for FC7 2.6.4-8
>>> 2. I did the compilation while running in targeted mode (will it
>>> affect?)
>>> 3. The macro logging_set_loginuid is defined in the file
>>> policy-20070501.patch
>>>
>>> Here is an extract of how logging_set_loginuid is defined in the
>>> patch :
>>>
>>> +########################################
>>> +## <summary>
>>> +##     Set login uid
>>> +## </summary>
>>> +## <param name="domain">
>>> +##     <summary>
>>> +##     Domain allowed access.
>>> +##     </summary>
>>> +## </param>
>>> +#
>>> +interface(`logging_set_loginuid',`
>>> +       gen_require(`
>>> +               attribute can_set_loginuid;
>>> +               attribute can_send_audit_msg;
>>> +       ')
>>> +
>>> +       typeattribute $1 can_set_loginuid, can_send_audit_msg;
>>> +
>>> +       allow $1 self:capability audit_control;
>>> +       allow $1 self:netlink_audit_socket { create_socket_perms
>>> nlmsg_read nlsms_relay };
>>>       
>>> +')
>>>       
>> Looks like the typo is there, and that interface doesn't seem to be
>> present in the upstream refpolicy.
>>
>> -- 
>> Stephen Smalley
>> National Security Agency
>>
>>
>>     
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
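The thread shows a permission name that is misspelt in both the require block and the allow rule: checkmodule accepts it (the require block declares the symbol) and the failure only surfaces when semodule links the module against the base policy. The following checker is an added example, not code from the thread or from the refpolicy project: it scans a .te file for `class X { ... }` entries in require blocks and for `allow ... :X { ... }` rules, compares every permission against a table of known class permissions, and suggests the closest known name. The table here is constructed from the permissions named on this page; on a real system, replace it with the class definition taken from the loaded policy (for example via seinfo).

```python
import re
from difflib import get_close_matches

# Constructed table: the permissions of netlink_audit_socket as they appear in the
# thread's own require block and allow rule. Assumed sufficient for this example;
# in practice populate it from the policy actually loaded on the system.
KNOWN_CLASS_PERMS = {
    "netlink_audit_socket": {
        "append", "bind", "connect", "create", "getattr", "getopt", "ioctl",
        "read", "setattr", "setopt", "shutdown", "write",
        "nlmsg_read", "nlmsg_relay",
    },
}

# Constructed sample: the local.te from the thread, typo intact, plus an allow
# rule of the shape that the logging_set_loginuid interface expands to.
SAMPLE_TE = """policy_module(local,1.0)

require {
        type local_login_t;
        class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlsms_relay nlmsg_read create read };
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
allow local_login_t self:netlink_audit_socket { create nlmsg_read nlsms_relay };
"""

# 'class NAME { perms };' inside a require block.
CLASS_RE = re.compile(r"class\s+(\w+)\s*\{([^}]*)\}\s*;")
# 'allow SRC TGT:NAME { perms };' (flat permission sets only; nested braces are not parsed).
ALLOW_RE = re.compile(r"allow\s+\S+\s+\S+\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")


def closest(perm, known):
    """Best-guess correction for a misspelt permission, or None if nothing is close."""
    matches = get_close_matches(perm, sorted(known), n=1, cutoff=0.6)
    return matches[0] if matches else None


def check_te(text):
    """Return (line_no, class, perm, suggestion) for every permission a require block
    or allow rule names that the known class definition does not contain."""
    problems = []
    for regex in (CLASS_RE, ALLOW_RE):
        for m in regex.finditer(text):
            cls, perms = m.group(1), m.group(2).split()
            known = KNOWN_CLASS_PERMS.get(cls)
            if known is None:
                continue  # unknown class: outside this checker's table
            line_no = text.count("\n", 0, m.start()) + 1
            for p in perms:
                if p not in known:
                    problems.append((line_no, cls, p, closest(p, known)))
    return problems


if __name__ == "__main__":
    for line_no, cls, perm, hint in check_te(SAMPLE_TE):
        fix = f" (did you mean {hint}?)" if hint else ""
        print(f"line {line_no}: {cls} has no permission {perm!r}{fix}")
```

Running it on the sample reports the bad name twice, once for the require block and once for the allow rule, with nlmsg_relay as the suggestion in both cases; on the corrected file it reports nothing. Catching this before `semodule -i` saves a round trip through the much less direct "depends on permission ... not satisfied" message from the linker.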



