Strict policy on FC6 and F7

Daniel J Walsh dwalsh at redhat.com
Wed Aug 15 11:05:28 UTC 2007


Louis Lam wrote:
> Hi Dan,
>
> For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the
> following rpms
>
> selinux-policy
> selinux-policy-devel
> selinux-policy-targeted
> selinux-policy-strict
>
> But I left the libselinux libraries alone since the rpm upgrade went through without complains. I
> can't use YUM because my system is not directly connected to the internet.
>
> But I'm still faced with the problem of not being able to logon as root at runlevel 5, gui login.
> Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well?
>
>   
What error are you seeing at the gui login?
> Thanks,
> Louis
>
> --- Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>   
>> Louis Lam wrote:
>>     
>>> Hi Dan,
>>>
>>> I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm 
>>> not too sure where to go and how to get the latest policy version. Do 
>>> i take the latest policy version and remake the source RPM? Or are 
>>> there pre-packaged rpms that I can use to upgrade?
>>>
>>>       
>> You should be able to simply do a yum update.
>>     
>>> You didn't see this problem in RHEL 5? Do i need the local.te module 
>>> if I use the "stock" RHEL 5? I tried switching to strict policy in 
>>> RHEL 5 and cannot login with root. But I can log in as a normal user. 
>>> Is it "normal" that this restriction be placed on root? Is the 
>>> local.te trying to enable root login?
>>>       
>> No this sounds like either a bug or a labeling problem in RHEL5.  You 
>> should be able to login as root.  You might want to update to the U1 
>> policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
>>     
>>> Thanks,
>>> Louis
>>>
>>> ----- Original Message ----
>>> From: Daniel J Walsh <dwalsh at redhat.com>
>>> To: Louis Lam <lshoujun at yahoo.com>
>>> Cc: shintaro_fujiwara <shin216 at xf7.so-net.ne.jp>; Hal 
>>> <hal_bg at yahoo.com>; fedora-selinux-list at redhat.com; cpebenito at tresys.com
>>> Sent: Friday, August 10, 2007 11:17:42 PM
>>> Subject: Re: Strict policy on FC6 and F7
>>>
>>> Louis Lam wrote:
>>>       
>>>> Hi,
>>>>
>>>> I'm still having problems compiling the local.te module. The problem
>>>> i'm facing seems to be different from Hal's:
>>>>
>>>> --------------------
>>>> local.te:11:ERROR 'permission nlsms_relay is not defined for class
>>>> netlink_audit_socket' at token '
>>>> ;' on line 80809:
>>>>         allow local_login_t self:netlink_audit_socket { { create {
>>>> ioctl read getattr write setattr
>>>>  append bind connect getopt setopt shutdown } } nlmsg_read
>>>> nlsms_relay };
>>>> #line 11
>>>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>>>> make: *** [tmp/local.mod] Error 1
>>>> ---------------------
>>>>
>>>> My local.te file looks like this:
>>>> -------------
>>>> policy_module(local,1.0)
>>>>
>>>> require {
>>>>
>>>>         type local_login_t;
>>>>         class netlink_audit_socket { append bind connect shutdown
>>>> ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
>>>> }
>>>>
>>>>
>>>> logging_send_audit_msg(local_login_t)
>>>> logging_set_loginuid(local_login_t)
>>>>
>>>> -------------
>>>>
>>>> Seems like the problem is with logging_set_loginuid macro. I'm not
>>>> sure how to solve this problem though.
>>>>
>>>> BTW here are some details on my environment:
>>>>
>>>> 1. I'm using the stock policy for FC7 2.6.4-8
>>>> 2. I did the compilation while running in targeted mode (will it
>>>> affect?)
>>>> 3. The macro logging_set_loginuid is defined in the file
>>>> policy-20070501.patch
>>>>
>>>> Here is an extract of how logging_set_loginuid is defined in the patch :
>>>>
>>>> +########################################
>>>> +## <summary>
>>>> +##     Set login uid
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##     <summary>
>>>> +##     Domain allowed access.
>>>> +##     </summary>
>>>> +## </param>
>>>> +#
>>>> +interface(`logging_set_loginuid',`
>>>> +       gen_require(`
>>>> +               attribute can_set_loginuid;
>>>> +               attribute can_send_audit_msg;
>>>> +       ')
>>>> +
>>>> +       typeattribute $1 can_set_loginuid, can_send_audit_msg;
>>>> +
>>>> +       allow $1 self:capability audit_control;
>>>> +       allow $1 self:netlink_audit_socket { create_socket_perms
>>>> nlmsg_read nlsms_relay };
>>>> +')
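Review bot: 'nlsms_relay' on the line 'allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };' is a misspelling of 'nlmsg_relay', the permission name that the require block of the local.te above declares for netlink_audit_socket; checkmodule therefore rejects every module that calls this interface with the "permission nlsms_relay is not defined for class netlink_audit_socket" error quoted at the top of the message, which is why the failure looks like it comes from logging_set_loginuid. Change the last permission in that allow rule to 'nlmsg_relay' and the interface expands to the same permissions the local.te already requires.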
>>>>
>>>> Hope it helps in solving the problem...
>>>>
>>>> Thanks,
>>>> Louis
>>>>         
>>> I am not seeing this in RHEL5, FC6, F7 or F8.  So are you sure you are
>>> using the latest policy?
>>>
>>>
>>> Send instant messages to your online friends 
>>> http://uk.messenger.yahoo.com 
>>>       
>>     
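Added example for this thread (not code from the original message, from the reference policy, or from checkmodule): a small Python checker that scans the allow rules in a .te file and reports permission names that the object class does not define, suggesting the closest defined name. Run over the rule exactly as checkmodule expanded it in the error above, it flags nlsms_relay and proposes nlmsg_relay, so the typo is caught before the module build. The KNOWN_PERMS table is an assumption seeded from the require block quoted in the thread plus the usual socket permissions; in practice it should be generated from the policy's own access vector definitions, and lint_te, flatten_perms and SAMPLE_TE are names chosen here for illustration.

```python
"""Check permission names in SELinux .te 'allow' rules against the
permissions each object class is known to define.

Added example; not code from the mailing-list thread or the reference
policy.  KNOWN_PERMS is an assumption built from the 'require' block
quoted in the thread plus the standard socket permissions; regenerate
it from your own policy's access vector definitions.
"""
import difflib
import re

# Assumed permission sets (constructed for this example).
KNOWN_PERMS = {
    "netlink_audit_socket": {
        "ioctl", "read", "getattr", "write", "setattr", "append",
        "bind", "connect", "getopt", "setopt", "shutdown", "create",
        "lock", "nlmsg_read", "nlmsg_write", "nlmsg_relay",
        "nlmsg_readpriv",
    },
    "capability": {"audit_control", "audit_write", "sys_admin"},
}

# Matches: allow <src> <tgt>:<class> <perms> ;  (perms may be braced/nested)
ALLOW_RE = re.compile(
    r"\ballow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\w+)\s+(?P<perms>[^;]+);"
)


def flatten_perms(text):
    """Return the permission names inside a possibly nested { ... } block."""
    # Nested braces such as '{ { create { ioctl read } } nlmsg_read }' are
    # only grouping, as in the expanded rule from the thread, so drop them.
    return [tok for tok in re.sub(r"[{}]", " ", text).split() if tok]


def lint_te(source, known=KNOWN_PERMS):
    """Return (class, bad_perm, suggestion) for every permission in an
    allow rule that is not defined for its class.  suggestion is None
    when no known permission name is close enough."""
    problems = []
    for m in ALLOW_RE.finditer(source):
        cls = m.group("cls")
        if cls not in known:
            continue  # class not in the table; nothing to judge against
        for perm in flatten_perms(m.group("perms")):
            if perm in known[cls]:
                continue
            close = difflib.get_close_matches(
                perm, sorted(known[cls]), n=1, cutoff=0.6)
            problems.append((cls, perm, close[0] if close else None))
    return problems


# Constructed sample: the rule as checkmodule expanded it in the thread,
# including the misspelt permission that caused the build failure.
SAMPLE_TE = """
policy_module(local,1.0)
require { type local_login_t; }
allow local_login_t self:capability audit_control;
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr
write setattr append bind connect getopt setopt shutdown } } nlmsg_read
nlsms_relay };
"""

if __name__ == "__main__":
    for cls, perm, hint in lint_te(SAMPLE_TE):
        print(f"{cls}: permission '{perm}' is not defined"
              + (f" (did you mean '{hint}'?)" if hint else ""))
```

Point lint_te at the output of `make -f /usr/share/selinux/devel/Makefile` failures or at the .te itself; because the expansion of interfaces such as logging_set_loginuid only appears in the error text, checking the expanded rule quoted by checkmodule is what locates a typo that lives in an interface file rather than in local.te.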



