Debian testing +selinux

Justin Conover justin.conover at
Mon Jul 23 14:09:03 UTC 2007

I'm not sure if there is a regular selinux mailing list or not, I mainly use
Fedora but thought someone here might be able to help.

I'm playing with selinux on Debian Testing and decided to try and write a
policy from following the fc5 faq

Here is what I have done:

comatose:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        refpolicy-targeted

comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
comatose:~# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to local.mod
comatose:~# semodule_package -o local.pp -m local.mod
comatose:~# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
hald_t memory_device_t:chr_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

comatose:~# cat local.te

module local 1.0;

require {
        type unconfined_t;
        type lib_t;
        type xserver_log_t;
        type mount_t;
        type var_run_t;
        type syslogd_t;
        type etc_runtime_t;
        type initrc_t;
        type xdm_t;
        type udev_t;
        type device_t;
        type hald_t;
        type xdm_xserver_t;
        type memory_device_t;
        type insmod_t;
        type dhcpc_t;
        type var_t;
        type etc_t;
        type security_t;
        class fifo_file write;
        class process { execstack execmem signal };
        class unix_stream_socket { read write };
        class chr_file read;
        class fd use;
        class file { write rename getattr append read create unlink
execute_no_trans };
        class filesystem getattr;
        class dir { write remove_name create add_name rmdir };

#============= dhcpc_t ==============
allow dhcpc_t etc_runtime_t:file unlink;

#============= hald_t ==============
allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };

#============= insmod_t ==============
allow insmod_t xdm_t:fd use;
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= mount_t ==============
allow mount_t security_t:filesystem getattr;

#============= syslogd_t ==============
allow syslogd_t device_t:fifo_file write;

#============= udev_t ==============
allow udev_t etc_t:dir { write remove_name add_name };
allow udev_t etc_t:file { write rename create unlink append };
allow udev_t initrc_t:process signal;
allow udev_t lib_t:file execute_no_trans;
allow udev_t var_run_t:dir { create rmdir };

#============= unconfined_t ==============
allow unconfined_t self:process { execstack execmem };
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the fedora-selinux-list mailing list