selinux-policy-strict bug

Paul S nnm.one at gmail.com
Tue Jun 5 22:48:30 UTC 2007


selinux-policy-strict seems to fail to allow remote access to sshd on
Fedora 7 (2.6.21-1.3194.fc7). I've installed Fedora 7 with all the package
collections disabled in the installer for a minimal system, installed the
necessary tools for SELinux and the strict policy, and enabled it. I installed
sshd, touched /.autorelabel and rebooted (twice). When I enable enforcing
mode and try to ssh in from the LAN, I get AVC messages because of denied
access ("permission denied" after entering the password on the client). I
tried to make a module to allow it, but I get assertions when installing
the modules.

#######################################################

[root at area51 sshd]# cat MYsshd.te
module MYsshd 1.0;

# types and object classes this local module references from the base policy
require {
        type staff_t;
        type user_home_dir_t;
        type sshd_t;
        class file { write ioctl };
        class capability { audit_control audit_write };
        class netlink_audit_socket { create nlmsg_relay write read };
}

#============= sshd_t ==============
# let sshd send audit records (the accesses denied in the AVC messages)
allow sshd_t self:capability { audit_control audit_write };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };

#============= staff_t =============
# let the staff domain write files in the user home directory
allow staff_t user_home_dir_t:file { write ioctl };

-------------------------------------------------------

[root at area51 sshd]# semodule -i MYsshd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_control };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

#######################################################

cat /var/log/messages | audit2allow -M MYautogen
semodule -i MYautogen.pp

-------------------------------------------------------

libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_t security_t:security { load_policy };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_xserver_t staff_xserver_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
local_login_t local_login_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
setfiles_t setfiles_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
local_login_t local_login_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_t staff_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_t staff_t:capability { sys_module };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_xserver_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_xserver_t shadow_t:file { read };
libsepol.check_assertions: 16 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
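The assertion messages above are libsepol reporting that a rule in the module collides with a neverallow in the base policy, and semodule refuses the whole module rather than just the offending permissions. The script below is an added example (my code, not from the post and not part of the Fedora policy tools): it takes the MYsshd.te from the post and the exact assertion output semodule printed, removes only the (source, target, class, permission) tuples the assertions name, and reports what it dropped, so the rest of the module can be rebuilt and loaded while the rejected permissions are handled separately. The sample module and assertion text are embedded verbatim from the post; the `self` normalisation is my assumption from the fact that libsepol prints `sshd_t sshd_t:capability` for a rule written as `allow sshd_t self:capability`.

```python
"""Strip allow rules that libsepol's neverallow assertions rejected.

Added example for the thread above (not from the original post). Input is a
.te module plus the stderr of `semodule -i`; output is the module with only
the rejected permissions removed, and a log of each drop.
"""
import re
from typing import Dict, List, Set, Tuple

# MYsshd.te as posted in the thread.
MODULE_TE = """\
module MYsshd 1.0;

require {
        type staff_t;
        type user_home_dir_t;
        type sshd_t;
        class file { write ioctl };
        class capability { audit_control audit_write };
        class netlink_audit_socket { create nlmsg_relay write read };
}

#============= sshd_t ==============
allow sshd_t self:capability { audit_control audit_write };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };

#============= staff_t =============
allow staff_t user_home_dir_t:file { write ioctl };
"""

# semodule output as posted; note each rejected rule wraps onto a second line.
ASSERTION_OUTPUT = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_control };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
"""

Rule = Tuple[str, str, str]  # (source type, target type, object class)

# "violated by allow SRC TGT:CLASS { perms };", tolerant of the line wrap
_ASSERT_RE = re.compile(
    r"violated by allow\s+(\S+)\s+(\S+):(\S+)\s*\{([^}]*)\}", re.S)
# an allow rule in a .te file, with either "{ a b }" or a single bare permission
_ALLOW_RE = re.compile(
    r"^(\s*)allow\s+(\S+)\s+(\S+):(\S+)\s*(?:\{([^}]*)\}|(\S+?))\s*;\s*$")


def parse_assertions(text: str) -> Dict[Rule, Set[str]]:
    """Collect the permissions libsepol rejected, keyed by (src, tgt, class)."""
    rejected: Dict[Rule, Set[str]] = {}
    for src, tgt, cls, perms in _ASSERT_RE.findall(text):
        rejected.setdefault((src, tgt, cls), set()).update(perms.split())
    return rejected


def strip_rejected(te_text: str, assertion_text: str) -> Tuple[str, List[str]]:
    """Return the module with rejected permissions removed, plus a change log."""
    rejected = parse_assertions(assertion_text)
    out_lines: List[str] = []
    log: List[str] = []
    for line in te_text.splitlines():
        m = _ALLOW_RE.match(line)
        if not m:
            out_lines.append(line)  # require block, comments, blank lines
            continue
        indent, src, tgt, cls, braced, single = m.groups()
        # assumption: libsepol reports a "self" target as the source type itself
        key = (src, src if tgt == "self" else tgt, cls)
        perms = (braced or single).split()
        drop = rejected.get(key, set())
        keep = [p for p in perms if p not in drop]
        log.extend(f"dropped {src} {tgt}:{cls} {p}" for p in perms if p in drop)
        if not keep:
            continue  # every permission was rejected: drop the whole rule
        out_lines.append(f"{indent}allow {src} {tgt}:{cls} {{ {' '.join(keep)} }};")
    return "\n".join(out_lines) + "\n", log


if __name__ == "__main__":
    new_te, changes = strip_rejected(MODULE_TE, ASSERTION_OUTPUT)
    print("\n".join(changes))
    print(new_te)
```

On the post's input this drops both capability permissions (so that rule disappears) and `nlmsg_relay` from the netlink rule, leaving `create read write` and the staff_t rule untouched. Getting the module to load is not the same as fixing the login: in my reading of reference policy the `audit_write` capability and `nlmsg_relay` are deliberately neverallowed for any domain not granted them through the `logging_send_audit_msgs()` interface, so the right place for that grant is a `policy_module()`-based .te that calls the interface for sshd_t, or the base policy itself, which is what makes the denial a policy bug rather than something a raw allow rule should paper over.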