selinux-policy-strict bug
Stephen Smalley
sds at tycho.nsa.gov
Wed Jun 6 12:53:11 UTC 2007
On Wed, 2007-06-06 at 00:48 +0200, Paul S wrote:
> selinux-policy-strict seems to fail with allowing remote access to the
> sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all
> the package collections disabled for a minimal system in the
> installer, installed the necessary tools for selinux and the strict
> policy and enabled it. Installed sshd, touched /.autorelabel and
> rebooted (twice). When enabling the enforced mode, and try to ssh from
> the LAN, I get avc messages because of denied access ("permission
> denied" after entering the password on the client). I tried to make a
> module for allowing it but I get assertions when installing the
> modules.
Already reported, try updating to latest policy.
Or add:
require {
attribute can_set_loginuid;
attribute can_send_audit_msg;
}
typeattribute sshd_t can_set_loginuid, can_send_audit_msg;
to your .te file.
>
> #######################################################
>
> [root at area51 sshd]# cat MYsshd.te
> module MYsshd 1.0;
>
> require {
> type staff_t;
> type user_home_dir_t;
> type sshd_t;
> class file { write ioctl };
> class capability { audit_control audit_write };
> class netlink_audit_socket { create nlmsg_relay write read };
> }
>
> #============= sshd_t ==============
> allow sshd_t self:capability { audit_control audit_write };
> allow sshd_t self:netlink_audit_socket { create nlmsg_relay read
> write };
>
> #============= staff_t =============
> allow staff_t user_home_dir_t:file { write ioctl };
>
> -------------------------------------------------------
>
> [root at area51 sshd]# semodule -i MYsshd.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_control };
> libsepol.check_assertions: 3 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> #######################################################
>
> cat /var/log/messages | audit2allow -M MYautogen
> semodule -i MYautogen.pp
>
> -------------------------------------------------------
>
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t security_t:security { load_policy };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t staff_xserver_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> setfiles_t setfiles_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t staff_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t staff_t:capability { sys_module };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t shadow_t:file { write create };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t shadow_t:file { write create };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t shadow_t:file { read };
> libsepol.check_assertions: 16 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
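The assertion-violation lines above are neverallow rules in the base policy rejecting the module's raw allow rules; the reply's fix is to make sshd_t a member of the attributes the neverallows are keyed on instead. The following script is an added example, not part of the original thread and not an SELinux project tool: it parses libsepol's (possibly line-wrapped, possibly mail-quoted) violation output, maps the self-targeted audit permissions to the two attributes named in the reply (the mapping audit_control -> can_set_loginuid and audit_write / nlmsg_relay -> can_send_audit_msg is taken from the reply and assumed to hold for every domain, not only sshd_t), emits the require/typeattribute fragment in the reply's form, and leaves everything else (shadow_t writes, sys_module, load_policy) flagged rather than granted. The sample output is constructed from the violations shown above.

```python
"""Turn libsepol neverallow-assertion violations into the attribute-based fix
from the reply, and flag the violations that must stay denied."""
import re
from collections import defaultdict

# One violation may be wrapped across two lines by the mailer, so matching is
# done on whitespace-normalised text:
#   libsepol.check_assertion_helper: assertion on line 0 violated by allow
#   sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
VIOLATION_RE = re.compile(
    r"assertion on line \d+ violated by allow\s+"
    r"(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s*\{\s*(?P<perms>[^}]*)\}"
)

# (class, permission) -> attribute, as given in the reply. Assumption: the same
# attributes cover these permissions for any domain, not only sshd_t.
ATTRIBUTE_FOR = {
    ("capability", "audit_control"): "can_set_loginuid",
    ("capability", "audit_write"): "can_send_audit_msg",
    ("netlink_audit_socket", "nlmsg_relay"): "can_send_audit_msg",
}

# Constructed sample: the three sshd_t violations from the thread plus one
# shadow_t rule that no attribute should ever paper over.
SAMPLE_OUTPUT = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
staff_t shadow_t:file { write create };
libsepol.check_assertions: 4 assertion violations occured
"""


def parse_violations(text):
    """Return [(src, tgt, cls, perms_tuple)] from semodule/libsepol output.
    Leading '> ' mail quoting is stripped and lines are joined first."""
    cleaned = re.sub(r"(?m)^>\s?", "", text)
    joined = " ".join(cleaned.split())
    out = []
    for m in VIOLATION_RE.finditer(joined):
        perms = tuple(sorted(m.group("perms").split()))
        out.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return out


def classify(violations):
    """Split into {domain: {attribute}} to grant and a list of rejected
    (src, tgt, cls, perm) tuples. Only self-targeted audit permissions map
    to an attribute; anything else is a neverallow to respect, not bypass."""
    grants = defaultdict(set)
    rejected = []
    for src, tgt, cls, perms in violations:
        for perm in perms:
            attr = ATTRIBUTE_FOR.get((cls, perm))
            if attr and src == tgt:
                grants[src].add(attr)
            else:
                rejected.append((src, tgt, cls, perm))
    return dict(grants), rejected


def render_te(grants):
    """Emit the require/typeattribute fragment in the form used in the reply,
    also requiring each domain type so the fragment loads on its own."""
    attrs = sorted({a for attrset in grants.values() for a in attrset})
    lines = ["require {"]
    lines += [f"\ttype {dom};" for dom in sorted(grants)]
    lines += [f"\tattribute {a};" for a in attrs]
    lines.append("}")
    for dom in sorted(grants):
        lines.append(f"typeattribute {dom} {', '.join(sorted(grants[dom]))};")
    return "\n".join(lines)


def fix_module(text):
    """Convenience wrapper: (te_fragment, rejected_rules) for one semodule run."""
    grants, rejected = classify(parse_violations(text))
    return render_te(grants), rejected


if __name__ == "__main__":
    te, rejected = fix_module(SAMPLE_OUTPUT)
    print(te)
    for src, tgt, cls, perm in rejected:
        print(f"# NOT granted (neverallow): allow {src} {tgt}:{cls} {perm};")
```

Feed it the real semodule output (`semodule -i MYsshd.pp 2>&1 | python3 fix.py` with a stdin reader in place of SAMPLE_OUTPUT) and paste the printed fragment into the .te file in place of the raw audit allow rules; the rejected list is the part of audit2allow's output that should be investigated, not granted.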