* Can't login in F7 strict
@ 2007-06-03 1:20 Shintaro Fujiwara
From: Shintaro Fujiwara @ 2007-06-03 1:20 UTC
To: selinux
Hello.
I'm trying to work out the F7 strict policy.
My server is now FC6, so I'm trying to change it to 7.
I yum installed every selinux-related package.
I made localaudit.pp by typing
#audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te
at /usr/share/selinux/devel
#semodule -i localaudit.pp
violation reported by libsepol.chek_assertions
local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
local_login_t local_login_t:capability { audit_write };
local_login_t local_login_t:capability { audit_control };
So, I commented those lines out of localaudit.te, including the require brace.
This time I succeeded in installing localaudit.pp.
I restarted my machine with Enforcing/strict set.
During the startup process, I could see Keymap had failed.
I can't login from the console.
I typed as if on a US keyboard, not jp106, and still I can't.
Did you make the strict policy disallow logging in from the console?
What should I do?
homepage http://intrajp.no-ip.com/
SELinux Forum JP http://intrajp.no-ip.com/xoops
SELinux Wiki JP http://intrajp.no-ip.com/pukiwiki
my blog JP http://intrajp.no-ip.com/nucleus
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Can't login in F7 strict
@ 2007-06-05 12:48 Stephen Smalley
From: Stephen Smalley @ 2007-06-05 12:48 UTC
To: Shintaro Fujiwara; +Cc: selinux, Christopher J. PeBenito, Daniel J Walsh

On Sun, 2007-06-03 at 10:20 +0900, Shintaro Fujiwara wrote:
> Hello.
>
> I'm trying to work out on F7 strict policy.
> My server is now FC6, so I'm trying to change it 7.
>
> I yum installed every selinux related packages.
> I made localaudit.pp typing
> #audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te
> at /usr/share/selinux/devel
> #semodule -i localaudit.pp
> violation reported by libsepol.chek_assertions
>
> local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
> local_login_t local_login_t:capability { audit_write };
> local_login_t local_login_t:capability { audit_control };

These permissions should be allowed in the base policy, so this seems
like a bug in your specific policy. They appear to be allowed in the
base policy.

As far as assertions go, please see prior explanations. Policy contains
a set of neverallow rules to catch certain error cases or sensitive
permissions, and to override them you typically have to add a type
attribute to the type to indicate that it is supposed to be privileged
to override the restriction. That is usually done via a suitable
refpolicy interface. You can also disable all assertion checking, but
that isn't recommended.

> So,I commented those lines on localaudit.te including require brace.
> This time I succeeded installing localaudit.pp.
>
> I restarted my machine setting Enforcing/strict.
> During the startup process, I could see Keymap had failed.
> I can't login from console.
> I typed like a US key not jp106, still I can't.
>
> You made strict policy not logging in from console?
> What should I do?

--
Stephen Smalley
National Security Agency
* Re: Can't login in F7 strict
@ 2007-06-05 21:36 Shintaro Fujiwara
From: Shintaro Fujiwara @ 2007-06-05 21:36 UTC
To: selinux; +Cc: sds, cpebenito, dwalsh

I used interfaces, but the error still occurs when I install localaudit.pp.

libsepol.permission_copy_callback: Module localaudit depends on permission nlsms_relay in class netlink_audit_socket, not satisfied
libsemanage.semanage_link_sandbox; Link packages failed
semodule: Failed !

module localaudit 1.0;

require {
	type local_login_t
	....
	class netlink_audio_socket { ......nlsms_relay .....};
	....
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)

Almost, but anyway, I still cannot install my module (a very basic one, I guess...;)
* Re: Can't login in F7 strict
@ 2007-06-05 22:01 Daniel J Walsh
From: Daniel J Walsh @ 2007-06-05 22:01 UTC
To: Shintaro Fujiwara; +Cc: selinux, sds, cpebenito

Shintaro Fujiwara wrote:
> I used interfaces, still error occurs when I install localaudit.pp.
>
> libsepol.permission_copy_callback: Module localaudit depends on
> permission nlsms_relay in class netlink_audit_socket, not satisfied
> libsemanage.semanage_link_sandbox; Link packages failed
> semodule: Failed !
>
> module localaudit 1.0;
>
> require {
> 	type local_login_t
> 	....
> 	class netlink_audio_socket { ......nlsms_relay .....};
netlink_audit_socket not audio.
> 	....
> }
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> Almost, but anyway, still I can not install my module (very basic one
> I guess...;)
* Re: Can't login in F7 strict
@ 2007-06-05 23:30 Shintaro Fujiwara
From: Shintaro Fujiwara @ 2007-06-05 23:30 UTC
To: Daniel J Walsh; +Cc: selinux, sds, cpebenito

Yes, you are right.
I transcribed it while looking at the monitor for a short time in the morning, so I mistyped.
I can't look at it now, but I'm sure I typed it properly, because I could make the module all right.
The problem is, I can't install it...

When you really need interfaces in local modules, why doesn't audit2allow generate interfaces?
It's quite natural that the least permissions are permitted, though.
I tried such a project last year, but Karl is making progress on that, I believe, so isn't it a nice idea that a macro-oriented policy alternates a call-oriented one? Or we can go to SEEdit...?

Officer, System Informations, Signal School, JGSDF
* Re: Can't login in F7 strict
@ 2007-06-06 12:21 Stephen Smalley
From: Stephen Smalley @ 2007-06-06 12:21 UTC
To: Shintaro Fujiwara; +Cc: selinux, cpebenito, dwalsh

On Wed, 2007-06-06 at 06:36 +0900, Shintaro Fujiwara wrote:
> I used interfaces, still error occurs when I install localaudit.pp.
>
> libsepol.permission_copy_callback: Module localaudit depends on
> permission nlsms_relay in class netlink_audit_socket, not satisfied
> libsemanage.semanage_link_sandbox; Link packages failed
> semodule: Failed !
>
> module localaudit 1.0;
>
> require {
> 	type local_login_t
> 	....
> 	class netlink_audio_socket { ......nlsms_relay .....};
> 	....
> }
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> Almost, but anyway, still I can not install my module (very basic one
> I guess...;)

From other discussions on fedora-selinux-list, it seems that there are
some bugs in that policy; try updating to the latest one in
updates-testing.

--
Stephen Smalley
National Security Agency
* Re: Can't login in F7 strict
@ 2007-06-06 21:27 Shintaro Fujiwara
From: Shintaro Fujiwara @ 2007-06-06 21:27 UTC
To: Stephen Smalley; +Cc: selinux, cpebenito, dwalsh

This morning (in Japan) I could yum update the selinux policies to 2.6.4-13.fc7.
During the process:

security:context sysadm_u:sysadm_r:initrc_t:s0 is invalid
libsepol.context_from_record:type unconfined_execmem_ecec_t is not defined
libsepol.context_from_record:could not create context structure
libsepol.context_from_string:could not create context structure
libsepol.sepol_context_to_sid:could not convert system_u:object_r:unconfined_execmem_exec_t:s0 to sid
/etc/selinux/strict/contexts/files/file_contexts: line 597 has invalid context system_u:object_r:unconfined_execmem_exec_t:s0
libsemanage.semanage_install_active:setfiles returned error code 1.
libsepol.sepol_genbools_array:boolean httpd_can_sendmail no longer in policy
security:context sysadm_u:sysadm_r:initrc_t:s0 is invalid
semodule: Failed!

Is this another bug in 2.6.4-13?

Thank you very much for your endeavours.
* Re: Can't login in F7 strict
@ 2007-06-07 10:11 Shintaro Fujiwara
From: Shintaro Fujiwara @ 2007-06-07 10:11 UTC
To: Stephen Smalley; +Cc: selinux, cpebenito, dwalsh

With the latest policy, I could install it and could log in to my machine.

Thanks!

But another problem...

Keymap (jp106) fails...

Is this the only problem for non-English-speaking people, and how should we fix it?
I can use my jp106 keyboard as a US keyboard, but it's inconvenient...

Is there still a bug in the policy or not?
* Re: Can't login in F7 strict
@ 2007-06-11 17:28 Daniel J Walsh
From: Daniel J Walsh @ 2007-06-11 17:28 UTC
To: Shintaro Fujiwara; +Cc: Stephen Smalley, selinux, cpebenito

Shintaro Fujiwara wrote:
> With the latest policy, I could install and could login my machine.
>
> Thanks !
>
> But another problem...
>
> Keymap(jp106) fails...
>
> Is this the only problem for not English speaking people and how
> should we fix it ?
> I can use my jp106 keybord as US keybord but invconvinient...
>
> Is there still bug in policy or not ?
>
Most likely a bug in policy. Please report it and attach your audit.log.
* Re: Can't login in F7 strict
@ 2007-06-11 21:45 Shintaro Fujiwara
From: Shintaro Fujiwara @ 2007-06-11 21:45 UTC
To: Daniel J Walsh; +Cc: sds, selinux, cpebenito

There really aren't any denied messages concerning it...
There really is no problem if I attach my log, all right, but it's no use...
But I copied the .te files I made from both logs (audit.log and messages).
Is there any clue in here?
Or, should I install enableaudit.pp and listen to all the log or not?

##########here's module i made from audit.log##############
module localaudit 1.0;

require {
	type default_t;
	type system_cron_spool_t;
	type local_login_t;
	type system_dbusd_var_run_t;
	type sysadm_su_t;
	type crond_t;
	class capability { setuid setgid };
	class dir { read search };
}

#============= crond_t ==============
allow crond_t system_cron_spool_t:dir read;

#============= local_login_t ==============
allow local_login_t default_t:dir search;
allow local_login_t system_dbusd_var_run_t:dir search;

#============= sysadm_su_t ==============
allow sysadm_su_t default_t:dir search;
allow sysadm_su_t self:capability { setuid setgid };

##########here's module i made from /var/log/messages##############
module localmessages 1.0;

require {
	type default_t;
	type sysctl_net_unix_t;
	type init_t;
	type initrc_t;
	type file_t;
	type restorecon_t;
	type sysctl_vm_t;
	type kernel_t;
	type lvm_control_t;
	type loadkeys_t;
	type proc_kcore_t;
	type sysctl_irq_t;
	type sysctl_net_t;
	type sysctl_hotplug_t;
	type mount_t;
	type nscd_var_run_t;
	type setfiles_t;
	type proc_xen_t;
	type proc_kmsg_t;
	type proc_mdstat_t;
	type sysctl_modprobe_t;
	type sysctl_dev_t;
	type fsadm_t;
	type udev_t;
	type lvm_t;
	type sysctl_kernel_t;
	type proc_net_t;
	type local_login_t;
	type sshd_t;
	class capability { audit_write audit_control };
	class chr_file write;
	class lnk_file getattr;
	class dir { getattr read search };
	class file { read lock getattr unlink };
	class netlink_audit_socket { create ioctl setattr getattr append write nlmsg_relay nlmsg_read read bind connect setopt getopt shutdown };
}

#============= initrc_t ==============
allow initrc_t lvm_control_t:chr_file write;

#============= loadkeys_t ==============
allow loadkeys_t nscd_var_run_t:dir search;

#============= udev_t ==============
allow udev_t default_t:dir search;

#============= fsadm_t ==============
allow fsadm_t file_t:file { read getattr };

#============= init_t ==============
allow init_t file_t:file { read lock getattr };

#============= initrc_t ==============
allow initrc_t file_t:file read;

#============= lvm_t ==============
allow lvm_t file_t:file { read getattr };

#============= mount_t ==============
allow mount_t file_t:file unlink;

#============= restorecon_t ==============
allow restorecon_t file_t:file read;

#============= setfiles_t ==============
allow setfiles_t file_t:file read;
allow setfiles_t init_t:dir { read getattr search };
allow setfiles_t init_t:file getattr;
allow setfiles_t init_t:lnk_file getattr;
allow setfiles_t initrc_t:dir { read getattr search };
allow setfiles_t initrc_t:file getattr;
allow setfiles_t initrc_t:lnk_file getattr;
allow setfiles_t kernel_t:dir { read getattr search };
allow setfiles_t kernel_t:file getattr;
allow setfiles_t kernel_t:lnk_file getattr;
allow setfiles_t proc_kcore_t:file getattr;
allow setfiles_t proc_kmsg_t:file getattr;
allow setfiles_t proc_mdstat_t:file getattr;
allow setfiles_t proc_net_t:dir { read getattr search };
allow setfiles_t proc_net_t:file getattr;
allow setfiles_t proc_xen_t:dir { read getattr search };
allow setfiles_t proc_xen_t:file getattr;
###############edited by me################################
#allow setfiles_t self:capability audit_write;
#allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create read };
###########################################################
allow setfiles_t sysctl_dev_t:dir { read getattr search };
allow setfiles_t sysctl_dev_t:file getattr;
allow setfiles_t sysctl_hotplug_t:file getattr;
allow setfiles_t sysctl_irq_t:dir { read getattr search };
allow setfiles_t sysctl_irq_t:file getattr;
allow setfiles_t sysctl_kernel_t:dir { read getattr search };
allow setfiles_t sysctl_kernel_t:file getattr;
allow setfiles_t sysctl_modprobe_t:file getattr;
allow setfiles_t sysctl_net_t:dir { read getattr search };
allow setfiles_t sysctl_net_t:file getattr;
allow setfiles_t sysctl_net_unix_t:dir { read getattr search };
allow setfiles_t sysctl_net_unix_t:file getattr;
allow setfiles_t sysctl_vm_t:dir { read getattr search };
allow setfiles_t sysctl_vm_t:file getattr;
allow setfiles_t udev_t:dir { read getattr search };
allow setfiles_t udev_t:file getattr;
allow setfiles_t udev_t:lnk_file getattr;

#============= udev_t ==============
allow udev_t file_t:file { read getattr };

###############added by me################################
#============= local_login_t ==============
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)

#============= sshd_t ==============
logging_send_audit_msg(sshd_t)
logging_set_loginuid(sshd_t)
* Re: Can't login in F7 strict
@ 2007-06-12 12:25 Daniel J Walsh
From: Daniel J Walsh @ 2007-06-12 12:25 UTC
To: Shintaro Fujiwara; +Cc: sds, selinux, cpebenito

Shintaro Fujiwara wrote:
> There really aren't any denied messages concerning it ...
> There really are no problem if I attach my log allright, but no use...
> But I copied .te files I made from both logs (audit.log and messages).
> Are there any clue in here ?
> Or,
> Should I install enableaudit.pp and listen to all the log or not ?
>
>
> ##########here's module i made from audit.log##############
> module localaudit 1.0;
>
> require {
> 	type default_t;
> 	type system_cron_spool_t;
> 	type local_login_t;
> 	type system_dbusd_var_run_t;
> 	type sysadm_su_t;
> 	type crond_t;
> 	class capability { setuid setgid };
> 	class dir { read search };
> }
>
> #============= crond_t ==============
> allow crond_t system_cron_spool_t:dir read;
>
> #============= local_login_t ==============
> allow local_login_t default_t:dir search;
default_t is caused by a mislabeled /root.

restorecon -R -v /root

> allow local_login_t system_dbusd_var_run_t:dir search;
>
> #============= sysadm_su_t ==============
> allow sysadm_su_t default_t:dir search;
> allow sysadm_su_t self:capability { setuid setgid };
>
Latest policy should have this.

> ##########here's module i made from /var/log/messages##############
> module localmessages 1.0;
>
> require {
> 	type default_t;
> 	type sysctl_net_unix_t;
> 	type init_t;
> 	type initrc_t;
> 	type file_t;
> 	type restorecon_t;
> 	type sysctl_vm_t;
> 	type kernel_t;
> 	type lvm_control_t;
> 	type loadkeys_t;
> 	type proc_kcore_t;
> 	type sysctl_irq_t;
> 	type sysctl_net_t;
> 	type sysctl_hotplug_t;
> 	type mount_t;
> 	type nscd_var_run_t;
> 	type setfiles_t;
> 	type proc_xen_t;
> 	type proc_kmsg_t;
> 	type proc_mdstat_t;
> 	type sysctl_modprobe_t;
> 	type sysctl_dev_t;
> 	type fsadm_t;
> 	type udev_t;
> 	type lvm_t;
> 	type sysctl_kernel_t;
> 	type proc_net_t;
> 	type local_login_t;
> 	type sshd_t;
> 	class capability { audit_write audit_control };
> 	class chr_file write;
> 	class lnk_file getattr;
> 	class dir { getattr read search };
> 	class file { read lock getattr unlink };
> 	class netlink_audit_socket { create ioctl setattr getattr
> append write nlmsg_relay nlmsg_read create read bind connect setopt
> getopt shutdown };
> }
>
> #============= initrc_t ==============
> allow initrc_t lvm_control_t:chr_file write;
>
What program caused this? Should probably be labeled lvm_exec_t.

> #============= loadkeys_t ==============
> allow loadkeys_t nscd_var_run_t:dir search;
>
> #============= udev_t ==============
> allow udev_t default_t:dir search;
> #============= fsadm_t ==============
> allow fsadm_t file_t:file { read getattr };
These should not exist; file_t means you have unlabeled files on your system.

>
> #============= init_t ==============
> allow init_t file_t:file { read lock getattr };
>
> #============= initrc_t ==============
> allow initrc_t file_t:file read;
>
> #============= lvm_t ==============
> allow lvm_t file_t:file { read getattr };
>
> #============= mount_t ==============
> allow mount_t file_t:file unlink;
>
> #============= restorecon_t ==============
> allow restorecon_t file_t:file read;
>
> #============= setfiles_t ==============
> allow setfiles_t file_t:file read;
> allow setfiles_t init_t:dir { read getattr search };
> allow setfiles_t init_t:file getattr;
> allow setfiles_t init_t:lnk_file getattr;
> allow setfiles_t initrc_t:dir { read getattr search };
> allow setfiles_t initrc_t:file getattr;
> allow setfiles_t initrc_t:lnk_file getattr;
> allow setfiles_t kernel_t:dir { read getattr search };
> allow setfiles_t kernel_t:file getattr;
> allow setfiles_t kernel_t:lnk_file getattr;
> allow setfiles_t proc_kcore_t:file getattr;
> allow setfiles_t proc_kmsg_t:file getattr;
> allow setfiles_t proc_mdstat_t:file getattr;
> allow setfiles_t proc_net_t:dir { read getattr search };
> allow setfiles_t proc_net_t:file getattr;
> allow setfiles_t proc_xen_t:dir { read getattr search };
> allow setfiles_t proc_xen_t:file getattr;
Should all be dontaudit; this is caused by running restorecon or setfiles on /proc.

> ###############edited by me################################
> #allow setfiles_t self:capability audit_write;
> #allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create
> read };
> ###########################################################
> allow setfiles_t sysctl_dev_t:dir { read getattr search };
> allow setfiles_t sysctl_dev_t:file getattr;
> allow setfiles_t sysctl_hotplug_t:file getattr;
> allow setfiles_t sysctl_irq_t:dir { read getattr search };
> allow setfiles_t sysctl_irq_t:file getattr;
> allow setfiles_t sysctl_kernel_t:dir { read getattr search };
> allow setfiles_t sysctl_kernel_t:file getattr;
> allow setfiles_t sysctl_modprobe_t:file getattr;
> allow setfiles_t sysctl_net_t:dir { read getattr search };
> allow setfiles_t sysctl_net_t:file getattr;
> allow setfiles_t sysctl_net_unix_t:dir { read getattr search };
> allow setfiles_t sysctl_net_unix_t:file getattr;
> allow setfiles_t sysctl_vm_t:dir { read getattr search };
> allow setfiles_t sysctl_vm_t:file getattr;
> allow setfiles_t udev_t:dir { read getattr search };
> allow setfiles_t udev_t:file getattr;
> allow setfiles_t udev_t:lnk_file getattr;
>
> #============= udev_t ==============
> allow udev_t file_t:file { read getattr };
>
> ###############added by me################################
>
> #============= local_login_t ==============
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
Latest policy should have these.

>
> #============= sshd_t ==============
> logging_send_audit_msg(sshd_t)
> logging_set_loginuid(sshd_t)
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
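The reply above makes three distinct calls on the audit2allow output: rules whose target is file_t or default_t are a labeling problem to be fixed with restorecon rather than allowed; read-only rules from setfiles_t against /proc and sysctl types are noise from relabeling /proc and belong in dontaudit; and the rest need a human look. The script below is an added example by the editor (not code from the list posters or from the selinux-policy project) that applies exactly that triage to a generated .te module and emits a rewritten one. The type lists it uses (LABELING_TYPES, PROC_WALKERS, PROCESS_DOMAINS) are this example's assumptions about which types mean what, and the SAMPLE_TE module is a constructed subset of the rules quoted above.

```python
"""Triage audit2allow output the way the reply above does.

Editor's added example, not the list posters' code. Sorts every 'allow'
rule of a generated .te module into three buckets:
  relabel   - target type means a labeling problem (file_t, default_t)
  dontaudit - setfiles/restorecon walking /proc; silence, don't allow
  review    - everything else, to be checked by hand
and emits a rewritten module. The type lists are assumptions; check them
against the policy you actually run.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: a subset of the rules quoted in the reply above.
SAMPLE_TE = """\
module localmessages 1.0;

require {
    type default_t;
    type file_t;
    type local_login_t;
    type setfiles_t;
    type proc_net_t;
    type sysctl_kernel_t;
    type udev_t;
    type crond_t;
    type system_cron_spool_t;
    class dir { getattr read search };
    class file { read getattr };
}

allow local_login_t default_t:dir search;
allow udev_t file_t:file { read getattr };
allow setfiles_t proc_net_t:dir { read getattr search };
allow setfiles_t sysctl_kernel_t:file getattr;
allow crond_t system_cron_spool_t:dir read;
"""


class Rule(NamedTuple):
    source: str
    target: str
    cls: str
    perms: frozenset


# 'allow src tgt:cls perm;' or 'allow src tgt:cls { p1 p2 };' (self is a valid tgt)
ALLOW_RE = re.compile(
    r"^(?P<indent>\s*)allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>\w+))\s*;\s*$"
)

# Assumption: target types that mean "fix the labels", never "add policy".
LABELING_TYPES = {
    "file_t": "unlabeled object, relabel (fixfiles relabel / restorecon -R)",
    "default_t": "no file_contexts match, e.g. a mislabeled /root, restorecon -R -v <path>",
}
# Assumption: domains whose walk of /proc yields harmless read-only denials,
# and what that walk hits: /proc/<pid> carries the process domain, /proc/sys
# carries sysctl_*_t, the rest of /proc carries proc_*_t.
PROC_WALKERS = {"setfiles_t", "restorecon_t"}
PROC_PREFIXES = ("proc_", "sysctl_")
PROCESS_DOMAINS = {"init_t", "initrc_t", "kernel_t", "udev_t"}
READ_ONLY = frozenset({"read", "getattr", "search"})


def parse_allow_rules(te_text: str) -> List[Rule]:
    """Return every allow rule in the module, in file order."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            perms = (m.group("set") or m.group("one")).split()
            rules.append(Rule(m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def classify(rule: Rule) -> str:
    if rule.target in LABELING_TYPES:
        return "relabel"
    if (rule.source in PROC_WALKERS and rule.perms <= READ_ONLY
            and (rule.target.startswith(PROC_PREFIXES) or rule.target in PROCESS_DOMAINS)):
        return "dontaudit"
    return "review"


def triage(te_text: str) -> Dict[str, List[str]]:
    """Bucket name -> ['src tgt:cls', ...] for each allow rule."""
    buckets: Dict[str, List[str]] = {"relabel": [], "dontaudit": [], "review": []}
    for rule in parse_allow_rules(te_text):
        buckets[classify(rule)].append(f"{rule.source} {rule.target}:{rule.cls}")
    return buckets


def rewrite_module(te_text: str) -> str:
    """Comment out labeling-problem rules, turn /proc-walk rules into dontaudit, keep the rest."""
    out = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            out.append(line)
            continue
        rule = parse_allow_rules(line)[0]
        verdict = classify(rule)
        if verdict == "relabel":
            out.append(f"# dropped ({LABELING_TYPES[rule.target]}): {line.strip()}")
        elif verdict == "dontaudit":
            out.append(m.group("indent") + "dontaudit" + line[m.end("indent") + len("allow"):])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE_TE).items():
        print(f"{bucket}: {rules}")
    print(rewrite_module(SAMPLE_TE))
```

Run it against a real module with `python3 triage_te.py` after pasting the audit2allow output into SAMPLE_TE, or feed the file through `triage()`; the "review" bucket is the only one that should ever become an `allow` line in the installed module, and the "relabel" bucket is a to-do list of paths to run restorecon on, not policy.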
* Re: Can't login in F7 strict
  2007-06-12 12:25 ` Daniel J Walsh
@ 2007-06-12 20:16 ` Shintaro Fujiwara
  2007-06-13 10:58 ` Shintaro Fujiwara
  0 siblings, 1 reply; 13+ messages in thread
From: Shintaro Fujiwara @ 2007-06-12 20:16 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: sds, selinux, cpebenito
Thank you very much for your kind advice.

I will relabel my system and regenerate my own policy
with the latest selinux-policy properly.
Especially I will check something that should not be allowed from initrc_t...
And delete the setfiles lines (I restoreconed my home directory for the
use of stuff_u).

Thanks !

##################################################

Officer, System-Informations, Signal School, JGSDF

###################################################

2007/6/12, Daniel J Walsh <dwalsh@redhat.com>:
> Shintaro Fujiwara wrote:
> > There really aren't any denied messages concerning it ...
> > There really is no problem if I attach my log all right, but no use...
> > But I copied .te files I made from both logs (audit.log and messages).
> > Is there any clue in here ?
> > Or,
> > Should I install enableaudit.pp and listen to all the log or not ?
> >
> >
> > ##########here's module i made from audit.log##############
> > module localaudit 1.0;
> >
> > require {
> > type default_t;
> > type system_cron_spool_t;
> > type local_login_t;
> > type system_dbusd_var_run_t;
> > type sysadm_su_t;
> > type crond_t;
> > class capability { setuid setgid };
> > class dir { read search };
> > }
> >
> > #============= crond_t ==============
> > allow crond_t system_cron_spool_t:dir read;
> >
> > #============= local_login_t ==============
> > allow local_login_t default_t:dir search;
> default_t is caused by a mislabeled /root.
> restorecon -R -v /root
> > allow local_login_t system_dbusd_var_run_t:dir search;
> >
> > #============= sysadm_su_t ==============
> > allow sysadm_su_t default_t:dir search;
> > allow sysadm_su_t self:capability { setuid setgid };
> >
> Latest policy should have this.
> >
> > ##########here's module i made from /var/log/messages##############
> > module localmessages 1.0;
> >
> > require {
> > type default_t;
> > type sysctl_net_unix_t;
> > type init_t;
> > type initrc_t;
> > type file_t;
> > type restorecon_t;
> > type sysctl_vm_t;
> > type kernel_t;
> > type lvm_control_t;
> > type loadkeys_t;
> > type proc_kcore_t;
> > type sysctl_irq_t;
> > type sysctl_net_t;
> > type sysctl_hotplug_t;
> > type mount_t;
> > type nscd_var_run_t;
> > type setfiles_t;
> > type proc_xen_t;
> > type proc_kmsg_t;
> > type proc_mdstat_t;
> > type sysctl_modprobe_t;
> > type sysctl_dev_t;
> > type fsadm_t;
> > type udev_t;
> > type lvm_t;
> > type sysctl_kernel_t;
> > type proc_net_t;
> > type local_login_t;
> > type sshd_t;
> > class capability { audit_write audit_control };
> > class chr_file write;
> > class lnk_file getattr;
> > class dir { getattr read search };
> > class file { read lock getattr unlink };
> > class netlink_audit_socket { create ioctl setattr getattr
> > append write nlmsg_relay nlmsg_read create read bind connect setopt
> > getopt shutdown };
> > }
> >
> > #============= initrc_t ==============
> > allow initrc_t lvm_control_t:chr_file write;
> >
> What program caused this?
> Should probably be labeled lvm_exec_t
> > #============= loadkeys_t ==============
> > allow loadkeys_t nscd_var_run_t:dir search;
> >
> > #============= udev_t ==============
> > allow udev_t default_t:dir search;
> > #============= fsadm_t ==============
> > allow fsadm_t file_t:file { read getattr };
> These should not exist; file_t means you have unlabeled files on your system.
> >
> > #============= init_t ==============
> > allow init_t file_t:file { read lock getattr };
> >
> > #============= initrc_t ==============
> > allow initrc_t file_t:file read;
> >
> > #============= lvm_t ==============
> > allow lvm_t file_t:file { read getattr };
> >
> > #============= mount_t ==============
> > allow mount_t file_t:file unlink;
> >
> > #============= restorecon_t ==============
> > allow restorecon_t file_t:file read;
> >
> > #============= setfiles_t ==============
> > allow setfiles_t file_t:file read;
> > allow setfiles_t init_t:dir { read getattr search };
> > allow setfiles_t init_t:file getattr;
> > allow setfiles_t init_t:lnk_file getattr;
> > allow setfiles_t initrc_t:dir { read getattr search };
> > allow setfiles_t initrc_t:file getattr;
> > allow setfiles_t initrc_t:lnk_file getattr;
> > allow setfiles_t kernel_t:dir { read getattr search };
> > allow setfiles_t kernel_t:file getattr;
> > allow setfiles_t kernel_t:lnk_file getattr;
> > allow setfiles_t proc_kcore_t:file getattr;
> > allow setfiles_t proc_kmsg_t:file getattr;
> > allow setfiles_t proc_mdstat_t:file getattr;
> > allow setfiles_t proc_net_t:dir { read getattr search };
> > allow setfiles_t proc_net_t:file getattr;
> > allow setfiles_t proc_xen_t:dir { read getattr search };
> > allow setfiles_t proc_xen_t:file getattr;
> Should all be dontaudit, this is caused by running restorecon or
> setfiles on /proc
> > ###############edited by me################################
> > #allow setfiles_t self:capability audit_write;
> > #allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create
> > read };
> > ###########################################################
> > allow setfiles_t sysctl_dev_t:dir { read getattr search };
> > allow setfiles_t sysctl_dev_t:file getattr;
> > allow setfiles_t sysctl_hotplug_t:file getattr;
> > allow setfiles_t sysctl_irq_t:dir { read getattr search };
> > allow setfiles_t sysctl_irq_t:file getattr;
> > allow setfiles_t sysctl_kernel_t:dir { read getattr search };
> > allow setfiles_t sysctl_kernel_t:file getattr;
> > allow setfiles_t sysctl_modprobe_t:file getattr;
> > allow setfiles_t sysctl_net_t:dir { read getattr search };
> > allow setfiles_t sysctl_net_t:file getattr;
> > allow setfiles_t sysctl_net_unix_t:dir { read getattr search };
> > allow setfiles_t sysctl_net_unix_t:file getattr;
> > allow setfiles_t sysctl_vm_t:dir { read getattr search };
> > allow setfiles_t sysctl_vm_t:file getattr;
> > allow setfiles_t udev_t:dir { read getattr search };
> > allow setfiles_t udev_t:file getattr;
> > allow setfiles_t udev_t:lnk_file getattr;
> >
> > #============= udev_t ==============
> > allow udev_t file_t:file { read getattr };
> >
> > ###############added by me################################
> >
> > #============= local_login_t ==============
> > logging_send_audit_msg(local_login_t)
> > logging_set_loginuid(local_login_t)
> Latest policy should have these
> >
> > #============= sshd_t ==============
> > logging_send_audit_msg(sshd_t)
> > logging_set_loginuid(sshd_t)
> >
> >
> > 2007/6/12, Daniel J Walsh <dwalsh@redhat.com>:
> >> Shintaro Fujiwara wrote:
> >> > With the latest policy, I could install and could log in to my machine.
> >> >
> >> > Thanks !
> >> >
> >> > But another problem...
> >> >
> >> > Keymap(jp106) fails...
> >> >
> >> > Is this the only problem for not English speaking people and how
> >> > should we fix it ?
> >> > I can use my jp106 keyboard as a US keyboard but it is inconvenient...
> >> >
> >> > Is there still a bug in policy or not ?
> >> >
> >> Most likely a bug in policy, Please report it and attach your audit.log
> >>
* Re: Can't login in F7 strict
  2007-06-12 20:16 ` Shintaro Fujiwara
@ 2007-06-13 10:58 ` Shintaro Fujiwara
  0 siblings, 0 replies; 13+ messages in thread
From: Shintaro Fujiwara @ 2007-06-13 10:58 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: sds, selinux, cpebenito
not stuff_u but staff_u ...;)
I misspelled, again...;)

I relabeled my system and lessened the problem.
I will work on it.

Thanks.

2007/6/13, Shintaro Fujiwara <shintaro.fujiwara@gmail.com>:
> Thank you very much for your kind advice.
>
> I will relabel my system and regenerate my own policy
> with the latest selinux-policy properly.
> Especially I will check something that should not be allowed from initrc_t...
> And delete the setfiles lines (I restoreconed my home directory for the
> use of stuff_u).
>
> Thanks !
>
> ##################################################
>
> Officer, System-Informations, Signal School, JGSDF
>
> ###################################################
>
>
> 2007/6/12, Daniel J Walsh <dwalsh@redhat.com>:
> > Shintaro Fujiwara wrote:
> > > There really aren't any denied messages concerning it ...
> > > There really is no problem if I attach my log all right, but no use...
> > > But I copied .te files I made from both logs (audit.log and messages).
> > > Is there any clue in here ?
> > > Or,
> > > Should I install enableaudit.pp and listen to all the log or not ?
> > >
> > >
> > > ##########here's module i made from audit.log##############
> > > module localaudit 1.0;
> > >
> > > require {
> > > type default_t;
> > > type system_cron_spool_t;
> > > type local_login_t;
> > > type system_dbusd_var_run_t;
> > > type sysadm_su_t;
> > > type crond_t;
> > > class capability { setuid setgid };
> > > class dir { read search };
> > > }
> > >
> > > #============= crond_t ==============
> > > allow crond_t system_cron_spool_t:dir read;
> > >
> > > #============= local_login_t ==============
> > > allow local_login_t default_t:dir search;
> > default_t is caused by a mislabeled /root.
> > restorecon -R -v /root
> > > allow local_login_t system_dbusd_var_run_t:dir search;
> > >
> > > #============= sysadm_su_t ==============
> > > allow sysadm_su_t default_t:dir search;
> > > allow sysadm_su_t self:capability { setuid setgid };
> > >
> > Latest policy should have this.
> > >
> > > ##########here's module i made from /var/log/messages##############
> > > module localmessages 1.0;
> > >
> > > require {
> > > type default_t;
> > > type sysctl_net_unix_t;
> > > type init_t;
> > > type initrc_t;
> > > type file_t;
> > > type restorecon_t;
> > > type sysctl_vm_t;
> > > type kernel_t;
> > > type lvm_control_t;
> > > type loadkeys_t;
> > > type proc_kcore_t;
> > > type sysctl_irq_t;
> > > type sysctl_net_t;
> > > type sysctl_hotplug_t;
> > > type mount_t;
> > > type nscd_var_run_t;
> > > type setfiles_t;
> > > type proc_xen_t;
> > > type proc_kmsg_t;
> > > type proc_mdstat_t;
> > > type sysctl_modprobe_t;
> > > type sysctl_dev_t;
> > > type fsadm_t;
> > > type udev_t;
> > > type lvm_t;
> > > type sysctl_kernel_t;
> > > type proc_net_t;
> > > type local_login_t;
> > > type sshd_t;
> > > class capability { audit_write audit_control };
> > > class chr_file write;
> > > class lnk_file getattr;
> > > class dir { getattr read search };
> > > class file { read lock getattr unlink };
> > > class netlink_audit_socket { create ioctl setattr getattr
> > > append write nlmsg_relay nlmsg_read create read bind connect setopt
> > > getopt shutdown };
> > > }
> > >
> > > #============= initrc_t ==============
> > > allow initrc_t lvm_control_t:chr_file write;
> > >
> > What program caused this?
> > Should probably be labeled lvm_exec_t
> > > #============= loadkeys_t ==============
> > > allow loadkeys_t nscd_var_run_t:dir search;
> > >
> > > #============= udev_t ==============
> > > allow udev_t default_t:dir search;
> > > #============= fsadm_t ==============
> > > allow fsadm_t file_t:file { read getattr };
> > These should not exist; file_t means you have unlabeled files on your system.
> > >
> > > #============= init_t ==============
> > > allow init_t file_t:file { read lock getattr };
> > >
> > > #============= initrc_t ==============
> > > allow initrc_t file_t:file read;
> > >
> > > #============= lvm_t ==============
> > > allow lvm_t file_t:file { read getattr };
> > >
> > > #============= mount_t ==============
> > > allow mount_t file_t:file unlink;
> > >
> > > #============= restorecon_t ==============
> > > allow restorecon_t file_t:file read;
> > >
> > > #============= setfiles_t ==============
> > > allow setfiles_t file_t:file read;
> > > allow setfiles_t init_t:dir { read getattr search };
> > > allow setfiles_t init_t:file getattr;
> > > allow setfiles_t init_t:lnk_file getattr;
> > > allow setfiles_t initrc_t:dir { read getattr search };
> > > allow setfiles_t initrc_t:file getattr;
> > > allow setfiles_t initrc_t:lnk_file getattr;
> > > allow setfiles_t kernel_t:dir { read getattr search };
> > > allow setfiles_t kernel_t:file getattr;
> > > allow setfiles_t kernel_t:lnk_file getattr;
> > > allow setfiles_t proc_kcore_t:file getattr;
> > > allow setfiles_t proc_kmsg_t:file getattr;
> > > allow setfiles_t proc_mdstat_t:file getattr;
> > > allow setfiles_t proc_net_t:dir { read getattr search };
> > > allow setfiles_t proc_net_t:file getattr;
> > > allow setfiles_t proc_xen_t:dir { read getattr search };
> > > allow setfiles_t proc_xen_t:file getattr;
> > Should all be dontaudit, this is caused by running restorecon or
> > setfiles on /proc
> > > ###############edited by me################################
> > > #allow setfiles_t self:capability audit_write;
> > > #allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create
> > > read };
> > > ###########################################################
> > > allow setfiles_t sysctl_dev_t:dir { read getattr search };
> > > allow setfiles_t sysctl_dev_t:file getattr;
> > > allow setfiles_t sysctl_hotplug_t:file getattr;
> > > allow setfiles_t sysctl_irq_t:dir { read getattr search };
> > > allow setfiles_t sysctl_irq_t:file getattr;
> > > allow setfiles_t sysctl_kernel_t:dir { read getattr search };
> > > allow setfiles_t sysctl_kernel_t:file getattr;
> > > allow setfiles_t sysctl_modprobe_t:file getattr;
> > > allow setfiles_t sysctl_net_t:dir { read getattr search };
> > > allow setfiles_t sysctl_net_t:file getattr;
> > > allow setfiles_t sysctl_net_unix_t:dir { read getattr search };
> > > allow setfiles_t sysctl_net_unix_t:file getattr;
> > > allow setfiles_t sysctl_vm_t:dir { read getattr search };
> > > allow setfiles_t sysctl_vm_t:file getattr;
> > > allow setfiles_t udev_t:dir { read getattr search };
> > > allow setfiles_t udev_t:file getattr;
> > > allow setfiles_t udev_t:lnk_file getattr;
> > >
> > > #============= udev_t ==============
> > > allow udev_t file_t:file { read getattr };
> > >
> > > ###############added by me################################
> > >
> > > #============= local_login_t ==============
> > > logging_send_audit_msg(local_login_t)
> > > logging_set_loginuid(local_login_t)
> > Latest policy should have these
> > >
> > > #============= sshd_t ==============
> > > logging_send_audit_msg(sshd_t)
> > > logging_set_loginuid(sshd_t)
> > >
> > >
> > > 2007/6/12, Daniel J Walsh <dwalsh@redhat.com>:
> > >> Shintaro Fujiwara wrote:
> > >> > With the latest policy, I could install and could log in to my machine.
> > >> >
> > >> > Thanks !
> > >> >
> > >> > But another problem...
> > >> >
> > >> > Keymap(jp106) fails...
> > >> >
> > >> > Is this the only problem for not English speaking people and how
> > >> > should we fix it ?
> > >> > I can use my jp106 keyboard as a US keyboard but it is inconvenient...
> > >> >
> > >> > Is there still a bug in policy or not ?
> > >> >
> > >> Most likely a bug in policy, Please report it and attach your audit.log
> > >>
> >
end of thread, other threads: [~2007-06-13 10:58 UTC | newest]
Thread overview: 13+ messages
2007-06-03  1:20 Can't login in F7 strict Shintaro Fujiwara
2007-06-05 12:48 ` Stephen Smalley
2007-06-05 21:36 ` Shintaro Fujiwara
2007-06-05 22:01 ` Daniel J Walsh
2007-06-05 23:30 ` Shintaro Fujiwara
2007-06-06 12:21 ` Stephen Smalley
2007-06-06 21:27 ` Shintaro Fujiwara
2007-06-07 10:11 ` Shintaro Fujiwara
2007-06-11 17:28 ` Daniel J Walsh
2007-06-11 21:45 ` Shintaro Fujiwara
2007-06-12 12:25 ` Daniel J Walsh
2007-06-12 20:16 ` Shintaro Fujiwara
2007-06-13 10:58 ` Shintaro Fujiwara