* Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-03 1:20 UTC (permalink / raw)
To: selinux
Hello.
I'm trying to work on the F7 strict policy.
My server is now FC6, so I'm trying to change it to 7.
I yum installed every selinux-related package.
I made localaudit.pp by typing
#audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te
at /usr/share/selinux/devel
#semodule -i localaudit.pp
violation reported by libsepol.chek_assertions
local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
local_login_t local_login_t:capability { audit_write };
local_login_t local_login_t:capability { audit_control };
So, I commented out those lines in localaudit.te, including the require brace.
This time I succeeded in installing localaudit.pp.
I restarted my machine, setting Enforcing/strict.
During the startup process, I could see Keymap had failed.
I can't log in from the console.
I typed as on a US keyboard, not jp106, and still I can't.
Did you make the strict policy not allow logging in from the console?
What should I do?
homepage http://intrajp.no-ip.com/
SELinux Forum JP http://intrajp.no-ip.com/xoops
SELinux Wiki JP http://intrajp.no-ip.com/pukiwiki
my blog JP http://intrajp.no-ip.com/nucleus
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Can't login in F7 strict
From: Stephen Smalley @ 2007-06-05 12:48 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: selinux, Christopher J. PeBenito, Daniel J Walsh
On Sun, 2007-06-03 at 10:20 +0900, Shintaro Fujiwara wrote:
> Hello.
>
> I'm trying to work on the F7 strict policy.
> My server is now FC6, so I'm trying to change it to 7.
>
> I yum installed every selinux-related package.
> I made localaudit.pp by typing
> #audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te
> at /usr/share/selinux/devel
> #semodule -i localaudit.pp
> violation reported by libsepol.chek_assertions
>
> local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
> local_login_t local_login_t:capability { audit_write };
> local_login_t local_login_t:capability { audit_control };
These permissions should be allowed in the base policy, so this seems
like a bug in your specific policy. They appear to be allowed in the
base policy.
As far as assertions go, please see prior explanations. Policy contains
a set of neverallow rules to catch certain error cases or sensitive
permissions, and to override them you typically have to add a type
attribute to the type to indicate that it is supposed to be privileged
to override the restriction. That is usually done via a suitable
refpolicy interface.
You can also disable all assertion checking, but that isn't recommended.
--
Stephen Smalley
National Security Agency
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-05 21:36 UTC (permalink / raw)
To: selinux; +Cc: sds, cpebenito, dwalsh
I used interfaces, but the error still occurs when I install localaudit.pp.
libsepol.permission_copy_callback: Module localaudit depends on
permission nlsms_relay in class netlink_audit_socket, not satisfied
libsemanage.semanage_link_sandbox; Link packages failed
semodule: Failed !
module localaudit 1.0;
require {
type local_login_t
....
class netlink_audio_socket { ......nlsms_relay .....};
....
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
Almost, but anyway, I still cannot install my module (a very basic one,
I guess... ;)
* Re: Can't login in F7 strict
From: Daniel J Walsh @ 2007-06-05 22:01 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: selinux, sds, cpebenito
Shintaro Fujiwara wrote:
> I used interfaces, but the error still occurs when I install localaudit.pp.
>
> libsepol.permission_copy_callback: Module localaudit depends on
> permission nlsms_relay in class netlink_audit_socket, not satisfied
> libsemanage.semanage_link_sandbox; Link packages failed
> semodule: Failed !
>
> module localaudit 1.0;
>
> require {
> type local_login_t
> ....
> class netlink_audio_socket { ......nlsms_relay .....};
netlink_audit_socket not audio.
> ....
> }
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> Almost, but anyway, I still cannot install my module (a very basic one,
> I guess... ;)
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-05 23:30 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux, sds, cpebenito
Yes, you are right.
I transcribed it looking at the monitor in a short time in the morning, so I mistyped.
I can't look at it now, but I'm sure I typed it properly.
Because I could make the module all right.
The problem is, I can't install it...
When you really need interfaces in local modules, why doesn't audit2allow
generate interfaces?
It's quite natural that the least permissions are permitted, though.
I tried such a project last year, but Karl is making progress on that, I
believe, so isn't it a nice idea for macro-oriented policy to take the place
of call-oriented policy?
Or can we go to SEEdit...?
Officer, System Information, Signal School, JGSDF
* Re: Can't login in F7 strict
From: Stephen Smalley @ 2007-06-06 12:21 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: selinux, cpebenito, dwalsh
On Wed, 2007-06-06 at 06:36 +0900, Shintaro Fujiwara wrote:
> I used interfaces, but the error still occurs when I install localaudit.pp.
>
> libsepol.permission_copy_callback: Module localaudit depends on
> permission nlsms_relay in class netlink_audit_socket, not satisfied
> libsemanage.semanage_link_sandbox; Link packages failed
> semodule: Failed !
>
> module localaudit 1.0;
>
> require {
> type local_login_t
> ....
> class netlink_audio_socket { ......nlsms_relay .....};
> ....
> }
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> Almost, but anyway, I still cannot install my module (a very basic one,
> I guess... ;)
From other discussions on fedora-selinux-list, it seems that there are
some bugs in that policy; try updating to the latest one in
updates-testing.
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-06 21:27 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, cpebenito, dwalsh
This morning (in Japan) I could yum update the selinux policies to 2.6.4-13.fc7.
During the process,
security:context sysadm_u:sysadm_r:initrc_t:s0 is invalid
libsepol.context_from_record:type unconfined_execmem_ecec_t is not defined
libsepol.context_from_record:could not create context structure
libsepol.context_from_string:could not create context structure
libsepol.sepol_context_to_sid:could not convert
system_u:object_r:unconfined_execmem_exec_t:s0 to sid
/etc/selinux/strict/contexts/files/file_contexts: line 597 has invalid
context system_u:object_r:unconfined_execmem_exec_t:s0
libsemanage.semanage_install_active:setfiles returned error code 1.
libsepol.sepol_genbools_array:boolean httpd_can_sendmail no longer in policy
security:context sysadm_u:sysadm_r:initrc_t:s0 is invalid
semodule: Failed!
Is this another bug in 2.6.4-13?
Thank you very much for your endeavours.
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-07 10:11 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, cpebenito, dwalsh
With the latest policy, I could install it and could log in to my machine.
Thanks!
But another problem...
Keymap(jp106) fails...
Is this the only problem for non-English-speaking people, and how
should we fix it?
I can use my jp106 keyboard as a US keyboard, but it is inconvenient...
Is there still a bug in the policy or not?
* Re: Can't login in F7 strict
From: Daniel J Walsh @ 2007-06-11 17:28 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: Stephen Smalley, selinux, cpebenito
Shintaro Fujiwara wrote:
> With the latest policy, I could install it and could log in to my machine.
>
> Thanks!
>
> But another problem...
>
> Keymap(jp106) fails...
>
> Is this the only problem for non-English-speaking people, and how
> should we fix it?
> I can use my jp106 keyboard as a US keyboard, but it is inconvenient...
>
> Is there still a bug in the policy or not?
>
Most likely a bug in policy. Please report it and attach your audit.log.
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-11 21:45 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: sds, selinux, cpebenito
There really aren't any denied messages concerning it...
There really is no problem if I attach my log, all right, but it's no use...
But I copied the .te files I made from both logs (audit.log and messages).
Is there any clue in here?
Or should I install enableaudit.pp and listen to all the log or not?
##########here's module i made from audit.log##############
module localaudit 1.0;
require {
type default_t;
type system_cron_spool_t;
type local_login_t;
type system_dbusd_var_run_t;
type sysadm_su_t;
type crond_t;
class capability { setuid setgid };
class dir { read search };
}
#============= crond_t ==============
allow crond_t system_cron_spool_t:dir read;
#============= local_login_t ==============
allow local_login_t default_t:dir search;
allow local_login_t system_dbusd_var_run_t:dir search;
#============= sysadm_su_t ==============
allow sysadm_su_t default_t:dir search;
allow sysadm_su_t self:capability { setuid setgid };
##########here's module i made from /var/log/messages##############
module localmessages 1.0;
require {
type default_t;
type sysctl_net_unix_t;
type init_t;
type initrc_t;
type file_t;
type restorecon_t;
type sysctl_vm_t;
type kernel_t;
type lvm_control_t;
type loadkeys_t;
type proc_kcore_t;
type sysctl_irq_t;
type sysctl_net_t;
type sysctl_hotplug_t;
type mount_t;
type nscd_var_run_t;
type setfiles_t;
type proc_xen_t;
type proc_kmsg_t;
type proc_mdstat_t;
type sysctl_modprobe_t;
type sysctl_dev_t;
type fsadm_t;
type udev_t;
type lvm_t;
type sysctl_kernel_t;
type proc_net_t;
type local_login_t;
type sshd_t;
class capability { audit_write audit_control };
class chr_file write;
class lnk_file getattr;
class dir { getattr read search };
class file { read lock getattr unlink };
class netlink_audit_socket { create ioctl setattr getattr
append write nlmsg_relay nlmsg_read create read bind connect setopt
getopt shutdown };
}
#============= initrc_t ==============
allow initrc_t lvm_control_t:chr_file write;
#============= loadkeys_t ==============
allow loadkeys_t nscd_var_run_t:dir search;
#============= udev_t ==============
allow udev_t default_t:dir search;
#============= fsadm_t ==============
allow fsadm_t file_t:file { read getattr };
#============= init_t ==============
allow init_t file_t:file { read lock getattr };
#============= initrc_t ==============
allow initrc_t file_t:file read;
#============= lvm_t ==============
allow lvm_t file_t:file { read getattr };
#============= mount_t ==============
allow mount_t file_t:file unlink;
#============= restorecon_t ==============
allow restorecon_t file_t:file read;
#============= setfiles_t ==============
allow setfiles_t file_t:file read;
allow setfiles_t init_t:dir { read getattr search };
allow setfiles_t init_t:file getattr;
allow setfiles_t init_t:lnk_file getattr;
allow setfiles_t initrc_t:dir { read getattr search };
allow setfiles_t initrc_t:file getattr;
allow setfiles_t initrc_t:lnk_file getattr;
allow setfiles_t kernel_t:dir { read getattr search };
allow setfiles_t kernel_t:file getattr;
allow setfiles_t kernel_t:lnk_file getattr;
allow setfiles_t proc_kcore_t:file getattr;
allow setfiles_t proc_kmsg_t:file getattr;
allow setfiles_t proc_mdstat_t:file getattr;
allow setfiles_t proc_net_t:dir { read getattr search };
allow setfiles_t proc_net_t:file getattr;
allow setfiles_t proc_xen_t:dir { read getattr search };
allow setfiles_t proc_xen_t:file getattr;
###############edited by me################################
#allow setfiles_t self:capability audit_write;
#allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create read };
###########################################################
allow setfiles_t sysctl_dev_t:dir { read getattr search };
allow setfiles_t sysctl_dev_t:file getattr;
allow setfiles_t sysctl_hotplug_t:file getattr;
allow setfiles_t sysctl_irq_t:dir { read getattr search };
allow setfiles_t sysctl_irq_t:file getattr;
allow setfiles_t sysctl_kernel_t:dir { read getattr search };
allow setfiles_t sysctl_kernel_t:file getattr;
allow setfiles_t sysctl_modprobe_t:file getattr;
allow setfiles_t sysctl_net_t:dir { read getattr search };
allow setfiles_t sysctl_net_t:file getattr;
allow setfiles_t sysctl_net_unix_t:dir { read getattr search };
allow setfiles_t sysctl_net_unix_t:file getattr;
allow setfiles_t sysctl_vm_t:dir { read getattr search };
allow setfiles_t sysctl_vm_t:file getattr;
allow setfiles_t udev_t:dir { read getattr search };
allow setfiles_t udev_t:file getattr;
allow setfiles_t udev_t:lnk_file getattr;
#============= udev_t ==============
allow udev_t file_t:file { read getattr };
###############added by me################################
#============= local_login_t ==============
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#============= sshd_t ==============
logging_send_audit_msg(sshd_t)
logging_set_loginuid(sshd_t)
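The localaudit module above is what audit2allow produces from AVC denials, and the reply that follows points out that rules targeting default_t (and file_t) come from mislabeled files and should be fixed with restorecon rather than with an allow rule. The following is an added example, not code from the thread or from the SELinux tools: a small audit2allow-style generator that parses AVC records, merges permissions per source/target/class pair, emits a .te module in the same layout, and separately lists the denials that indicate mislabeling. The audit records are constructed samples in audit.log format; the type names are the ones the thread's module lists, but the events themselves are made up.

```python
# Added example (not code from the thread or from audit2allow): group SELinux
# AVC denials into allow rules the way audit2allow does, and flag denials whose
# target type is file_t or default_t, which indicate mislabeled files that should
# be fixed with restorecon, not with policy.
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not from the thread's logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181000000.123:45): avc:  denied  { search } for  pid=2311 comm="login" name="root" dev=dm-0 ino=12 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1181000001.456:46): avc:  denied  { read } for  pid=1874 comm="crond" name="cron" dev=dm-0 ino=99 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir
type=AVC msg=audit(1181000002.789:47): avc:  denied  { setuid } for  pid=2400 comm="su" capability=7 scontext=user_u:sysadm_r:sysadm_su_t:s0 tcontext=user_u:sysadm_r:sysadm_su_t:s0 tclass=capability
type=AVC msg=audit(1181000002.790:48): avc:  denied  { setgid } for  pid=2400 comm="su" capability=6 scontext=user_u:sysadm_r:sysadm_su_t:s0 tcontext=user_u:sysadm_r:sysadm_su_t:s0 tclass=capability
type=AVC msg=audit(1181000003.000:49): avc:  denied  { search } for  pid=2311 comm="login" name="dbus" dev=dm-0 ino=13 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1181000003.000:49): arch=40000003 syscall=5 success=no exit=-13 comm="login"
"""

# Matches the permission set and the three fields an allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Target types that mean "unlabeled or default-labeled file", per the thread.
MISLABEL_TYPES = {"file_t", "default_t"}


def context_type(ctx):
    """user:role:type[:level] -> the type component."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return [(source_type, target_type, tclass, {perms})] for AVC denial records."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, PATH, CWD records carry no denial; skip them
            continue
        denials.append((context_type(m.group("scontext")),
                        context_type(m.group("tcontext")),
                        m.group("tclass"),
                        set(m.group("perms").split())))
    return denials


def aggregate_rules(denials):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def format_rule(stype, ttype, tclass, perms):
    """One allow rule; a target equal to the source is written as self."""
    target = "self" if stype == ttype else ttype
    return f"allow {stype} {target}:{tclass} {fmt_perms(perms)};"


def generate_module(name, log_text):
    """Emit a .te module (require block plus allow rules) in audit2allow's layout."""
    rules = aggregate_rules(parse_avc_denials(log_text))
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    lines += [format_rule(*key, rules[key]) for key in sorted(rules)]
    return "\n".join(lines)


def relabel_candidates(log_text):
    """Denials against file_t/default_t: fix the labels (restorecon), do not allow."""
    return sorted({(s, t, c) for s, t, c, _ in parse_avc_denials(log_text)
                   if t in MISLABEL_TYPES})


if __name__ == "__main__":
    print(generate_module("localaudit", SAMPLE_AUDIT_LOG))
    for stype, ttype, tclass in relabel_candidates(SAMPLE_AUDIT_LOG):
        print(f"# {stype} -> {ttype}:{tclass}: relabel the target instead of allowing it")
```

Running the script prints a module equivalent to the one quoted above and then flags the local_login_t access to default_t as a labeling problem; the two setuid/setgid events are merged into one `self:capability` rule, which is the aggregation step that makes audit2allow output compact.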
* Re: Can't login in F7 strict
From: Daniel J Walsh @ 2007-06-12 12:25 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: sds, selinux, cpebenito
Shintaro Fujiwara wrote:
> There really aren't any denied messages concerning it...
> There really is no problem if I attach my log, all right, but it's no use...
> But I copied the .te files I made from both logs (audit.log and messages).
> Is there any clue in here?
> Or should I install enableaudit.pp and listen to all the log or not?
>
>
> ##########here's module i made from audit.log##############
> module localaudit 1.0;
>
> require {
> type default_t;
> type system_cron_spool_t;
> type local_login_t;
> type system_dbusd_var_run_t;
> type sysadm_su_t;
> type crond_t;
> class capability { setuid setgid };
> class dir { read search };
> }
>
> #============= crond_t ==============
> allow crond_t system_cron_spool_t:dir read;
>
> #============= local_login_t ==============
> allow local_login_t default_t:dir search;
default_t is caused by a mislabeled /root. restorecon -R -v /root
> allow local_login_t system_dbusd_var_run_t:dir search;
>
> #============= sysadm_su_t ==============
> allow sysadm_su_t default_t:dir search;
> allow sysadm_su_t self:capability { setuid setgid };
>
Latest policy should have this.
>
> ##########here's module i made from /var/log/messages##############
> module localmessages 1.0;
>
> require {
> type default_t;
> type sysctl_net_unix_t;
> type init_t;
> type initrc_t;
> type file_t;
> type restorecon_t;
> type sysctl_vm_t;
> type kernel_t;
> type lvm_control_t;
> type loadkeys_t;
> type proc_kcore_t;
> type sysctl_irq_t;
> type sysctl_net_t;
> type sysctl_hotplug_t;
> type mount_t;
> type nscd_var_run_t;
> type setfiles_t;
> type proc_xen_t;
> type proc_kmsg_t;
> type proc_mdstat_t;
> type sysctl_modprobe_t;
> type sysctl_dev_t;
> type fsadm_t;
> type udev_t;
> type lvm_t;
> type sysctl_kernel_t;
> type proc_net_t;
> type local_login_t;
> type sshd_t;
> class capability { audit_write audit_control };
> class chr_file write;
> class lnk_file getattr;
> class dir { getattr read search };
> class file { read lock getattr unlink };
> class netlink_audit_socket { create ioctl setattr getattr
> append write nlmsg_relay nlmsg_read create read bind connect setopt
> getopt shutdown };
> }
>
> #============= initrc_t ==============
> allow initrc_t lvm_control_t:chr_file write;
>
What program caused this? Should probably be labeled lvm_exec_t
> #============= loadkeys_t ==============
> allow loadkeys_t nscd_var_run_t:dir search;
>
> #============= udev_t ==============
> allow udev_t default_t:dir search;
> #============= fsadm_t ==============
> allow fsadm_t file_t:file { read getattr };
These should not exist; file_t means you have unlabeled files on your system.
>
> #============= init_t ==============
> allow init_t file_t:file { read lock getattr };
>
> #============= initrc_t ==============
> allow initrc_t file_t:file read;
>
> #============= lvm_t ==============
> allow lvm_t file_t:file { read getattr };
>
> #============= mount_t ==============
> allow mount_t file_t:file unlink;
>
> #============= restorecon_t ==============
> allow restorecon_t file_t:file read;
>
> #============= setfiles_t ==============
> allow setfiles_t file_t:file read;
> allow setfiles_t init_t:dir { read getattr search };
> allow setfiles_t init_t:file getattr;
> allow setfiles_t init_t:lnk_file getattr;
> allow setfiles_t initrc_t:dir { read getattr search };
> allow setfiles_t initrc_t:file getattr;
> allow setfiles_t initrc_t:lnk_file getattr;
> allow setfiles_t kernel_t:dir { read getattr search };
> allow setfiles_t kernel_t:file getattr;
> allow setfiles_t kernel_t:lnk_file getattr;
> allow setfiles_t proc_kcore_t:file getattr;
> allow setfiles_t proc_kmsg_t:file getattr;
> allow setfiles_t proc_mdstat_t:file getattr;
> allow setfiles_t proc_net_t:dir { read getattr search };
> allow setfiles_t proc_net_t:file getattr;
> allow setfiles_t proc_xen_t:dir { read getattr search };
> allow setfiles_t proc_xen_t:file getattr;
Should all be dontaudit; this is caused by running restorecon or
setfiles on /proc.
> ###############edited by me################################
> #allow setfiles_t self:capability audit_write;
> #allow setfiles_t self:netlink_audit_socket { write nlmsg_relay create
> read };
> ###########################################################
> allow setfiles_t sysctl_dev_t:dir { read getattr search };
> allow setfiles_t sysctl_dev_t:file getattr;
> allow setfiles_t sysctl_hotplug_t:file getattr;
> allow setfiles_t sysctl_irq_t:dir { read getattr search };
> allow setfiles_t sysctl_irq_t:file getattr;
> allow setfiles_t sysctl_kernel_t:dir { read getattr search };
> allow setfiles_t sysctl_kernel_t:file getattr;
> allow setfiles_t sysctl_modprobe_t:file getattr;
> allow setfiles_t sysctl_net_t:dir { read getattr search };
> allow setfiles_t sysctl_net_t:file getattr;
> allow setfiles_t sysctl_net_unix_t:dir { read getattr search };
> allow setfiles_t sysctl_net_unix_t:file getattr;
> allow setfiles_t sysctl_vm_t:dir { read getattr search };
> allow setfiles_t sysctl_vm_t:file getattr;
> allow setfiles_t udev_t:dir { read getattr search };
> allow setfiles_t udev_t:file getattr;
> allow setfiles_t udev_t:lnk_file getattr;
>
> #============= udev_t ==============
> allow udev_t file_t:file { read getattr };
>
> ###############added by me################################
>
> #============= local_login_t ==============
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
Latest policy should have these
>
> #============= sshd_t ==============
> logging_send_audit_msg(sshd_t)
> logging_set_loginuid(sshd_t)
>
>
> 2007/6/12, Daniel J Walsh <dwalsh@redhat.com>:
>> Shintaro Fujiwara wrote:
>> > With the latest policy, I could install and could log in to my machine.
>> >
>> > Thanks !
>> >
>> > But another problem...
>> >
>> > Keymap (jp106) fails...
>> >
>> > Is this the only problem for non-English-speaking people, and how
>> > should we fix it?
>> > I can use my jp106 keyboard as a US keyboard, but it is inconvenient...
>> >
>> > Is there still a bug in the policy or not?
>> >
>> Most likely a bug in policy. Please report it and attach your audit.log.
>>
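As an added example (not Daniel Walsh's or the reference policy's code), here is a small Python triage of audit2allow output that applies the review rules given in the reply above: allow rules whose target is file_t or default_t point at unlabeled or mislabeled files and want restorecon rather than an allow, and read-only rules from setfiles_t or restorecon_t are the /proc walk that should become dontaudit. The sample module is constructed in the shape of the posted .te files; the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample (not the thread's file verbatim), shaped like
# the audit2allow output posted above.
SAMPLE_TE = """\
module localmessages 1.0;

require {
	type default_t;
	type file_t;
	type setfiles_t;
	type proc_net_t;
	type local_login_t;
	type lvm_t;
	type loadkeys_t;
	type nscd_var_run_t;
	class dir { read search getattr };
	class file { read getattr };
}

allow local_login_t default_t:dir search;
allow lvm_t file_t:file { read getattr };
allow setfiles_t proc_net_t:dir { read getattr search };
allow loadkeys_t nscd_var_run_t:dir search;
"""

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")

# Permissions a labeling tool needs just to walk a tree; nothing it could abuse.
READ_ONLY = {"read", "getattr", "search"}

@dataclass
class Finding:
    rule: str        # the allow rule, normalised
    verdict: str     # "relabel", "dontaudit" or "review"
    suggestion: str  # what to do instead of loading the allow rule as-is

def parse_allow_rules(te_text):
    """Return (source, target, class, [perms]) for every allow rule in a .te."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, perms.strip("{} ").split()))
    return rules

def triage(te_text):
    """Classify each allow rule the way the review above does."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        if tgt == "file_t":
            findings.append(Finding(rule, "relabel",
                "file_t is the type of unlabeled files: relabel the filesystem, do not allow"))
        elif tgt == "default_t":
            findings.append(Finding(rule, "relabel",
                "default_t means no file_contexts entry matched: restorecon -R -v the directory"))
        elif src in ("setfiles_t", "restorecon_t") and set(perms) <= READ_ONLY:
            # The labeling tool walking /proc: silence it rather than grant it.
            findings.append(Finding(rule, "dontaudit",
                f"dontaudit {src} {tgt}:{cls} {{ {' '.join(perms)} }};"))
        else:
            findings.append(Finding(rule, "review",
                "possibly genuine access: keep only if the program really needs it"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_TE):
        print(f"{f.verdict:9} {f.rule}\n          -> {f.suggestion}")
```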
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-12 20:16 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: sds, selinux, cpebenito
Thank you very much for your kind advice.
I will relabel my system and regenerate my own policy
properly with the latest selinux-policy.
Especially, I will check for things that should not be allowed from initrc_t...
And delete the setfiles lines (I restoreconed my home directory for the
use of stuff_u).
Thanks !
##################################################
Officer, System-Informations, Signal School, JGSDF
###################################################
* Re: Can't login in F7 strict
From: Shintaro Fujiwara @ 2007-06-13 10:58 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: sds, selinux, cpebenito
not stuff_u but staff_u ...;)
I misspelled it again...;)
I relabeled my system and the problem is smaller now.
I will work on it.
Thanks.