From: Daniel J Walsh <dwalsh@redhat.com>
To: Ian jonhson <jonhson.ian@gmail.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: About the polgengui in FC7
Date: Tue, 04 Sep 2007 15:14:10 -0400	[thread overview]
Message-ID: <46DDAE82.2080207@redhat.com> (raw)
In-Reply-To: <8f34198c0709040425u48adae75g48e1035ecb4f1305@mail.gmail.com>


Ian jonhson wrote:
>> yum install selinux-policy-devel
>> Then run the script again
>>
> 
> I still met some problems running the script. The messages are as follows:
> 
> ------------- dump screen --------------
> [root@Fedora7 policy]# sh rwho.sh
> rwho.if:14: Error: duplicate definition of rwho_domtrans(). Original
> definition on 14.
> Compiling targeted rwho module
> /usr/bin/checkmodule:  loading policy configuration from tmp/rwho.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 6) to tmp/rwho.mod
> Creating targeted rwho.pp policy package
> rm tmp/rwho.mod tmp/rwho.mod.fc
> /sbin/restorecon reset /usr/bin/rwho context
> system_u:object_r:rwho_exec_t:s0->system_u:object_r:rwho_exec_t:s0
> [root@Fedora7 policy]# setenforce 0
> bash: setenforce: command not found
> ...
/usr/sbin/setenforce 0

> ------------------------------------------------
> 
> I am not sure whether the duplicate definition would affect the policy
> creation, but I got a difference from the description in the article. Also,
> I can not execute setenforce, and cannot find the command.
> 
> When I run the audit2allow, the output messages are:
> 
> ----------  dump screen ------------------
> [root@Fedora7 tmp]# grep rwho /var/log/audit/audit.log | audit2allow -R
> 
> require {
>        type rwho_t;
> }
> 
> #============= rwho_t ==============
> files_search_spool(rwho_t)
> 
> 
> [root@Fedora7 tmp]# grep rwho /var/log/audit/audit.log
> type=AVC msg=audit(1188717730.985:106): avc:  denied  { search } for
> pid=3753 comm="rwhod" name="spool" dev=dm-0 ino=130473
> scontext=user_u:system_r:rwho_t:s0
> tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> type=SYSCALL msg=audit(1188717730.985:106): arch=40000003 syscall=12
> success=no exit=-13 a0=8000270c a1=2 a2=80003b5c a3=1 items=0
> ppid=3752 pid=3753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="rwhod" exe="/usr/sbin/rwhod"
> subj=user_u:system_r:rwho_t:s0 key=(null)
> [root@Fedora7 tmp]#
> --------------------------------------------------
> 
> Did I forget anything?
> 
No. Now you would add the line
files_search_spool(rwho_t)
to the .te file and rerun the sh script.

> 
>> yes you can do this,  The extension that I am adding, is to setup logged
>> in users who can not talk to the network, or only one port on the
>> network.  These users will not be able to run any setuid applications or
>>  even execute files in the home directories.
> 
> Very good, but in the current FC7, those functionalities are not supported,
> right? If the polgengui in FC7 does not support the above
> functionality, can I do my jobs by editing the policy source files
> manually? What should I do?
> 
> Thank you very much !!
> 
> 
> 
> Best regards,
> 
> ian
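
As an added illustration (not part of the thread), the parser below shows how the AVC records quoted above map to the raw TE allow rule that audit2allow emits before the -R option replaces it with the refpolicy interface files_search_spool(). The log lines are constructed after the quoted ones; the second denial is added to show how permissions for one (source, target, class) triple are merged.

```python
import re
from collections import defaultdict

# Constructed sample in the audit.log format quoted in the thread; the
# third record is made up to demonstrate permission merging.
SAMPLE_LOG = """\
type=AVC msg=audit(1188717730.985:106): avc:  denied  { search } for pid=3753 comm="rwhod" name="spool" dev=dm-0 ino=130473 scontext=user_u:system_r:rwho_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1188717730.985:106): arch=40000003 syscall=12 success=no exit=-13 ppid=3752 pid=3753 auid=500 uid=0 comm="rwhod" exe="/usr/sbin/rwhod" subj=user_u:system_r:rwho_t:s0 key=(null)
type=AVC msg=audit(1188717731.001:107): avc:  denied  { read getattr } for pid=3753 comm="rwhod" name="spool" dev=dm-0 ino=130473 scontext=user_u:system_r:rwho_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, set_of_perms) per AVC record.
    SYSCALL and other record types carry no denial and are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def format_perms(perms):
    """Single permission bare, several in braces, matching TE syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def allow_rules(log_text):
    """Merge denials into raw allow rules, as audit2allow without -R prints
    them; with -R it would instead suggest files_search_spool(rwho_t)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return ["allow %s %s:%s %s;" % (src, tgt, cls, format_perms(perms))
            for (src, tgt, cls), perms in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Review the merged rule before pasting it into the .te file: a denial is only evidence that the program tried an access, not that the access should be granted.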


