From: "Justin P. Mattock" <justinmattock@gmail.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: refpolicy@oss1.tresys.com, selinux@tycho.nsa.gov
Subject: Re: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()
Date: Mon, 24 Jan 2011 11:30:40 -0800 [thread overview]
Message-ID: <4D3DD360.9090807@gmail.com> (raw)
In-Reply-To: <4D373BC5.9080609@gmail.com>
On 01/19/11 11:30, Justin P. Mattock wrote:
> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>> this is showing up with the latest kernel in enforcing mode..
>>> (I have not update the policy and/or selinux userspace)
>>>
>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>> } for pid=1540 comm="rsyslogd" capability=34
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>> [cut]
>>> when using audit2allow I get:
>>>
>>> allow init_t self:capability2 syslog;
>>>
>>> which gives an error when trying to install the module, due to the
>>> policy not knowing what capability2 is
>>>
>>> system is ubuntu maverick, if this is already in(refpolicy) then I'll
>>> pull the latest when I get a chance..
>>
>> Support for this capability is upstream in refpolicy.
>>
>
well... after building and trying to install, seems I need to do this:
From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
From: Justin P. Mattock <justinmattock@gmail.com>
Date: Mon, 24 Jan 2011 11:13:31 -0800
Subject: [PATCH] modified: policy/modules/kernel/domain.te
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
diff --git a/policy/modules/kernel/domain.te
b/policy/modules/kernel/domain.te
index bc534c1..77c363b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -24,7 +24,8 @@ attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
-neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
--
1.6.5.GIT
in order for the policy to build all the way... is anybody else hitting
this, or is this just me..
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: justinmattock@gmail.com (Justin P. Mattock)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()
Date: Mon, 24 Jan 2011 11:30:40 -0800 [thread overview]
Message-ID: <4D3DD360.9090807@gmail.com> (raw)
In-Reply-To: <4D373BC5.9080609@gmail.com>
On 01/19/11 11:30, Justin P. Mattock wrote:
> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>> this is showing up with the latest kernel in enforcing mode..
>>> (I have not update the policy and/or selinux userspace)
>>>
>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>> } for pid=1540 comm="rsyslogd" capability=34
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>> [cut]
>>> when using audit2allow I get:
>>>
>>> allow init_t self:capability2 syslog;
>>>
>>> which gives an error when trying to install the module, due to the
>>> policy not knowing what capability2 is
>>>
>>> system is ubuntu maverick, if this is already in(refpolicy) then I'll
>>> pull the latest when I get a chance..
>>
>> Support for this capability is upstream in refpolicy.
>>
>
well... after building and trying to install, seems I need to do this:
From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
From: Justin P. Mattock <justinmattock@gmail.com>
Date: Mon, 24 Jan 2011 11:13:31 -0800
Subject: [PATCH] modified: policy/modules/kernel/domain.te
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
diff --git a/policy/modules/kernel/domain.te
b/policy/modules/kernel/domain.te
index bc534c1..77c363b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -24,7 +24,8 @@ attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
-neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
--
1.6.5.GIT
in order for the policy to build all the way... is anybody else hitting
this, or is this just me..
Justin P. Mattock
next prev parent reply other threads:[~2011-01-24 19:30 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-19 18:06 WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441() Justin P. Mattock
2011-01-19 18:06 ` [refpolicy] " Justin P. Mattock
2011-01-19 19:23 ` Christopher J. PeBenito
2011-01-19 19:23 ` Christopher J. PeBenito
2011-01-19 19:30 ` Justin P. Mattock
2011-01-19 19:30 ` Justin P. Mattock
2011-01-24 19:30 ` Justin P. Mattock [this message]
2011-01-24 19:30 ` Justin P. Mattock
2011-01-24 19:34 ` Justin P. Mattock
2011-01-24 19:34 ` Justin P. Mattock
2011-01-24 20:27 ` Dominick Grift
2011-01-24 20:57 ` Justin P. Mattock
2011-01-24 21:03 ` Dominick Grift
2011-01-24 21:08 ` Justin P. Mattock
2011-01-24 22:39 ` Justin P. Mattock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D3DD360.9090807@gmail.com \
--to=justinmattock@gmail.com \
--cc=cpebenito@tresys.com \
--cc=refpolicy@oss1.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.