* Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-21 17:25 UTC
To: SELinux

I have a custom monolithic build based on RHEL6 policy. I get this error when I try to turn off dontaudit rules:

$ semodule -DB
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)

Is there another way to turn off dontaudit rules in a monolithic policy?

Many thanks,
--Hung Truong

* RE: Turn off "dontaudit" rules in monolithic policy
From: Vu, Joseph @ 2013-01-22 14:19 UTC
To: Hung Truong, SELinux

Hung,

I have been trying to rebuild monolithic policy and was not able to.
What version of SELinux Policy and RHT are you using?

________________________________
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Hung Truong
Sent: Monday, January 21, 2013 11:25 AM
To: SELinux
Subject: Turn off "dontaudit" rules in monolithic policy

I have a custom monolithic build based on RHEL6 policy. I get this error when I try to turn off dontaudit rules:

$ semodule -DB
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)

Is there another way to turn off dontaudit rules in a monolithic policy?

Many thanks,
--Hung Truong

* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 14:31 UTC
To: Vu, Joseph, SELinux

I am using version 3.7.19-155el6.6.

From: Vu, Joseph [mailto:joseph.vu@boeing.com]
Sent: Tuesday, January 22, 2013 9:19 AM
To: Hung Truong; SELinux
Subject: RE: Turn off "dontaudit" rules in monolithic policy

Hung,

I have been trying to rebuild monolithic policy and was not able to.
What version of SELinux Policy and RHT are you using?

------------------------------
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Hung Truong
Sent: Monday, January 21, 2013 11:25 AM
To: SELinux
Subject: Turn off "dontaudit" rules in monolithic policy

I have a custom monolithic build based on RHEL6 policy. I get this error when I try to turn off dontaudit rules:

$ semodule -DB
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)

Is there another way to turn off dontaudit rules in a monolithic policy?

Many thanks,
--Hung Truong

* Re: Turn off "dontaudit" rules in monolithic policy
From: Daniel J Walsh @ 2013-01-22 15:10 UTC
To: Hung Truong; +Cc: Vu, Joseph, SELinux

On 01/22/2013 09:31 AM, Hung Truong wrote:
> I am using version 3.7.19-155el6.6.
>
> From: Vu, Joseph [mailto:joseph.vu@boeing.com]
> Sent: Tuesday, January 22, 2013 9:19 AM
> To: Hung Truong; SELinux
> Subject: RE: Turn off "dontaudit" rules in monolithic policy
>
> Hung,
>
> I have been trying to rebuild monolithic policy and was not able to.
>
> What version of SELinux Policy and RHT are you using?
>
> --------------------------------------------------------------------------------
>
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Hung Truong
> Sent: Monday, January 21, 2013 11:25 AM
> To: SELinux
> Subject: Turn off "dontaudit" rules in monolithic policy
>
> I have a custom monolithic build based on RHEL6 policy. I get this error
> when I try to turn off dontaudit rules:
>
> $ semodule -DB
>
> libsemanage.semanage_link_sandbox: Could not access sandbox base file
> /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>
> Is there another way to turn off dontaudit rules in a monolithic policy?
>
> Many thanks,
>
> --Hung Truong

Why not compile two policies, one with and one without dontaudit rules?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 15:14 UTC
To: Daniel J Walsh; +Cc: SELinux

Could you tell me how to compile a policy without dontaudit rules?
Thanks.

Hung Truong | Trident Systems Incorporated
Sr. Embedded Engineer, Software System Engineering Group
10201 Fairfax Boulevard | Suite 300 | Fairfax, VA 22030
d: 703.267.6746 | f: 703.273.6608
e: hung.truong@tridsys.com | www.tridsys.com

Notice: The information contained in this email message is considered confidential and proprietary to the sender and is intended solely for review and use by the named recipient. Any unauthorized review, use or distribution is strictly prohibited. If you have received this message in error, please advise the sender by reply email and delete the message.

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, January 22, 2013 10:11 AM
To: Hung Truong
Cc: Vu, Joseph; SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy

On 01/22/2013 09:31 AM, Hung Truong wrote:
> I am using version 3.7.19-155el6.6.
>
> From: Vu, Joseph [mailto:joseph.vu@boeing.com]
> Sent: Tuesday, January 22, 2013 9:19 AM
> To: Hung Truong; SELinux
> Subject: RE: Turn off "dontaudit" rules in monolithic policy
>
> Hung,
>
> I have been trying to rebuild monolithic policy and was not able to.
>
> What version of SELinux Policy and RHT are you using?
>
> --------------------------------------------------------------------------------
>
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Hung Truong
> Sent: Monday, January 21, 2013 11:25 AM
> To: SELinux
> Subject: Turn off "dontaudit" rules in monolithic policy
>
> I have a custom monolithic build based on RHEL6 policy. I get this
> error when I try to turn off dontaudit rules:
>
> $ semodule -DB
>
> libsemanage.semanage_link_sandbox: Could not access sandbox base file
> /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>
> Is there another way to turn off dontaudit rules in a monolithic policy?
>
> Many thanks,
>
> --Hung Truong

Why not compile two policies, one with and one without dontaudit rules?

[parent not found: <50FEAEE1.9000002@redhat.com>]
* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 16:54 UTC
To: Daniel J Walsh; +Cc: refpolicy, selinux

This works!!!
BTW, there was a typo. The command should be:

make enableaudit

I really appreciate your help.

Hung Truong | Trident Systems Incorporated
Sr. Embedded Engineer, Software System Engineering Group
10201 Fairfax Boulevard | Suite 300 | Fairfax, VA 22030
d: 703.267.6746 | f: 703.273.6608
e: hung.truong@tridsys.com | www.tridsys.com

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, January 22, 2013 10:23 AM
To: Hung Truong
Subject: Re: Turn off "dontaudit" rules in monolithic policy

On 01/22/2013 10:14 AM, Hung Truong wrote:
> Could you tell me how to compile a policy without dontaudit rules?
> Thanks.
>
make enabelaudit I believe.
>
> Hung Truong | Trident Systems Incorporated
> Sr. Embedded Engineer, Software System Engineering Group
> 10201 Fairfax Boulevard | Suite 300 | Fairfax, VA 22030
> d: 703.267.6746 | f: 703.273.6608
> e: hung.truong@tridsys.com | www.tridsys.com
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: Tuesday, January 22, 2013 10:11 AM
> To: Hung Truong
> Cc: Vu, Joseph; SELinux
> Subject: Re: Turn off "dontaudit" rules in monolithic policy
>
> On 01/22/2013 09:31 AM, Hung Truong wrote:
>> I am using version 3.7.19-155el6.6.
>>
>> From: Vu, Joseph [mailto:joseph.vu@boeing.com]
>> Sent: Tuesday, January 22, 2013 9:19 AM
>> To: Hung Truong; SELinux
>> Subject: RE: Turn off "dontaudit" rules in monolithic policy
>>
>> Hung,
>>
>> I have been trying to rebuild monolithic policy and was not able to.
>>
>> What version of SELinux Policy and RHT are you using?
>>
>> --------------------------------------------------------------------------------
>>
>> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Hung Truong
>> Sent: Monday, January 21, 2013 11:25 AM
>> To: SELinux
>> Subject: Turn off "dontaudit" rules in monolithic policy
>>
>> I have a custom monolithic build based on RHEL6 policy. I get this
>> error when I try to turn off dontaudit rules:
>>
>> $ semodule -DB
>>
>> libsemanage.semanage_link_sandbox: Could not access sandbox base file
>> /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>>
>> Is there another way to turn off dontaudit rules in a monolithic policy?
>>
>> Many thanks,
>>
>> --Hung Truong
>
> Why not compile two policies, one with and one without dontaudit rules?

* Re: Turn off "dontaudit" rules in monolithic policy
From: Christopher J. PeBenito @ 2013-01-22 18:02 UTC
To: Hung Truong; +Cc: SELinux

To clarify terminology, if you're using semodule, you're using a modular policy, not a monolithic policy. A monolithic policy would be fully compiled on the development machine, and the policy.27 would be deployed to the running machine. A modular policy deploys the *.pp files to the running machine and links them together to make a policy.27.

On 01/21/13 12:25, Hung Truong wrote:
> I have a custom monolithic build based on RHEL6 policy.
> I get this error when I try to turn off dontaudit rules:
>
> $ semodule -DB
>
> libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>
> Is there another way to turn off dontaudit rules in a monolithic policy?
>
> Many thanks,
>
> --Hung Truong

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 18:12 UTC
To: Christopher J. PeBenito; +Cc: SELinux

Thanks for the clarification. I thought the "semodule -DB" could be used for monolithic policy as well.

Daniel Walsh gave a solution by compiling a policy without dontaudit rules and that worked perfectly fine for me. But, just curious if there is an equivalent command to turn off dontaudit for monolithic policy at runtime?

--Hung Truong

-----Original Message-----
From: Christopher J. PeBenito [mailto:cpebenito@tresys.com]
Sent: Tuesday, January 22, 2013 1:03 PM
To: Hung Truong
Cc: SELinux
Subject: Re: Turn off "dontaudit" rules in monolithic policy

To clarify terminology, if you're using semodule, you're using a modular policy, not a monolithic policy. A monolithic policy would be fully compiled on the development machine, and the policy.27 would be deployed to the running machine. A modular policy deploys the *.pp files to the running machine and links them together to make a policy.27.

On 01/21/13 12:25, Hung Truong wrote:
> I have a custom monolithic build based on RHEL6 policy.
> I get this error when I try to turn off dontaudit rules:
>
> $ semodule -DB
>
> libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>
> Is there another way to turn off dontaudit rules in a monolithic policy?
>
> Many thanks,
>
> --Hung Truong

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* Re: Turn off "dontaudit" rules in monolithic policy
From: Christopher J. PeBenito @ 2013-01-22 18:20 UTC
To: Hung Truong; +Cc: SELinux

No, a monolithic policy can't be managed like that at run time. The policy is supposed to be static. You'd have to use make enableaudit when you build it, as Dan previously mentioned, and redeploy the policy.

On 01/22/13 13:12, Hung Truong wrote:
> Thanks for the clarification. I thought the "semodule -DB" could be used
> for monolithic policy as well.
>
> Daniel Walsh gave a solution by compiling a policy without dontaudit rules
> and that worked perfectly fine for me. But, just curious if there is an
> equivalent command to turn off dontaudit for monolithic policy at runtime?
>
> --Hung Truong
>
> -----Original Message-----
> From: Christopher J. PeBenito [mailto:cpebenito@tresys.com]
> Sent: Tuesday, January 22, 2013 1:03 PM
> To: Hung Truong
> Cc: SELinux
> Subject: Re: Turn off "dontaudit" rules in monolithic policy
>
> To clarify terminology, if you're using semodule, you're using a modular
> policy, not a monolithic policy. A monolithic policy would be fully
> compiled on the development machine, and the policy.27 would be deployed
> to the running machine. A modular policy deploys the *.pp files to the
> running machine and links them together to make a policy.27.
>
> On 01/21/13 12:25, Hung Truong wrote:
>> I have a custom monolithic build based on RHEL6 policy.
>> I get this error when I try to turn off dontaudit rules:
>>
>> $ semodule -DB
>>
>> libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
>>
>> Is there another way to turn off dontaudit rules in a monolithic policy?
>>
>> Many thanks,
>>
>> --Hung Truong

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

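The distinction the thread settles on (a modular store is rebuilt on the host with semodule -DB, a monolithic policy is rebuilt from source with make enableaudit and redeployed) can be checked before running either command. The script below is an added example, not code from the thread or from the SELinux project; the function names are hypothetical, and the modules/active/base.pp location is an assumption about the RHEL6-era store layout.

```shell
#!/bin/sh
# Added example: pick the way to expose dontaudit-suppressed denials that
# matches how the policy was deployed.
# Assumption: a modular store keeps its linked base module at
# <root>/modules/active/base.pp (RHEL6-era layout); a monolithic deployment
# ships only the compiled <root>/policy/policy.N.

# policy_kind ROOT -> prints "modular", "monolithic" or "unknown"
policy_kind() {
    root=$1
    # Test the module store first: a modular host also has policy/policy.N,
    # because the store is linked into that file.
    if [ -f "$root/modules/active/base.pp" ]; then
        echo modular
    elif ls "$root"/policy/policy.[0-9]* >/dev/null 2>&1; then
        echo monolithic
    else
        echo unknown
    fi
}

# dontaudit_plan ROOT -> prints the step that applies; returns 1 if no policy
dontaudit_plan() {
    case $(policy_kind "$1") in
        modular)
            # -D disables dontaudit rules, -B rebuilds and reloads the policy.
            echo "semodule -DB   # run on this host; 'semodule -B' restores dontaudit rules" ;;
        monolithic)
            # Nothing to relink on the host: rebuild on the development machine.
            echo "make enableaudit   # in the policy source tree, then build and redeploy policy.N" ;;
        *)
            echo "no SELinux policy found under $1" >&2
            return 1 ;;
    esac
}

# Optional stand-alone use: sh script.sh /etc/selinux/targeted
if [ $# -gt 0 ]; then
    dontaudit_plan "$1"
fi
```

A policy built with make enableaudit logs every denial that dontaudit rules normally hide, so it is usually kept as a separate debugging build next to the normal one, as suggested in the thread.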