* Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-21 17:25 UTC (permalink / raw)
To: SELinux
I have a custom monolithic build based on RHEL6 policy.
I get this error when I try to turn off dontaudit rules:
$ semodule -DB
libsemanage.semanage_link_sandbox: Could not access sandbox base file
/etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)
Is there another way to turn off dontaudit rules in a monolithic policy?
Many thanks,
--Hung Truong
* RE: Turn off "dontaudit" rules in monolithic policy
From: Vu, Joseph @ 2013-01-22 14:19 UTC (permalink / raw)
To: Hung Truong, SELinux
Hung,
I have been trying to rebuild monolithic policy and was not able to.
What version of SELinux Policy and RHT are you using?
* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 14:31 UTC (permalink / raw)
To: Vu, Joseph, SELinux
I am using version 3.7.19-155el6.6.
* Re: Turn off "dontaudit" rules in monolithic policy
From: Daniel J Walsh @ 2013-01-22 15:10 UTC (permalink / raw)
To: Hung Truong; +Cc: Vu, Joseph, SELinux
On 01/22/2013 09:31 AM, Hung Truong wrote:
> I am using version 3.7.19-155el6.6.
Why not compile two policies, one with and one without dontaudit rules?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 15:14 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
Could you tell me how to compile a policy without dontaudit rules? Thanks.
Hung Truong | Trident Systems Incorporated
Sr. Embedded Engineer, Software System Engineering Group
10201 Fairfax Boulevard | Suite 300 | Fairfax, VA 22030
d: 703.267.6746 | f: 703.273.6608
e: hung.truong@tridsys.com | www.tridsys.com
Notice: The information contained in this email message is considered
confidential and proprietary to the sender and is intended solely for review
and use by the named recipient. Any unauthorized review, use or
distribution is strictly prohibited. If you have received this message in
error, please advise the sender by reply email and delete the message.
* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 16:54 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: refpolicy, selinux
This works!!! BTW, there was a typo. The command should be:
make enableaudit
I really appreciate your help.
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Tuesday, January 22, 2013 10:23 AM
To: Hung Truong
Subject: Re: Turn off "dontaudit" rules in monolithic policy
On 01/22/2013 10:14 AM, Hung Truong wrote:
> Could you tell me how to compile a policy without dontaudit rules?
> Thanks.
>
make enabelaudit
I believe.
* Re: Turn off "dontaudit" rules in monolithic policy
From: Christopher J. PeBenito @ 2013-01-22 18:02 UTC (permalink / raw)
To: Hung Truong; +Cc: SELinux
To clarify terminology, if you're using semodule, you're using a modular policy, not a monolithic policy. A monolithic policy would be fully compiled on the development machine, and the policy.27 would be deployed to the running machine. A modular policy deploys the *.pp files to the running machine and links them together to make a policy.27.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* RE: Turn off "dontaudit" rules in monolithic policy
From: Hung Truong @ 2013-01-22 18:12 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux
Thanks for the clarification. I thought the "semodule -DB" could be used
for monolithic policy as well.
Daniel Walsh gave a solution by compiling a policy without dontaudit rules
and that worked perfectly fine for me. But, just curious if there is an
equivalent command to turn off dontaudit for monolithic policy at runtime?
--Hung Truong
* Re: Turn off "dontaudit" rules in monolithic policy
From: Christopher J. PeBenito @ 2013-01-22 18:20 UTC (permalink / raw)
To: Hung Truong; +Cc: SELinux
No, a monolithic policy can't be managed like that at run time. The policy is supposed to be static. You'd have to use make enableaudit when you build it, as Dan previously mentioned, and redeploy the policy.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
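
Added example, not part of the original thread and not the reference policy's own build code: the thread's answer is that dontaudit rules have to be left out when a monolithic policy is built, so the sketch below treats that as a filter over policy source text and checks that the filtered source differs from the original only in its dontaudit rules. The function names, file names and the sample policy.conf fragment are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: emulates a build-time "strip dontaudit" step on a constructed
# policy.conf fragment. Function names and sample rules are hypothetical.

# Constructed sample; note that a comment mentioning dontaudit is not a rule.
make_sample() {  # usage: make_sample FILE
    cat > "$1" <<'EOF'
# sample fragment: dontaudit in a comment must survive the filter
allow httpd_t httpd_log_t:file { append getattr };
dontaudit httpd_t shadow_t:file read;
auditallow httpd_t httpd_config_t:file write;
if (httpd_can_network_connect) {
    allow httpd_t port_type:tcp_socket name_connect;
    dontaudit httpd_t port_type:udp_socket name_bind;
}
dontaudit sshd_t self:capability sys_tty_config;
EOF
}

# Print how many rules of one kind (allow, dontaudit, auditallow) FILE has.
rule_count() {  # usage: rule_count KIND FILE
    grep -c "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# Copy IN to OUT without its dontaudit rules; every other line is kept.
strip_dontaudit() {  # usage: strip_dontaudit IN OUT
    grep -v '^[[:space:]]*dontaudit[[:space:]]' "$1" > "$2" || true
}

# Succeed only if DEBUG has no dontaudit rules and is otherwise identical to
# PROD, i.e. the two builds differ in auditing and in nothing else.
verify_debug_policy() {  # usage: verify_debug_policy PROD DEBUG
    [ "$(rule_count dontaudit "$2")" -eq 0 ] || return 1
    tmp=$(mktemp) || return 1
    strip_dontaudit "$1" "$tmp"
    rc=0
    cmp -s "$tmp" "$2" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

work=$(mktemp -d)
make_sample "$work/policy.conf"
strip_dontaudit "$work/policy.conf" "$work/policy.audit.conf"
echo "dontaudit rules before: $(rule_count dontaudit "$work/policy.conf")"
echo "dontaudit rules after:  $(rule_count dontaudit "$work/policy.audit.conf")"
if verify_debug_policy "$work/policy.conf" "$work/policy.audit.conf"; then
    echo "debug source differs from production only in dontaudit rules"
fi
rm -rf "$work"
```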