* Re: How to restore a policy module
2014-03-21 13:29 How to restore a policy module Kim Lawson-Jenkins
@ 2014-03-21 13:32 ` Stephen Smalley
2014-03-21 13:35 ` Stephen Smalley
2014-03-21 13:37 ` Ilya Frolov
` (2 subsequent siblings)
3 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2014-03-21 13:32 UTC (permalink / raw)
To: kim.lawson-jenkins, selinux
On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
> In an attempt to lock down a system I removed the remotelogin policy
> module using semodule -r. I’m using the targeted policy on RHEL6. How
> do I add this file back to my current configuration?
You can always do a yum reinstall selinux-policy-targeted to fully
reinstall the policy, or you could individually install that policy
module. Used to be the case that a copy of each module was available
under /usr/share/selinux/targeted, so you could do a semodule -i
/usr/share/selinux/targeted/remotelogin.pp if that exists (but it seems
to have gone away in recent Fedora, likely to save on storage).
* Re: How to restore a policy module
From: Stephen Smalley @ 2014-03-21 13:35 UTC (permalink / raw)
To: kim.lawson-jenkins, selinux
On 03/21/2014 09:32 AM, Stephen Smalley wrote:
> On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
>> In an attempt to lock down a system I removed the remotelogin policy
>> module using semodule -r. I’m using the targeted policy on RHEL6. How
>> do I add this file back to my current configuration?
>
> You can always do a yum reinstall selinux-policy-targeted to fully
> reinstall the policy, or you could individually install that policy
> module. Used to be the case that a copy of each module was available
> under /usr/share/selinux/targeted, so you could do a semodule -i
> /usr/share/selinux/targeted/remotelogin.pp if that exists (but it seems
> to have gone away in recent Fedora, likely to save on storage).
Also, if you add:
save-previous = true
to your /etc/selinux/semanage.conf
it will keep a copy of your previous policy under
/etc/selinux/targeted/modules/previous on each transaction, making it
easier to roll back changes.
* RE: How to restore a policy module
From: Kim Lawson-Jenkins @ 2014-03-21 13:49 UTC (permalink / raw)
To: selinux
Thanks everyone for the rapid answers. I was able to restore the file.
Kim
* Re: How to restore a policy module
From: Ilya Frolov @ 2014-03-21 13:37 UTC (permalink / raw)
To: kim.lawson-jenkins; +Cc: selinux@tycho.nsa.gov
Hello Kim,
I'd downloaded rpm, containing relevant module, unpacked it and then used
semodule -i /path/to/module.pp to replace it.
Also, I think simple reinstall of the policy would do the trick.
Here's what I base my assumption on:
root@selinux:/root # cp /etc/selinux/custom/modules/active/modules/apt.pp /tmp/
root@selinux:/root # semodule -l | grep apt
apt 1.8.2
root@selinux:/root # semodule -r apt
root@selinux:/root # ls -la /etc/selinux/custom/modules/active/modules/apt*
ls: cannot access /etc/selinux/custom/modules/active/modules/apt*: No such file or directory
root@selinux:/root # semodule -i /tmp/apt.pp
root@selinux:/root # ls -la /etc/selinux/custom/modules/active/modules/apt*
-rw-------. 1 root root 6814 Mar 21 13:33 /etc/selinux/custom/modules/active/modules/apt.pp
regards,
ilya
On Fri, Mar 21, 2014 at 5:29 PM, Kim Lawson-Jenkins <
kim.lawson-jenkins@nrl.navy.mil> wrote:
> In an attempt to lock down a system I removed the remotelogin policy module
> using semodule -r. I’m using the targeted policy on RHEL6. How do I add
> this file back to my current configuration?
* Re: How to restore a policy module
From: James Carter @ 2014-03-21 13:41 UTC (permalink / raw)
To: kim.lawson-jenkins, selinux
On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
> In an attempt to lock down a system I removed the remotelogin policy module
> using semodule -r. I'm using the targeted policy on RHEL6. How do I add
> this file back to my current configuration?
>
The pp file for the module will still be in /usr/share/selinux/targeted/.
To reinstall the module do:
semodule -i /usr/share/selinux/targeted/remotelogin.pp.bz2
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
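Added example, not part of the thread and not code from the SELinux project: the replies above disagree on whether the packaged copy is remotelogin.pp, remotelogin.pp.bz2, or absent, so this sketch checks for each and prints the matching restore command without running it. The function names plan_restore and save_previous_enabled are hypothetical; the paths and commands are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: prints the restore command, changes nothing.

# plan_restore MODULE [SHARE_DIR]
# SHARE_DIR defaults to the packaged-module directory named in the thread.
plan_restore() {
    module=$1
    share_dir=${2:-/usr/share/selinux/targeted}

    # The name becomes part of a path: allow only a conservative character set.
    case $module in
        ''|.*|*[!A-Za-z0-9_.-]*) echo "error: bad module name" >&2; return 2 ;;
    esac

    # The packaged copy may be plain (.pp) or bzip2-compressed (.pp.bz2).
    for candidate in "$share_dir/$module.pp" "$share_dir/$module.pp.bz2"; do
        # Ignore symlinks; accept only a regular file.
        if [ -f "$candidate" ] && [ ! -L "$candidate" ]; then
            echo "semodule -i $candidate"
            return 0
        fi
    done

    # No packaged copy on disk: fall back to reinstalling the policy package.
    echo "yum reinstall selinux-policy-targeted"
    return 1
}

# save_previous_enabled [CONF]
# Succeeds only if CONF has an uncommented "save-previous = true" line.
save_previous_enabled() {
    conf=${1:-/etc/selinux/semanage.conf}
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*save-previous[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"
}

# Stand-alone use: sh plan_restore.sh remotelogin
if [ "$#" -gt 0 ]; then
    plan_restore "$@"
fi
```

Checking save_previous_enabled before a semodule -r tells you whether a copy of the prior policy will be kept for that transaction.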
* Re: How to restore a policy module
From: Daniel J Walsh @ 2014-03-21 18:34 UTC (permalink / raw)
To: kim.lawson-jenkins, selinux
On 03/21/2014 09:29 AM, Kim Lawson-Jenkins wrote:
> In an attempt to lock down a system I removed the remotelogin policy module
> using semodule -r. I'm using the targeted policy on RHEL6. How do I add
> this file back to my current configuration?
yum reinstall selinux-policy-targeted
Should do it.