Re: Add SELinux protection to Pure-FTPd

On Fri, 2006-04-14 at 16:47 +0200, Aurelien Bompard wrote:
> Looks good to me, except I've placed it
> in /usr/share/selinux/packages/<packagename> to avoid the base and targeted
> dirs being buried under a ton of packages dirs in the future.
> 
> It's taking shape, but I have another problem. I run
>   semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp
> in the %post scriptlet to load the module, and I get this error:
> 
> libsemanage.semanage_commit_sandbox: Could not remove previous
> backup /etc/selinux/targeted/modules/previous.
> semodule:  Failed!
> 
> With this AVC in audit.log :
> 
> type=AVC msg=audit(1145025496.481:18267): avc:  denied  { rmdir } for 
> pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

Looks like the type isn't getting preserved
on /etc/selinux/$SELINUXTYPE/modules/{active,previous} upon updates -
they are reverting from semanage_store_t to selinux_config_t (the type
on their parent directory).  We either need to put semanage_store_t
on /etc/selinux/$SELINUXTYPE/modules as well or we need to make
libsemanage preserve the types.

> 
> And the module is not loaded.
> Calling semodule outside the RPM scriptlet works fine.
> 
> Any idea ? Should I use another command ?
> 
> 
> Thanks,
> 
> Aurélien
-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
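
An added example, not part of the original message or of any project's code: a small parser for the AVC denial quoted above that extracts the source and target types and flags the case the reply describes, where semodule (semanage_t) is denied on a directory carrying selinux_config_t. The function names are hypothetical and the sample line is the quoted denial joined onto one line.

```python
import re

# Constructed sample: the denial quoted in the message, joined onto one line
# the way it would appear in audit.log.
SAMPLE_AVC = (
    'type=AVC msg=audit(1145025496.481:18267): avc:  denied  { rmdir } for '
    'pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868 '
    'scontext=user_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def store_label_lost(rec, parent_type='selinux_config_t'):
    """True when semodule was denied on a directory that carries the parent
    directory's type rather than semanage_store_t."""
    return (rec is not None
            and rec.get('comm') == 'semodule'
            and rec.get('tclass') == 'dir'
            and rec['scontext_type'] == 'semanage_t'
            and rec['tcontext_type'] == parent_type)


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec['perms'], rec['scontext_type'], '->', rec['tcontext_type'])
    print('policy store label lost:', store_label_lost(rec))
```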