On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
> Hi,
>
> I need help about local.te. My system:
>
> kernel: 2.6.16-1.2111_FC5smp
> selinux-policy-targeted: 2.2.38-1.fc5
> audit: 1.1.5-1
> sendmail: 8.13.6-0.FC5.1
> squirrelmail: 1.4.6-5.fc5
>
> When I try to create an email folder in squirrelmail, I got Error. So, I run
> the following to create my local.te and add my module. Here are what I run
> and get:
>
> # audit2allow -M local < /var/log/audit/audit.log
> Generating type enforcment file: local.te
> Compiling policy
> checkmodule -M -m -o local.mod local.te
> semodule_package -o local.pp -m local.mod
>
> ******************** IMPORTANT ***********************
>
> In order to load this newly created policy package into the kernel,
> you are required to execute
>
> semodule -i local.pp
>
> # ls -l
> total 40
> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
> -rw-r--r-- 1 root root 733 May 19 09:46 local.te
>
> # semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> How to solve the problem?
>
> Thanks!

This means that your local.te file includes a rule that allows httpd to
read your /etc/shadow file, and this violates an assertion in the base
policy. Review your local.te file, prune entries that are not
legitimate, and rebuild the .mod and .pp files, e.g.

# vi local.te  # edit out bogus entries or replace them with dontaudit rules
# checkmodule -m -M -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp

-- 
Stephen Smalley
National Security Agency
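
One way to do the review step from the reply, as an added example that is not part of the original thread: a Python helper that finds `allow` rules in a local.te whose target is `shadow_t` (the type named in the assertion error) and rewrites them as `dontaudit` rules before the module is rebuilt. The sample policy text, the `SENSITIVE_TARGETS` set and the `review_te` name are constructed for illustration; only single-type rules of the form audit2allow emits are handled.

```python
import re

# Target types that should never be granted through an audit2allow module.
# shadow_t is the type from the assertion error in the thread; the set itself
# is an assumption to extend for your own policy.
SENSITIVE_TARGETS = {"shadow_t"}

# Matches: allow <source> <target>:<class> <perm> | { perm ... };
RULE_RE = re.compile(
    r"^(?P<indent>\s*)allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\w+)\s*;"
)

def review_te(text, sensitive=SENSITIVE_TARGETS):
    """Return (rewritten_text, findings) for the contents of a .te file.

    Each finding is (line_number, source, target, class, [permissions]).
    Flagged allow rules become dontaudit rules; every other line is kept
    unchanged and still needs a human to judge whether it is legitimate.
    """
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m and m.group("tgt") in sensitive:
            perms = m.group("perms").strip("{} ").split()
            findings.append((lineno, m.group("src"), m.group("tgt"),
                             m.group("cls"), perms))
            rest = line[m.end("indent") + len("allow"):]
            line = m.group("indent") + "dontaudit" + rest
        out.append(line)
    return "\n".join(out) + "\n", findings

# Constructed sample, shaped like audit2allow -M output (not the poster's file).
SAMPLE_TE = """\
module local 1.0;

require {
	type httpd_t;
	type shadow_t;
	type httpd_sys_content_t;
	class file { read write };
}

allow httpd_t shadow_t:file { read };
allow httpd_t httpd_sys_content_t:file write;
"""

if __name__ == "__main__":
    new_text, found = review_te(SAMPLE_TE)
    for lineno, src, tgt, cls, perms in found:
        print(f"line {lineno}: {src} -> {tgt}:{cls} {perms} changed to dontaudit")
    print(new_text, end="")
```

Write the rewritten text back to local.te, then rerun the `checkmodule`, `semodule_package` and `semodule -i` commands from the reply.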