RE: need help for local.te

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Everytime I need to make a local.te I always localized (read: make new file,
and extract the msg) the corresponding AVC denied messages to another log
file to be sure that I will get from audit2allow only those needed policies
related to the localized AVC denied message and not from the whole audit.log
file.

You might try to use that practice.

-- 
Best regards,
 
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"
 

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx
[mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Hongwei Li
Sent: Saturday, May 20, 2006 1:13 AM
To: fedora-selinux-list@xxxxxxxxxx
Subject: Re: need help for local.te

> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy.  Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit
rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is I need to re-do for local.te from time to time, and whenver I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just
read.
 I believe that this is because I need to run change_password plugin in
squirrelmail.  It is not a problem in fc4 selinux -- I run audit2allow to
add
entry into local.te and run make load, then everything is working.  But, in
fc5, it is a problem.  If I remove that line, then whenever I run the above
command, it is automatically added.

How to fix the problem?

Thanks!

Hongwei


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux