Hello,

Every time I need to make a local.te I always localize (read: make a new file, and extract the msg) the corresponding AVC denied messages to another log file, to be sure that I will get from audit2allow only those needed policies related to the localized AVC denied messages and not from the whole audit.log file.

You might try to use that practice.

--
Best regards,
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Hongwei Li
Sent: Saturday, May 20, 2006 1:13 AM
To: fedora-selinux-list@xxxxxxxxxx
Subject: Re: need help for local.te

> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy. Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is I need to re-do local.te from time to time, and whenever I run (after rebooting)

# audit2allow -M local < /var/log/audit/audit.log

the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just read. I believe that this is because I need to run the change_password plugin in squirrelmail. It is not a problem in fc4 selinux -- I run audit2allow to add an entry into local.te and run make load, then everything is working. But, in fc5, it is a problem. If I remove that line, then whenever I run the above command, it is automatically added. How to fix the problem?

Thanks!
Hongwei

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
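
A sketch of the practice Ketut describes, added here as an example and not part of the original thread: pull only the AVC denials for one source domain out of the audit log into their own stream before handing them to audit2allow. The function names, the optional excluded target type, the file name `httpd-avc.log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, file names and log lines are constructed.

# sample_log: a constructed slice of /var/log/audit/audit.log.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1148058780.101:40): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=1001 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1148058780.101:40): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1148058790.202:41): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=143 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1148058800.303:42): avc:  denied  { write } for  pid=1800 comm="named" name="named" dev=dm-0 ino=2002 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1148058810.404:43): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=1001 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# localize_avc SRC_TYPE [SKIP_TARGET_TYPE]
# Reads an audit log on stdin and prints only "avc: denied" records whose
# source context has type SRC_TYPE. If SKIP_TARGET_TYPE is given, denials
# against that target type are left out, so they never reach audit2allow.
localize_avc() {
    src_type=$1
    skip_type=${2:-}
    awk -v src="$src_type" -v skip="$skip_type" '
        $1 != "type=AVC" || !/avc: +denied/ { next }
        {
            s = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = $i
                if ($i ~ /^tcontext=/) t = $i
            }
            # A context is user:role:type[:level]; element 3 is the type.
            split(substr(s, 10), sc, ":")
            split(substr(t, 10), tc, ":")
            if (sc[3] != src) next
            if (skip != "" && tc[3] == skip) next
            print
        }'
}

# Demo: keep httpd_t denials only, leaving out the ones against shadow_t.
sample_log | localize_avc httpd_t shadow_t

# On a real host (audit2allow command as used in the thread):
#   localize_avc httpd_t < /var/log/audit/audit.log > httpd-avc.log
#   audit2allow -M local < httpd-avc.log
```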