Sorry I didn't make myself clear ... enough. I thought if I want to build and load my own policy successfully, I should "feel" and confirm that the build path works on my box in advance. I shall have a valid .te file, and with that, I can compile/load it without errors and see it working correctly. That's why I started with audit2allow; it's merely a test for me. =)

As for the warning, yes, I did see my module installed through semodule -l. However, why the warning? It's fc5 on my box, not Debian, so surely I don't have dpkg installed. Besides, I checked with semodule and didn't see dpkg. It's so weird to see a warning about something I don't have.

By the way, thank you so much for clarifying my problems. =)

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Thursday, September 21, 2006 5:28 AM
To: Benjamin Tsai
Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua Brindle; fedora-selinux-list@xxxxxxxxxx
Subject: RE: How to apply new policy exactly?

On Wed, 2006-09-20 at 11:06 +0800, Benjamin Tsai wrote:
> Thank you for the reply, I'm now a bit closer to the right track. :)
>
> To work the build path around, I start with "audit2allow."
> With my box installed with selinux-policy-strict-2.3.7-2.fc5 and turned
> selinux mode to "permissive," I run audit2allow as follows:

Hmmm...I'm confused again. I thought you said that you didn't want strict policy per se, just policy for your own daemon. Did you change your mind? Just want to be clear on your goals.

If you want strict, then the next question is whether that fc5 strict policy package actually works. Dan or Karl? Last I looked, fc5 didn't have a libsepol/checkpolicy combo that included the final optionals-in-base fixes, and thus the modularized strict policy was broken there.
> #audit2allow -m dmesg -d > dmesg.te
> #checkmodule -M -m -o dmesg.mod dmesg.te
> #semodule_package -o dmesg.pp -m dmesg.mod
> #semodule -I dmesg.pp
>
> Then I had the following errors:
>
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and
> system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
> specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0
> and system_u:object_r:apt_exec_t:s0).
>
> I googled out your reply on the same errors in 2004 and it says:
> "You shouldn't enable both rpm.te and dpkg.te in the same policy; they
> conflict."
>
> Without policy source, how can I disable either rpm.te or dpkg.te?
> Besides, I tried to mark rules related to rpm in my .te file, but it
> didn't fix the problem.

First, those are just warnings, not fatal errors, and they aren't likely relevant to you.

Second, if rpm and dpkg were built modular, then you should just be able to semodule -r them, e.g.
	semodule -r dpkg
I don't think you want to disable rpm on a fedora system ;)

Third, your dmesg module has lots of rules that I don't think you really want to allow, so you need to prune out most of it. Looks like you were trying to do privileged operations as a staff_r user rather than first newrole'ing to sysadm_r, and like you didn't restorecon your home directory after setting up your role for staff_r so that it had the right type (staff_home_* instead of user_home_*).

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
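The pruning step Stephen recommends, as an added example that is not part of this thread or of any SELinux tool: a small Python script that reads an audit2allow-style .te module, keeps only the allow rules whose source is the daemon's own domain (dmesg_t here), optionally drops any rule touching types you name (rpm_exec_t, apt_exec_t), and regenerates the require block so it lists only what the surviving rules still reference. The SAMPLE_TE text is constructed to look like what audit2allow emits after doing privileged work from staff_r; the type and class names are assumptions for illustration, not taken from any real module. The build_and_load helper only wraps the three build commands from the thread (with semodule's lowercase -i) and refuses to run where the tools are absent.

```python
"""Prune an audit2allow-generated .te module before building it.

Added example. SAMPLE_TE is constructed: a few rules for the daemon
domain (dmesg_t) buried among rules that would really grant staff_t new
access. Type and class names are illustrative; the rule syntax is the
only thing the parser depends on.
"""
import re
import shutil
import subprocess

SAMPLE_TE = """\
module dmesg 1.0;

require {
    type staff_t;
    type dmesg_t;
    type kernel_t;
    type user_devpts_t;
    type rpm_exec_t;
    type apt_exec_t;
    class capability { sys_admin };
    class file { read getattr execute };
    class chr_file { read write getattr };
    class system { syslog_read };
}

allow staff_t dmesg_t:file { read getattr execute };
allow dmesg_t kernel_t:system syslog_read;
allow dmesg_t user_devpts_t:chr_file { read write getattr };
allow staff_t rpm_exec_t:file { read execute };
allow staff_t apt_exec_t:file { read execute };
allow staff_t self:capability sys_admin;
"""

# allow <source> <target>:<class> <perm | { perms }>;
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;"
)


def parse_te(text):
    """Return (module line, list of allow rules) from .te text.

    Each rule is a dict with source, target, tclass and a set of perms.
    The require block is ignored: render_te() rebuilds it from whatever
    rules survive pruning, so it never lists types no longer used.
    """
    module_line, rules = None, []
    for line in text.splitlines():
        if line.startswith("module "):
            module_line = line.strip()
            continue
        m = RULE_RE.match(line)
        if m:
            src, tgt, tclass, perms = m.groups()
            rules.append({"source": src, "target": tgt, "tclass": tclass,
                          "perms": set(perms.strip("{} ").split())})
    return module_line, rules


def prune_rules(rules, keep_sources, drop_types=()):
    """Keep rules whose source domain is one this module should confine,
    and drop any rule that touches a type on the deny list."""
    return [r for r in rules
            if r["source"] in keep_sources
            and r["source"] not in drop_types
            and r["target"] not in drop_types]


def render_te(module_line, rules):
    """Emit a .te module whose require block matches the rules exactly."""
    types, classes = set(), {}
    for r in rules:
        types.add(r["source"])
        if r["target"] != "self":       # "self" is a keyword, not a type
            types.add(r["target"])
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    out = [module_line, "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for r in rules:
        perms = sorted(r["perms"])
        ptxt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {r['source']} {r['target']}:{r['tclass']} {ptxt};")
    return "\n".join(out) + "\n"


def build_commands(name):
    """The build path from the thread (semodule takes lowercase -i)."""
    return [
        ["checkmodule", "-M", "-m", "-o", f"{name}.mod", f"{name}.te"],
        ["semodule_package", "-o", f"{name}.pp", "-m", f"{name}.mod"],
        ["semodule", "-i", f"{name}.pp"],
    ]


def build_and_load(name):
    """Run the build path; needs the SELinux userspace tools and root."""
    if shutil.which("checkmodule") is None:
        raise RuntimeError("checkmodule not found; SELinux tools not installed")
    for cmd in build_commands(name):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    header, rules = parse_te(SAMPLE_TE)
    kept = prune_rules(rules, keep_sources={"dmesg_t"},
                       drop_types={"rpm_exec_t", "apt_exec_t"})
    print(render_te(header, kept))
```

Running it prints a module containing only the two dmesg_t rules and a require block for dmesg_t, kernel_t, user_devpts_t and the two classes they use; the staff_t rules (the ones that came from working as staff_r instead of newrole'ing to sysadm_r) are gone. Write that output to dmesg.te, read it once more, then build_and_load("dmesg") as root and confirm with semodule -l.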