selinux-policy-strict bug

selinux-policy-strict seems to fail to allow remote access to sshd on Fedora 7 (2.6.21-1.3194.fc7). I've installed Fedora 7 with all the package collections disabled for a minimal system in the installer, installed the necessary tools for SELinux and the strict policy, and enabled it. Installed sshd, touched /.autorelabel and rebooted (twice). When I enable enforcing mode and try to ssh from the LAN, I get AVC messages because of denied access ("permission denied" after entering the password on the client). I tried to make a module for allowing it, but I get assertions when installing the modules.

#######################################################

[root@area51 sshd]# cat MYsshd.te
module MYsshd 1.0;

require {
        type staff_t;
        type user_home_dir_t;
        type sshd_t;
        class file { write ioctl };
        class capability { audit_control audit_write };
        class netlink_audit_socket { create nlmsg_relay write read };
}

#============= sshd_t ==============
allow sshd_t self:capability { audit_control audit_write };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };

#============= staff_t =============
allow staff_t user_home_dir_t:file { write ioctl };

-------------------------------------------------------

[root@area51 sshd]# semodule -i MYsshd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

#######################################################

cat /var/log/messages | audit2allow -M MYautogen
semodule -i MYautogen.pp

-------------------------------------------------------

libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t security_t:security { load_policy };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { sys_module };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { read };
libsepol.check_assertions: 16 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
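The failures above are neverallow assertions: the base policy forbids those grants, so a local module cannot add them no matter how many times audit2allow regenerates it. A practical way to triage is to parse the libsepol output, see which domain/class/permission triples are blocked, and strip exactly those permissions from the .te so the remaining rules can still be installed while the blocked ones are reported separately. The script below is an added example, not code from the post or from the SELinux project; the sample .te and semodule output are constructed copies of what the post shows, and the function names are my own.

```python
"""Triage libsepol neverallow assertion violations against a local .te module.

A violated assertion means the base policy's neverallow rules forbid the grant;
a loadable module cannot override it. The right fix is usually correct file
labelling or a policy bug report, not a broader allow rule.
"""
import re
from collections import defaultdict

# Matches lines such as:
#   libsepol.check_assertion_helper: assertion on line 0 violated by
#       allow sshd_t sshd_t:capability { audit_write };
ASSERTION_RE = re.compile(
    r"assertion on line \d+ violated by allow (\S+) (\S+):(\S+) \{ ([^}]*) \}"
)
# Matches allow rules in a .te file, with either { a b } or a single permission.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;"
)


def parse_violations(semodule_output):
    """Return {(src, tgt, cls): set(perms)} from libsepol assertion messages."""
    out = defaultdict(set)
    for line in semodule_output.splitlines():
        m = ASSERTION_RE.search(line)
        if m:
            src, tgt, cls, perms = m.groups()
            out[(src, tgt, cls)].update(perms.split())
    return dict(out)


def by_domain(violations):
    """Group blocked grants by source domain as sorted 'class:perm' strings."""
    grouped = defaultdict(list)
    for (src, _tgt, cls), perms in violations.items():
        grouped[src].extend(f"{cls}:{p}" for p in perms)
    return {src: sorted(items) for src, items in grouped.items()}


def strip_violations(te_text, violations):
    """Remove blocked permissions from allow rules in a .te file.

    Returns (new_te_text, dropped) where dropped lists (src, tgt, cls, perm)
    tuples. libsepol prints 'self' targets expanded to the source type, so a
    'self' rule is matched against (src, src, cls).
    """
    kept, dropped = [], []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            kept.append(line)
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        real_tgt = src if tgt == "self" else tgt
        blocked = violations.get((src, real_tgt, cls), set())
        remaining = [p for p in perms if p not in blocked]
        dropped.extend((src, tgt, cls, p) for p in perms if p in blocked)
        if len(remaining) == len(perms):
            kept.append(line)          # untouched rule: keep the original text
        elif remaining:
            kept.append(f"allow {src} {tgt}:{cls} {{ {' '.join(remaining)} }};")
        # else: every permission in the rule is blocked; drop the rule entirely
    return "\n".join(kept) + "\n", dropped


# Constructed sample input, copied from the shapes shown in the post.
SAMPLE_TE = """module MYsshd 1.0;

require {
        type staff_t;
        type user_home_dir_t;
        type sshd_t;
        class file { write ioctl };
        class capability { audit_control audit_write };
        class netlink_audit_socket { create nlmsg_relay write read };
}

allow sshd_t self:capability { audit_control audit_write };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };
allow staff_t user_home_dir_t:file { write ioctl };
"""

SAMPLE_SEMODULE_OUTPUT = """\
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertions: 3 assertion violations occured
semodule:  Failed!
"""

if __name__ == "__main__":
    violations = parse_violations(SAMPLE_SEMODULE_OUTPUT)
    for domain, items in by_domain(violations).items():
        print(f"{domain}: blocked by neverallow -> {', '.join(items)}")
    new_te, dropped = strip_violations(SAMPLE_TE, violations)
    print(f"\ndropped {len(dropped)} permission(s); installable remainder:\n")
    print(new_te)
```

Run the remainder through checkmodule/semodule_package as usual; the dropped list is what to investigate (wrong labels, a missing boolean, or a bug against the policy package), since no local module will ever get those grants past the assertion check.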