Debian testing +selinux

"Justin Conover" <justin.conover@xxxxxxxxx> · Mon, 23 Jul 2007 09:09:03 -0500

I'm not sure if there is a regular selinux mailing list or not, I mainly use Fedora but thought someone here might be able to help.

I'm playing with selinux on Debian Testing and decided to try and write a policy from following the fc5 faq

http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

Here is what I have done:

comatose:~# sestatus
SELinux status:                 enabled

SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        refpolicy-targeted

comatose:~# audit2allow -m local -l -i /var/log/audit/audit.log > local.te
comatose:~# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
checkmodule:  policy configuration loaded

checkmodule:  writing binary representation (version 6) to local.mod
comatose:~# semodule_package -o local.pp -m local.mod
comatose:~# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow hald_t memory_device_t:chr_file { read };

libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

comatose:~# cat local.te

module local 1.0;

require {

        type unconfined_t;
        type lib_t;
        type xserver_log_t;
        type mount_t;
        type var_run_t;
        type syslogd_t;
        type etc_runtime_t;
        type initrc_t;

        type xdm_t;
        type udev_t;
        type device_t;
        type hald_t;
        type xdm_xserver_t;
        type memory_device_t;
        type insmod_t;
        type dhcpc_t;
        type var_t;

        type etc_t;
        type security_t;
        class fifo_file write;
        class process { execstack execmem signal };
        class unix_stream_socket { read write };
        class chr_file read;

        class fd use;
        class file { write rename getattr append read create unlink execute_no_trans };
        class filesystem getattr;
        class dir { write remove_name create add_name rmdir };

}

#============= dhcpc_t ==============
allow dhcpc_t etc_runtime_t:file unlink;

#============= hald_t ==============
allow hald_t memory_device_t:chr_file read;
allow hald_t var_t:file { read getattr };

#============= insmod_t ==============
allow insmod_t xdm_t:fd use;
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= mount_t ==============

allow mount_t security_t:filesystem getattr;

#============= syslogd_t ==============
allow syslogd_t device_t:fifo_file write;

#============= udev_t ==============
allow udev_t etc_t:dir { write remove_name add_name };

allow udev_t etc_t:file { write rename create unlink append };
allow udev_t initrc_t:process signal;
allow udev_t lib_t:file execute_no_trans;
allow udev_t var_run_t:dir { create rmdir };

#============= unconfined_t ==============

allow unconfined_t self:process { execstack execmem };

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list