I have tried with

logging_send_audit_msgs(local_login_t)

But still:

[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1

I really have no idea what all this means. There is nowhere "allow" in local.te. If it is in these macros at the end... Do I need to install the policy source and edit it?

However, I am more interested in solving the Firefox problem on fc6. On the other hand I do not understand how login can be disabled in the strict policy in F7. Is this a bug or a feature? I am really confused.

--- shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx> wrote:

> Ooops
> This seems to be the same problem as Hal has.
>
> My suggestion is, do not use allow sentence, but
> use interface.
> Please read Hal and I might solve this problem.
> Comment out those lines same as interface says.
> I mean,
>
> #allow local_login_t ...
>
> You can do it!
> Because I already solved it.
>
>
> On 2007-08-08 (Wed) at 02:11 -0700, Louis Lam wrote:
> > Hi,
> >
> > I'm trying to enable strict policy on fc7, need to do this too. But I
> > got this error when I tried to compile the module
> >
> > [root@localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp
> > Compiling targeted local module
> > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642:
> > #line 10
> > allow local_login_t self:capability audit_write;
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/local.mod] Error 1
> >
> > Thanks & Rgds,
> > Louis
> >
> > ----- Original Message ----
> > From: shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx>
> > To: Hal <hal_bg@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
> > Sent: Tuesday, August 7, 2007 5:27:16 PM
> > Subject: Re: Strict policy on FC6 and F7
> >
> > On 2007-08-07 (Tue) at 09:48 -0700, Hal wrote:
> > > Hello
> > >
> > > After a problem with the strict policy in FC6: firefox does not start under
> > > strict policy. No messages at all. I decided to check if firefox under strict
> > > policy on F7 works.
> > > I have installed F7 and enabled strict policy. But from now on I can no longer
> > > login if enforcing is on. When I enter username and password I get
> > > permission denied even for root in GDM. In console I just get new "username"
> > > prompt.
> > >
> > > I do not understand why firefox does not start in fc6 and
> > > I cannot log in on F7 under strict policy?
> > >
> > > What might be wrong?
> > >
> > Because, now you're in enforcing mode,
> > please disable SELinux and login.
> > Install devel policy.
> >
> > #yum install selinux-policy-devel
> >
> > Please install this module.
> >
> > #vim local.te
> >
> > module local 1.0;
> >
> > require {
> >         type local_login_t;
> >         class netlink_audit_socket { append bind connect shutdown ioctl getattr
> >         setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > }
> >
> > logging_send_audit_msg(local_login_t)
> > logging_set_loginuid(local_login_t)
> >
> > #make -f /usr/share/selinux/devel/Makefile local.pp
> > #semodule -i local.pp
> > #semodule -l|grep local
> >
> > Set SELinux enforcing.
> >
> > Did it work?
> >
> > > Hal
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
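
Added example, not part of any message in this thread: checkmodule reports 'unknown class capability used in rule' because the logging interface expands to an allow rule on class capability, which the module's require block never declares. The Python sketch below reproduces that check over a constructed copy of the expanded module; the function names and the second allow rule are assumptions made for illustration.

```python
import re

# Constructed sample: the require block from the thread's local.te, followed by
# the rule checkmodule printed after m4 expanded the logging interface, plus
# one constructed rule on the class that *is* declared.
EXPANDED_TE = """\
module local 1.0;
require {
    type local_login_t;
    class netlink_audit_socket { append bind connect shutdown ioctl getattr
        setattr getopt setopt write nlmsg_relay nlmsg_read create read };
}
#line 9
allow local_login_t self:capability audit_write;
allow local_login_t self:netlink_audit_socket { create nlmsg_relay };
"""

PERMS = r"(\{[^}]*\}|\w+)"
# In a loadable module, class statements appear only inside require blocks.
CLASS_DECL = re.compile(r"\bclass\s+(\w+)\s+" + PERMS + r"\s*;")
# Simplification: single source and target type, no type sets.
ALLOW_RULE = re.compile(r"\ballow\s+\S+\s+\S+?:(\w+)\s+" + PERMS + r"\s*;")

def _perm_set(text):
    """Turn 'perm' or '{ perm perm }' into a set of permission names."""
    return set(re.findall(r"\w+", text))

def declared_perms(policy):
    """Map each required class to the permissions declared for it."""
    declared = {}
    for cls, perms in CLASS_DECL.findall(policy):
        declared.setdefault(cls, set()).update(_perm_set(perms))
    return declared

def undeclared(policy):
    """Return sorted (class, permission) pairs used by allow rules but
    missing from the require block, which checkmodule treats as unknown."""
    policy = re.sub(r"#.*", "", policy)  # drop comments and #line markers
    declared = declared_perms(policy)
    missing = set()
    for cls, perms in ALLOW_RULE.findall(policy):
        missing.update((cls, p) for p in _perm_set(perms) - declared.get(cls, set()))
    return sorted(missing)

if __name__ == "__main__":
    for cls, perm in undeclared(EXPANDED_TE):
        print(f"require block lacks: class {cls} {perm};")
```

Adding `class capability audit_write;` to the require block clears the finding; starting the module with the policy_module() macro from the devel headers, which requires the kernel classes for you, is the other common way to satisfy checkmodule.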