Hi,
I'm still having problems compiling the local.te module. The problem I'm facing seems to be different from Hal's:
--------------------
local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
---------------------
My local.te file looks like this:
-------------
policy_module(local,1.0)
require {
	type local_login_t;
	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
-------------
Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.
BTW here are some details on my environment:
1. I'm using the stock policy for FC7 2.6.4-8
2. I did the compilation while running in targeted mode (will it affect?)
3. The macro logging_set_loginuid is defined in the file policy-20070501.patch
Here is an extract of how logging_set_loginuid is defined in the patch:
+########################################
+## <summary>
+## Set login uid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+ gen_require(`
+ attribute can_set_loginuid;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
+')
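Review bot: On the final allow line of the interface, the netlink_audit_socket permission is spelled nlsms_relay, which is exactly the name checkmodule rejects in the error quoted above ('permission nlsms_relay is not defined for class netlink_audit_socket'). The require block in local.te declares nlmsg_relay for the same class, so this looks like a transposition in the patch and the permission should read nlmsg_relay. Any module that calls logging_set_loginuid will fail to compile until the interface itself is corrected; nothing in local.te can work around it.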
Hope it helps in solving the problem...
Thanks,
Louis
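
Added example, not part of the original thread: a small Python check that compares the permissions in the expanded allow rule from the checkmodule error against the permissions declared for that class in the require block of local.te, and suggests the closest declared name. Both input strings are copied from the message above; the function names are made up for this illustration.

```python
import difflib
import re

# Class declaration from the require block of local.te (copied from the post).
REQUIRE_BLOCK = """
class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
"""

# Expanded rule printed by checkmodule in the error output (copied from the post).
EXPANDED_RULE = """
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
"""

CLASS_RE = re.compile(r"class\s+(\w+)\s*\{([^}]*)\}")
ALLOW_RE = re.compile(r"allow\s+\S+\s+\S+:(\w+)\s+(\{.*\}|\w+)\s*;")


def declared_permissions(require_text):
    """Map each class named in a require block to its declared permission set."""
    return {m.group(1): set(m.group(2).split()) for m in CLASS_RE.finditer(require_text)}


def rule_permissions(rule_text):
    """Yield (class, permissions) per allow rule; nested m4 braces are flattened."""
    for m in ALLOW_RE.finditer(rule_text):
        yield m.group(1), re.sub(r"[{}]", " ", m.group(2)).split()


def undefined_permissions(require_text, rule_text):
    """Return (class, permission, closest declared name or None) for unknown permissions."""
    declared = declared_permissions(require_text)
    findings = []
    for cls, perms in rule_permissions(rule_text):
        known = declared.get(cls, set())
        for perm in perms:
            if perm not in known:
                guess = difflib.get_close_matches(perm, sorted(known), n=1)
                findings.append((cls, perm, guess[0] if guess else None))
    return findings


if __name__ == "__main__":
    for cls, perm, guess in undefined_permissions(REQUIRE_BLOCK, EXPANDED_RULE):
        print(f"{cls}: '{perm}' is not declared; closest declared permission: {guess}")
```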
----- Original Message ----
From: shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx>
To: Hal <hal_bg@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx; cpebenito@xxxxxxxxxx
Sent: Wednesday, August 8, 2007 5:55:49 PM
Subject: Re: Strict policy on FC6 and F7
I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.
On Wed, 2007-08-08 at 14:43 -0700, Hal wrote:
> Authentication failed again:(
> but meanwhile I have checked firefox on strict policy on FC7 it does not work.
>
> --- shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx> wrote:
>
> > On Wed, 2007-08-08 at 13:32 -0700, Hal wrote:
> > > Well
> > > I managed to compile the module, but
> > > it does not work for me.
> > > Compiled,loaded,set enforcing and: "authentication failed" again.
> > >
> > > I do not know if I am stupid, but I cannot get along with this SELinux...
> >
> > >
> > > Does this module work for you guys????
> > >
> > > hal
> > >
> > > --- "Christopher J. PeBenito" <cpebenito@xxxxxxxxxx> wrote:
> > >
> > > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > > I have tried with
> > > > > logging_send_audit_msgs(local_login_t)
> > > > >
> > > > > But still:
> > > > > [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > > > > Compiling strict local module
> > > > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > > > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
> > > > > #line 9
> > > > > allow local_login_t self:capability audit_write;
> > Because we did not write
> >
> > class capability { audit_write };
> >
> > in require brace.
> >
> > write it and try again.
> > Did you make it?
> >
> >
> > As a matter of fact, I have another problem on strict policy.
> > I ended up breaking F7 altogether eliminating libselinux with --nodeps.
> > Now I'm trying to upgrade FC6 to F7.
> > You can upgrade FC6 to F7, if you are tired of your process on F7.
> > Do not stop trying strict policy. Never surrender.
> > It's rewarding, and SELinux guys will guide you to the right place.
> >
> >
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make: *** [tmp/local.mod] Error 1
> > > > >
> > > > > I really have no idea what all this means.
> > > > > there is nowhere "allow" in local.te. if it is in this macros at the end...
> > > > > Do I need to install the policy source and edit it?
> > > >
> > > > It is in the interface. You need to change this:
> > > >
> > > > > > > module local 1.0;
> > > >
> > > > to this:
> > > >
> > > > policy_module(local,1.0)
> > > >
> > > > It will automatically require all of the kernel object classes.
> > > >
> > > > --
> > > > Chris PeBenito
> > > > Tresys Technology, LLC
> > > > (410) 290-1411 x150
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list