shintaro_fujiwara wrote:
I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.
On 2007-08-08 (Wed) at 14:43 -0700, Hal wrote:
Authentication failed again:(
But meanwhile I have checked Firefox on strict policy on FC7; it does not work.
--- shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx> wrote:
On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
Well
I managed to compile the module, but
it does not work for me.
Compiled, loaded, set enforcing and: "authentication failed" again.
I do not know if I am stupid, but I cannot get along with this SELinux...
Does this module work for you guys????
hal
--- "Christopher J. PeBenito" <cpebenito@xxxxxxxxxx> wrote:
On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
I have tried with
logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
Because we did not write
class capability { audit_write };
in require brace.
Write it and try again.
Did you make it?
As a matter of fact, I have another problem on strict policy.
I ended up breaking F7 altogether eliminating libselinux with --nodeps.
Now I'm trying to upgrade FC6 to F7.
You can upgrade FC6 to F7, if you are tired of your process on F7.
Do not stop trying strict policy. Never surrender.
It's rewarding, and SELinux guys will guide you to the right place.
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I really have no idea what all this means.
There is no "allow" anywhere in local.te. If it is in this macro at the end...
Do I need to install the policy source and edit it?
It is in the interface. You need to change this:
module local 1.0;
to this:
policy_module(local,1.0)
It will automatically require all of the kernel object classes.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I am not sure what is broken on Firefox on Strict policy as of Fedora
7. I have begun the merge of strict and targeted in rawhide Fedora Core
8/Test1. I have done some rewriting of the Mozilla/Firefox policy.
There were several problems in the existing policy and several problems
in the way the OS is designed. Mainly these dealt with the use of the
/tmp file system by gnome.
I have rewritten the mozilla policy to use one of three booleans.
firefox no network access (r/only)
Firefox with network access (R/O on homedir)
Firefox with network access (r/w on homedir)
firefox currently transitions from the user domain to
userdomain_mozilla_t. So for example
user_t -> user_mozilla_t. But I am allowing firefox to r/w user_tmp_t
as well as user_mozilla_tmp_t.
This allows firefox to interact with X sockets, gdm_files, iceauth
files, orbitz files. Trying to lock this down does not work.
So if you want to use a locked down firefox, I would recommend looking
at Fedora 8 Test1, and setting up an xguest user.
xguest users can only access the web via firefox and are totally locked
down.
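
The checkmodule error quoted earlier in this thread comes from a rule that uses an object class the module never declared in a `require` block. As an added example (not code from the thread or from the SELinux project), the Python below runs that same scope check over m4-expanded module text such as tmp/local.tmp; the function names and the sample policy text are constructed for illustration.

```python
import re

# Rules that name an object class and permissions (expanded policy text only).
RULE = re.compile(r"\b(?:allow|auditallow|dontaudit)\s+[^:;]+:\s*"
                  r"(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)\s*;")
CLASS_DECL = re.compile(r"\bclass\s+(\w+)\s*(\{[^}]*\}|\w+)\s*;")

def names(token):
    """'{ a b }' or 'a' -> set of identifiers."""
    return set(token.strip("{} \t\n").split())

def required_classes(text):
    """Map class -> permissions declared inside every require { ... } block."""
    declared = {}
    for m in re.finditer(r"\brequire\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        for c in CLASS_DECL.finditer(text[m.end():i]):
            declared.setdefault(c.group(1), set()).update(names(c.group(2)))
    return declared

def undeclared(text):
    """Return (line, message) for each class or permission used but not required."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments and #line markers, keep newlines
    declared = required_classes(text)
    problems = []
    for m in RULE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for cls in sorted(names(m.group(1))):
            if cls not in declared:
                problems.append((line, f"unknown class {cls} used in rule"))
                continue
            # Message wording here is this example's own, not checkmodule's.
            for perm in sorted(names(m.group(2)) - declared[cls]):
                problems.append((line, f"permission {perm} of class {cls} not required"))
    return problems

# Constructed sample: expanded text of a module that lacks the class declaration.
BROKEN = """module local 1.0;
require {
\ttype local_login_t;
}
#line 9
allow local_login_t self:capability audit_write;
"""
FIXED = BROKEN.replace("}", "\tclass capability { audit_write };\n}")

if __name__ == "__main__":
    print(undeclared(BROKEN))
    print(undeclared(FIXED))
```
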