Hi Dan,
I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm not too sure where to go and how to get the latest policy version. Do I take the latest policy version and remake the source RPM? Or are there pre-packaged RPMs that I can use to upgrade?
You didn't see this problem in RHEL 5? Do I need the local.te module if I use the "stock" RHEL 5? I tried switching to strict policy in RHEL 5 and cannot log in as root. But I can log in as a normal user. Is it "normal" that this restriction be placed on root? Is the local.te trying to enable root login?
Thanks,
Louis
----- Original Message -----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Louis Lam <lshoujun@xxxxxxxxx>
Cc: shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx>; Hal <hal_bg@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx; cpebenito@xxxxxxxxxx
Sent: Friday, August 10, 2007 11:17:42 PM
Subject: Re: Strict policy on FC6 and F7
Louis Lam wrote:
> Hi,
>
> I'm still having problems compiling the local.te module. The problem
> I'm facing seems to be different from Hal's:
>
> --------------------
> local.te:11:ERROR 'permission nlsms_relay is not defined for class
> netlink_audit_socket' at token '
> ;' on line 80809:
> allow local_login_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr
> append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
> ---------------------
>
> My local.te file looks like this:
> -------------
> policy_module(local,1.0)
>
> require {
>
> type local_login_t;
> class netlink_audit_socket { append bind connect shutdown
> ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> }
>
>
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> -------------
>
> Seems like the problem is with logging_set_loginuid macro. I'm not
> sure how to solve this problem though.
>
> BTW here are some details on my environment:
>
> 1. I'm using the stock policy for FC7 2.6.4-8
> 2. I did the compilation while running in targeted mode (will it affect?)
> 3. The macro logging_set_loginuid is defined in the file
> policy-20070501.patch
>
> Here is an extract of how logging_set_loginuid is defined in the patch:
>
> +########################################
> +## <summary>
> +## Set login uid
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_set_loginuid',`
> + gen_require(`
> + attribute can_set_loginuid;
> + attribute can_send_audit_msg;
> + ')
> +
> + typeattribute $1 can_set_loginuid, can_send_audit_msg;
> +
> + allow $1 self:capability audit_control;
> + allow $1 self:netlink_audit_socket { create_socket_perms
> nlmsg_read nlsms_relay };
> +')
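Review bot: the final rule of this interface, `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };`, spells the permission `nlsms_relay`, which is exactly the name the checkmodule error above reports as not defined for class netlink_audit_socket, while the require block in local.te declares the permission as `nlmsg_relay`; this looks like a typo in the patch and should read `nlmsg_relay`. Because the undefined name comes from the interface expansion rather than from local.te, the require block cannot work around it: every module that calls logging_set_loginuid will fail to compile until the interface itself is corrected.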
>
> Hope it helps in solving the problem...
>
> Thanks,
> Louis
I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
using the latest policy?
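As an added illustration (not code from this thread or from the policy package), a small Python check that parses the expanded allow rule checkmodule printed above and compares its permissions against the netlink_audit_socket permission set declared in the quoted require block; the permission set and rule text are copied from those listings, and the closest-match hint is this script's own addition.

```python
"""Check an SELinux 'allow' rule's permissions against a class's declared
permission set, to catch a misspelling like 'nlsms_relay' before checkmodule does."""
import difflib
import re

# Permission set for netlink_audit_socket, taken from the require block of the
# local.te quoted in the thread (constructed sample input for this check).
NETLINK_AUDIT_SOCKET_PERMS = {
    "append", "bind", "connect", "shutdown", "ioctl", "getattr", "setattr",
    "getopt", "setopt", "write", "nlmsg_relay", "nlmsg_read", "create", "read",
}

# The expanded rule as checkmodule printed it in the error message above
# (constructed sample input, copied from the quoted output).
EXPANDED_RULE = """allow local_login_t self:netlink_audit_socket { { create {
ioctl read getattr write setattr
append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };"""

RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\w+)\s+(.*?)\s*;\s*$", re.S)


def parse_allow(rule):
    """Return (source, target, class, set_of_perms). Nested braces, which
    checkmodule produces when it expands permission macros, are flattened."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not an allow rule")
    src, tgt, cls, perms = m.groups()
    flat = re.sub(r"[{}]", " ", perms)  # braces only group names; drop them
    return src, tgt, cls, set(flat.split())


def undefined_perms(rule, declared):
    """Map each permission not in `declared` to the closest declared name
    (or None when nothing is similar enough), so typos are easy to spot."""
    _, _, _, perms = parse_allow(rule)
    report = {}
    for p in sorted(perms - declared):
        close = difflib.get_close_matches(p, declared, n=1)
        report[p] = close[0] if close else None
    return report


if __name__ == "__main__":
    for bad, hint in undefined_perms(EXPANDED_RULE, NETLINK_AUDIT_SOCKET_PERMS).items():
        msg = f"{bad}: not defined for class netlink_audit_socket"
        print(msg + (f" (did you mean {hint}?)" if hint else ""))
```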
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list