Hi Louis,

do not lose your time with login.te module. It does not work, or at least it does not allow login. I could not fix the problem for myself but managed to find that my initial problem with firefox is still not solved in f7 even with the latest policy. So I am still looking for a solution of the firefox problem.

regards
Hal

--- Louis Lam <lshoujun@xxxxxxxxx> wrote:

> Hi Dan,
>
> For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've
> updated only the following rpms
>
> selinux-policy
> selinux-policy-devel
> selinux-policy-targeted
> selinux-policy-strict
>
> But I left the libselinux libraries alone since the rpm upgrade went through
> without complaints. I can't use YUM because my system is not directly
> connected to the internet.
>
> But I'm still faced with the problem of not being able to logon as root at
> runlevel 5, gui login. Do I still need the login.te module? Or is it
> advisable to upgrade the selinux libraries as well?
>
> Thanks,
> Louis
>
> --- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> > Louis Lam wrote:
> > > Hi Dan,
> > >
> > > I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm
> > > not too sure where to go and how to get the latest policy version. Do
> > > I take the latest policy version and remake the source RPM? Or are
> > > there pre-packaged rpms that I can use to upgrade?
> > >
> > You should be able to simply do a yum update.
> > > You didn't see this problem in RHEL 5? Do I need the local.te module
> > > if I use the "stock" RHEL 5? I tried switching to strict policy in
> > > RHEL 5 and cannot login with root. But I can log in as a normal user.
> > > Is it "normal" that this restriction be placed on root? Is the
> > > local.te trying to enable root login?
> > No this sounds like either a bug or a labeling problem in RHEL5. You
> > should be able to login as root. You might want to update to the U1
> > policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
> > >
> > > Thanks,
> > > Louis
> > >
> > > ----- Original Message ----
> > > From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> > > To: Louis Lam <lshoujun@xxxxxxxxx>
> > > Cc: shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx>; Hal <hal_bg@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx; cpebenito@xxxxxxxxxx
> > > Sent: Friday, August 10, 2007 11:17:42 PM
> > > Subject: Re: Strict policy on FC6 and F7
> > >
> > > Louis Lam wrote:
> > > > Hi,
> > > >
> > > > I'm still having problems compiling the local.te module. The problem
> > > > I'm facing seems to be different from Hal's:
> > > >
> > > > --------------------
> > > > local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
> > > > allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
> > > > #line 11
> > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > make: *** [tmp/local.mod] Error 1
> > > > ---------------------
> > > >
> > > > My local.te file looks like this:
> > > > -------------
> > > > policy_module(local,1.0)
> > > >
> > > > require {
> > > >
> > > > type local_login_t;
> > > > class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > > > }
> > > >
> > > > logging_send_audit_msg(local_login_t)
> > > > logging_set_loginuid(local_login_t)
> > > >
> > > > -------------
> > > >
> > > > Seems like the problem is with logging_set_loginuid macro. I'm not
> > > > sure how to solve this problem though.
> > > >
> > > > BTW here are some details on my environment:
> > > >
> > > > 1. I'm using the stock policy for FC7 2.6.4-8
> > > > 2. I did the compilation while running in targeted mode (will it affect?)
> > > > 3. The macro logging_set_loginuid is defined in the file
> > > > policy-20070501.patch
> > > >
> > > > Here is an extract of how logging_set_loginuid is defined in the patch:
> > > >
> > > > +########################################
> > > > +## <summary>
> > > > +## Set login uid
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +## <summary>
> > > > +## Domain allowed access.
> > > > +## </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`logging_set_loginuid',`
> > > > + gen_require(`
> > > > + attribute can_set_loginuid;
> > > > + attribute can_send_audit_msg;
> > > > + ')
> > > > +
> > > > + typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > > > +
> > > > + allow $1 self:capability audit_control;
> > > > + allow $1 self:netlink_audit_socket { create_socket_perms
> > > > nlmsg_read nlsms_relay };
> > > > +')
> > > >
> > > > Hope it helps in solving the problem...
> > > >
> > > > Thanks,
> > > > Louis
> > > I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
> > > using the latest policy?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
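
Review bot: The last allow rule of the quoted logging_set_loginuid interface names the permission nlsms_relay on self:netlink_audit_socket, and that is exactly the name checkmodule rejects in the error quoted earlier in the thread ("permission nlsms_relay is not defined for class netlink_audit_socket"). The require block in the posted local.te spells the permission nlmsg_relay, alongside nlmsg_read, so the name in this rule looks like a transposition and should read nlmsg_relay. Because the rule lives inside the interface, every module that calls logging_set_loginuid expands to the same undefined permission and fails to compile, whatever the caller's own require block declares.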