Re: Strict policy on FC6 and F7

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Louis Lam wrote:
> Hi Dan,
>
> For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the
> following rpms
>
> selinux-policy
> selinux-policy-devel
> selinux-policy-targeted
> selinux-policy-strict
>
> But I left the libselinux libraries alone since the rpm upgrade went through without complains. I
> can't use YUM because my system is not directly connected to the internet.
>
> But I'm still faced with the problem of not being able to logon as root at runlevel 5, gui login.
> Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well?
>
>   
What error are you seeing at the gui login?
> Thanks,
> Louis
>
> --- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>   
> > Louis Lam wrote:
> >     
> > > Hi Dan,
> > >
> > > I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm 
> > > not too sure where to go and how to get the latest policy version. Do 
> > > i take the latest policy version and remake the source RPM? Or are 
> > > there pre-packaged rpms that I can use to upgrade?
> > >
> > >       
> > You should be able to simply do a yum update.
> >     
> > > You didn't see this problem in RHEL 5? Do i need the local.te module 
> > > if I use the "stock" RHEL 5? I tried switching to strict policy in 
> > > RHEL 5 and cannot login with root. But I can log in as a normal user. 
> > > Is it "normal" that this restriction be placed on root? Is the 
> > > local.te trying to enable root login?
> > >       
> > No this sounds like either a bug or a labeling problem in RHEL5.  You 
> > should be able to login as root.  You might want to update to the U1 
> > policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
> >     
> > > Thanks,
> > > Louis
> > >
> > > ----- Original Message ----
> > > From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> > > To: Louis Lam <lshoujun@xxxxxxxxx>
> > > Cc: shintaro_fujiwara <shin216@xxxxxxxxxxxxxxxx>; Hal 
> > > <hal_bg@xxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx; cpebenito@xxxxxxxxxx
> > > Sent: Friday, August 10, 2007 11:17:42 PM
> > > Subject: Re: Strict policy on FC6 and F7
> > >
> > > Louis Lam wrote:
> > >       
> > > > Hi,
> > > >
> > > > I'm still having problems compiling the local.te module. The problem
> > > > i'm facing seems to be different from Hal's:
> > > >
> > > > --------------------
> > > > local.te:11:ERROR 'permission nlsms_relay is not defined for class
> > > > netlink_audit_socket' at token '
> > > > ;' on line 80809:
> > > >         allow local_login_t self:netlink_audit_socket { { create {
> > > > ioctl read getattr write setattr
> > > >  append bind connect getopt setopt shutdown } } nlmsg_read 
> > > >         
> > > nlsms_relay };
> > >       
> > > > #line 11
> > > > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > > > make: *** [tmp/local.mod] Error 1
> > > > ---------------------
> > > >
> > > > My local.te file looks like this:
> > > > -------------
> > > > policy_module(local,1.0)
> > > >
> > > > require {
> > > >
> > > >         type local_login_t;
> > > >         class netlink_audit_socket { append bind connect shutdown
> > > > ioctl getattr setattr shutdown ge
> > > > topt setopt write nlmsg_relay nlmsg_read create read };
> > > > }
> > > >
> > > >
> > > > logging_send_audit_msg(local_login_t)
> > > > logging_set_loginuid(local_login_t)
> > > >
> > > > -------------
> > > >
> > > > Seems like the problem is with logging_set_loginuid macro. I'm not
> > > > sure how to solve this problem though.
> > > >
> > > > BTW here are some details on my environment:
> > > >
> > > > 1. I'm using the stock policy for FC7 2.6.4-8
> > > > 2. I did the compilation while running in targeted mode (will it 
> > > >         
> > > affect?)
> > >       
> > > > 3. The macro logging_set_loginuid is defined in the file
> > > > policy-20070501.patch
> > > >
> > > > Here is an extract of how logging_set_loginuid is defined in the patch :
> > > >
> > > > +########################################
> > > > +## <summary>
> > > > +##     Set login uid
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +##     <summary>
> > > > +##     Domain allowed access.
> > > > +##     </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`logging_set_loginuid',`
> > > > +       gen_require(`
> > > > +               attribute can_set_loginuid;
> > > > +               attribute can_send_audit_msg;
> > > > +       ')
> > > > +
> > > > +       typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > > > +
> > > > +       allow $1 self:capability audit_control;
> > > > +       allow $1 self:netlink_audit_socket { create_socket_perms
> > > > nlmsg_read nlsms_relay };
> > > > +')
> > > >
> > > > Hope it helps in solving the problem...
> > > >
> > > > Thanks,
> > > > Louis
> > > >         
> > > I am not seeing this in RHEL5, FC6, F7 or F8.  So are you sure you are
> > > using the latest policy?
> > >
> > >
> > > Send instant messages to your online friends 
> > > http://uk.messenger.yahoo.com 
> > >       
> >     
>
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com 
>   

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list