RE: two new questions (sort of)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2008-01-09 at 11:09 -0800, Clarkson, Mike R (US SSA) wrote:
> 
> > -----Original Message-----
> > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> > Sent: Wednesday, January 09, 2008 10:15 AM
> > To: Clarkson, Mike R (US SSA)
> > Cc: Eric Paris; Daniel J Walsh; fedora-selinux-list@xxxxxxxxxx
> > Subject: RE: two new questions (sort of)
> > 
> > 
> > On Wed, 2008-01-09 at 09:27 -0800, Clarkson, Mike R (US SSA) wrote:
> > > I'll file a bug.
> > >
> > > Here is what I did:
> > >
> > > # semodule -b /usr/share/selinux/mls/enableaudit.pp
> > > libsepol.scope_copy_callback: acct: Duplicate declaration in module:
> > > type/attribute acct_t
> > > libsemanage.semanage_link_sandbox: Link packages failed
> > > semodule:  Failed!
> > > # semodule -r acct
> > > # semodule -b /usr/share/selinux/mls/enableaudit.pp
> > > libsepol.scope_copy_callback: aide: Duplicate declaration in module:
> > > type/attribute aide_t
> > > libsemanage.semanage_link_sandbox: Link packages failed
> > > semodule:  Failed!
> > 
> > That suggests that enableaudit.pp wasn't built the same way (or
> against
> > the same policy) as the policy you are using.  Are you using a custom
> > policy or the RH-provided selinux-policy-mls?
> 
> I thought I was using the RedHat provided mls policy. I downloaded the
> src from RedHat and built as a strict-mls policy.

There should have already been a selinux-policy-mls binary rpm available
that you could have used.  If you rebuilt from source, you may have used
a different modules.conf or build.conf settings, unless you just rebuild
their src rpm as is via rpmbuild.

> > 
> > Also, I suspect that stripping dontaudits from your base module isn't
> > going to help you since you are talking about your own custom module
> for
> > your own application, right?  So I'd start by looking at the
> > postprocessed module file for dontaudits and strip those by hand.  Or
> > just build a modern selinux userland into a private directory, set
> PATH
> > and LD_LIBRARY_PATH to refer to it, and run the modern semodule -DB
> > command from it.
> > 
> 
> I think the only non-base module coming into play is my small setcontest
> module, and I didn't add any dontaudit statements it. I do call a number
> of interfaces that may add dontaudit statements but I think most/all of
> them are to base modules.

Interfaces are just m4 macros at present, so they get expanded into your
module, not in the base.  So any dontaudits they included would show up
in your module after processing by m4.

> By "postprocessed module file" do you mean the setcontest.pp file? This
> file doesn't appear to have any dontaudit statements in it, but aren't
> *.pp files binary? I wouldn't know how to strip out a dontaudit
> statement if I found one.

When you do a 'make -f /usr/share/selinux/devel/Makefile', it creates a
tmp/ directory, processes your .te file, creating a postprocessed
tmp/<name>.tmp file.  That's the real module content.  Then that gets
fed into checkmodule and that gets fed into semodule_package.  So, for
example, you might do the following to strip dontaudits from your
module:
	cd tmp/
	grep -v dontaudit setcontext.tmp > foo
	mv foo setcontext.tmp
	checkmodule -m -M -o setcontext.mod setcontext.tmp
	semodule_package -o setcontext.pp -m setcontext.mod -f setcontext.fc
	semodule -i setcontext.pp

> I'm not sure what you mean by "build a modern selinux userland ...". 

Grab the sources of the current selinux userland (ones that support
semodule -DB) and compile them?

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux