On 02/11/2011 09:37 PM, Adrian Sevcenco wrote:
> Hi!
> I try to add a policy for chrome for allowing read access for stuff from
> LD_LIBRARY_PATH and I did this:
>
> [root@sev selinux]# cat chrome.audit | audit2allow -M chrome
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i chrome.pp
>
> [root@sev selinux]# semodule -i chrome.pp
> libsepol.print_missing_requirements: chrome's global requirements were not met: type/attribute chrome_sandbox_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> with this:
> [root@sev selinux]# cat chrome.audit
> type=AVC msg=audit(1297435306.238:20321): avc: denied { read } for pid=22631 comm="chrome" name="clhep" dev=sda5 ino=8195388 scontext=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1297435306.238:20321): arch=c000003e syscall=2 success=no exit=-2 a0=7fffb3534570 a1=0 a2=0 a3=2f7065686c632f70 items=0 ppid=0 pid=22631 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="chrome" exe="/opt/google/chrome/chrome" subj=unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 key=(null)
>
> the sym link in question has these properties:
> adrian@sev: ~ $ ls -lZ /home/physics-tools/clhep/clhep
> lrwxrwxrwx. adrian adrian unconfined_u:object_r:user_home_t:SystemLow /home/physics-tools/clhep/clhep -> /home/physics-tools/clhep/2.1.0.0/
>
> anybody any idea about the problem?
> Thanks!
> Adrian

Use a different name for the module.

# cat chrome.audit | audit2allow -M mychrome
# semodule -i mychrome.pp

You can dontaudit it using

# cat chrome.audit | audit2allow -D -M mychrome
# semodule -i mychrome.pp

-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
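
An added example, not part of the original thread: the local module in the question was built as `chrome`, the same name as the installed policy module that declares `chrome_sandbox_t`, so this sketch checks a proposed name against the `semodule -l` listing before anything is built. The helper names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick a local module name that does not collide with an
# installed policy module before running audit2allow -M.

# Constructed sample of `semodule -l` output. Only the first
# whitespace-separated field (the module name) is used.
SAMPLE_MODULES='abrt 1.2.0
chrome 1.0.1
cron 2.2.1
mychrome 1.0'

# module_installed NAME: reads a module listing on stdin and succeeds
# if NAME is the first field of any line.
module_installed() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# safe_module_name NAME LISTING: print NAME if it is unused, otherwise the
# first free name among myNAME, myNAME2, myNAME3, ...
safe_module_name() {
    name=$1
    listing=$2
    candidate=$name
    n=1
    while printf '%s\n' "$listing" | module_installed "$candidate"; do
        n=$((n + 1))
        if [ "$n" -eq 2 ]; then
            candidate="my$name"
        else
            candidate="my$name$((n - 1))"
        fi
    done
    printf '%s\n' "$candidate"
}

# On a host with the SELinux tools and an audit extract, show the commands
# that would be run. Nothing is built or installed here.
if command -v semodule >/dev/null 2>&1 && [ -r chrome.audit ]; then
    mod=$(safe_module_name chrome "$(semodule -l 2>/dev/null)")
    echo "audit2allow -M $mod < chrome.audit && semodule -i $mod.pp"
fi
```

Review the generated `.te` file before installing the module; `audit2allow` turns every denial in the input into an allow rule.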