On 06/19/2011 07:21 PM, Mr Dash Four wrote:
> Yesterday I've upgraded my SELinux policy & tools on my FC13 machine to
> bring it up to date with what is distributed with FC15 and later on did
> a similar upgrade to the kernel as well (.38 - the latest released for
> FC15), but SELinux is experiencing a few issues with the kernel. Here is
> what I've upgraded:
>
> old:
> policycoreutils-python-2.0.83-33.8
> policycoreutils-2.0.83-33.8
> selinux-policy-3.7.19-101
> selinux-policy-targeted-3.7.19-101
> libsemanage-2.0.45-1
> libsemanage-devel-2.0.45-1
> libsemanage-static-2.0.45-1
> libsemanage-python-2.0.45-1
> libselinux-python-2.0.94-2
> libselinux-2.0.94-2
> libselinux-devel-2.0.94-2
> libselinux-utils-2.0.94-2
> libsepol-2.0.41-3
> libsepol-devel-2.0.41-3
> libsepol-static-2.0.41-3
>
> new:
> policycoreutils-python-2.0.86-7
> policycoreutils-2.0.86-7
> policycoreutils-gui-2.0.86-7
> policycoreutils-newrole-2.0.86-7
> policycoreutils-restorecond-2.0.86-7
> selinux-policy-3.9.16-26
> selinux-policy-targeted-3.9.16-26
> libsemanage-2.0.46-4
> libsemanage-devel-2.0.46-4
> libsemanage-static-2.0.46-4
> libsemanage-python-2.0.46-4
> libselinux-python-2.0.99-4
> libselinux-2.0.99-4
> libselinux-devel-2.0.99-4
> libselinux-utils-2.0.99-4
> libsepol-2.0.42-2
> libsepol-devel-2.0.42-2
> libsepol-static-2.0.42-2
>
> Most of the new SELinux policy & tools above have been compiled from
> source - successfully - using the source rpm and just running rpmbuild
> with no changes to the .spec file. Everything installed OK, though when
> I recompiled and upgraded the kernel, it does boot up and works OK,
> though I have this in my syslog from SELinux:
>
> kernel: dracut: Loading SELinux policy
> kernel: type=1404 audit(1308450301.855:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> kernel: SELinux: Permission audit_access in class file not defined in policy.
> kernel: SELinux: Permission audit_access in class dir not defined in policy.
> kernel: SELinux: Permission execmod in class dir not defined in policy.
> kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
> kernel: SELinux: Permission open in class lnk_file not defined in policy.
> kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
> kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
> kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
> kernel: SELinux: Permission execmod in class blk_file not defined in policy.
> kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
> kernel: SELinux: Permission execmod in class sock_file not defined in policy.
> kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
> kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
> kernel: SELinux: Permission syslog in class capability2 not defined in policy.
> kernel: SELinux: the above unknown classes and permissions will be allowed
> kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295
>
> What could be the reason for this?
>
> I remember getting similar messages when I attempted to upgrade the
> kernel a couple of months ago from .34 to .37 - I had similar "not
> defined in policy" messages then from what I remember, though they were
> just a couple and certainly not the amount I am getting above. Is there
> any way I could rectify this *without* doing a full upgrade to FC15?
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

Lines like

Permission audit_access in class file not defined in policy.

mean the kernel understands what an audit_access means but the policy does not mention it. Looks like you are loading a policy that is older than the kernel.

I would make sure your FC15 policy is compiled and installed correctly.
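
An added example, not part of the original thread or of any SELinux tool: a Python script that groups the kernel's "not defined in policy" lines by class for each policy load, so a policy older than the running kernel is easy to spot and to re-check after reinstalling the policy. The sample log is constructed from lines quoted in the thread plus a hypothetical second, clean load; the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the kernel lines quoted in the thread, followed
# by a hypothetical second load (e.g. after installing a matching policy).
SAMPLE_LOG = """\
kernel: dracut: Loading SELinux policy
kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: Permission audit_access in class dir not defined in policy.
kernel: SELinux: Permission execmod in class dir not defined in policy.
kernel: SELinux: Permission open in class lnk_file not defined in policy.
kernel: SELinux: Permission syslog in class capability2 not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295
kernel: type=1403 audit(1308460000.000:9): policy loaded auid=0 ses=1
"""

PERM_RE = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy")
UNKNOWN_RE = re.compile(r"SELinux:\s+the above unknown classes and permissions will be (\w+)")
LOADED_RE = re.compile(r"type=1403 .*policy loaded")


def policy_loads(log_text):
    """Return one record per policy load (audit type=1403), holding the
    permissions the kernel knows but the policy lacks, grouped by class, and
    the word the kernel logged for how it treats them ("allowed" in the thread)."""
    loads, missing, handling = [], defaultdict(set), None
    for line in log_text.splitlines():
        if m := PERM_RE.search(line):
            missing[m.group(2)].add(m.group(1))
        elif m := UNKNOWN_RE.search(line):
            handling = m.group(1)
        elif LOADED_RE.search(line):
            # The warnings precede the "policy loaded" record, so close the group here.
            loads.append({"missing": {c: sorted(p) for c, p in missing.items()},
                          "handling": handling})
            missing, handling = defaultdict(set), None
    return loads


def policy_older_than_kernel(load):
    """True when the kernel reported permissions absent from the loaded policy."""
    return bool(load["missing"])


if __name__ == "__main__":
    for n, load in enumerate(policy_loads(SAMPLE_LOG), 1):
        stale = policy_older_than_kernel(load)
        print(f"load {n}: {'policy older than kernel' if stale else 'no missing permissions reported'}")
        for cls, perms in sorted(load["missing"].items()):
            print(f"  {cls}: {', '.join(perms)} ({load['handling']})")
```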