On Sun, 2012-03-25 at 18:11 +0100, Mr Dash Four wrote:
> > What does audit2why say?
> >
> Well, not what I expected :-\ :
>
> -bash-4.1# audit2why < /var/log/audit/audit.log
> Traceback (most recent call last):
>   File "/usr/bin/audit2allow", line 24, in <module>
>     import sepolgen.policygen as policygen
>   File "/usr/lib/python2.6/site-packages/sepolgen/policygen.py", line 33, in <module>
>     from setools import *
> ImportError: No module named setools

ouch

> So, I guess I have to transfer my audit.log on a machine which does have
> setools (python) installed (the one I am getting this on is my dmz
> server, so it is pretty constrained).
>
> > Some shots in the dark:
> >
> > # get past dyntransition kiddy lock
> > domain_dyntrans_type(sshd_t)
> >
> > # get past subject identity change kiddy lock
> > domain_subj_id_change_exemption(sshd_t)
> >
> > # get past role change kiddy lock
> > domain_role_change_exemption(sshd_t)
> >
> I'll try these, thanks Dominick! I'll introduce these one by one as
> tunables and see what works.
>
> Could it be that the new version of openssh introduced these new hooks,
> which were not present in older versions? To me this whole issue is
> caused entirely by openssh.
>

not likely, I am not sure though

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux