What OS?
$ rpm -q selinux-policy
selinux-policy-3.9.16-48.fc15.noarch, but as I already mentioned, this
is a (heavily) modified policy. See Dominick's suggestions at the top of
this thread on what has been modified.
If I implement Dominick's suggestions as a separate module, which is
*not* part of the policy I don't get these syntax errors and I have my
mypol.pp file. If I try to do that as part of the policy-building
process, then it fails with the syntax error I already mentioned. I
can't include this separate module (mypol.pp), because I am building a
LiveCD image and the root filesystem (/) is read-only, so as soon as I
insert/install mypol.pp with semodule -i, this will be gone the next
time I reboot, so I have to incorporate these changes (provided that is
what I have to do!) as part of the policy (selinux-targeted), not as a
separate module.
All this is beside the point though. SSHD (5.8 is the version I tried
before I backtracked to the previous one I used - 5.5p1) has now some
new privilege-separation code and it seems to be causing me all these
errors. I did a little investigation yesterday before I gave up and if I
include "UsePrivilegeSeparation no" in sshd_config, then I do not get
the dyntransition avc, but I do get all the other ones (like { read }, {
unlink } on file/directory etc) which are associated with a domain
(sshd_t), which has no permission to access those files/directories -
that, to me, indicates that this "privilege separation" issue is not
completely gone even if I set "UsePrivilegeSeparation no".
When I revert back to 5.5p1 everything is hunky-dory and I have no such
issues, provided I switch sftpd_full_access to "on", otherwise I get the
same avc as above.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
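Added example, not part of the post or the selinux-policy package: a small audit.log triage script that groups AVC denials from sshd_t by object class and permission, and separates the dyntransition (process) denials the post ties to privilege separation from the file/directory denials that persist with "UsePrivilegeSeparation no". The log lines are constructed in the standard AVC record format; the target domain example_privsep_t is a placeholder, not a real policy type.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the original thread).
# example_privsep_t is a placeholder domain, not a type from the real policy.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1300000000.101:201): avc:  denied  { dyntransition } for  pid=1201 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:example_privsep_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1300000000.102:202): avc:  denied  { read } for  pid=1202 comm="sshd" name="upload.txt" dev=dm-0 ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:203): avc:  denied  { unlink } for  pid=1202 comm="sshd" name="old.txt" dev=dm-0 ino=4712 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1300000000.104:204): avc:  denied  { read } for  pid=1202 comm="sshd" name="data.bin" dev=dm-0 ino=4713 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.104:204): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the permission set, source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def domain_of(context):
    """Return the type field of a context, e.g. system_u:system_r:sshd_t:s0 -> sshd_t."""
    return context.split(":")[2]


def summarize_denials(log_text, source_domain="sshd_t"):
    """Count denials whose source domain is source_domain, keyed by (tclass, permission)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or domain_of(m.group("scontext")) != source_domain:
            continue  # not an AVC record, or a denial from some other domain
        for perm in m.group("perms").split():
            counts[(m.group("tclass"), perm)] += 1
    return dict(counts)


def split_privsep_vs_other(summary):
    """Separate process dyntransition denials (privilege separation) from everything else."""
    privsep = {k: v for k, v in summary.items() if k == ("process", "dyntransition")}
    other = {k: v for k, v in summary.items() if k not in privsep}
    return privsep, other


if __name__ == "__main__":
    privsep, other = split_privsep_vs_other(summarize_denials(SAMPLE_AVC_LINES))
    print("privsep-related:", privsep)
    print("file/dir access:", other)
```

The second group is the set that remains after turning privilege separation off, which is what to compare against the sftpd_full_access boolean's effect.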