On Mon, 2009-01-26 at 13:20 -0600, Xavier Toth wrote:
> On Mon, Jan 26, 2009 at 11:27 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Mon, 2009-01-26 at 10:30 -0600, Xavier Toth wrote:
> >> I've built and installed an fc10 version of the rawhide policy and am
> >> now getting kerneloops. Does the kernel build rely on policy files?
> >>
> >> Kernel failure message 1:
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
> >> SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
> >
> > No, but enabling the openperm policy capability will trigger that
> > warning on older kernels.
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> >
>
> I'm not familiar with the openperm policy capability; how is it enabled/disabled?

The policy/policy_capabilities file specifies what policy capabilities
are enabled for a given policy - that tells the kernel whether or not to
enable newer permission checks that require a newer policy. Originally
introduced for the network peer controls and then extended for the new
open permission check.

You have to modify that file and then rebuild the base module.

--
Stephen Smalley
National Security Agency
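
The edit described in the reply above, as an added example that is not part of the original thread: a shell sketch that lists the capabilities enabled in a refpolicy-style policy/policy_capabilities file and comments one out before the base module is rebuilt. It assumes the `policycap NAME;` line format of the reference policy and that the capability the thread calls "openperm" is spelled `open_perms` in that file; the function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example: inspect and edit a refpolicy-style policy/policy_capabilities
# file. Function names and the sample content are constructed for illustration.

# Print the names of the capabilities the file enables.
# Enabled entries look like "policycap NAME;"; lines starting with '#' are comments.
list_policycaps() {
    sed -n 's/^[[:space:]]*policycap[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]*;.*$/\1/p' "$1"
}

# Comment out one capability so the rebuilt base module no longer requests it.
# Returns 1 if the capability is not currently enabled in the file.
disable_policycap() {
    file=$1
    cap=$2
    # -F/-x: exact whole-line match, so $cap is a known-safe name below.
    list_policycaps "$file" | grep -Fqx "$cap" || return 1
    tmp=$(mktemp) || return 2
    sed "s/^\([[:space:]]*\)\(policycap[[:space:]]\{1,\}$cap[[:space:]]*;\)/\1#\2/" \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Write a constructed sample file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Constructed sample in the policy/policy_capabilities format.
policycap network_peer_controls;
# Enable the open permission check.
policycap open_perms;
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample: disable the open permission capability.
sample=$(make_sample)
echo "enabled before: $(list_policycaps "$sample" | tr '\n' ' ')"
disable_policycap "$sample" open_perms
echo "enabled after:  $(list_policycaps "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

On a real policy source tree the file argument would be policy/policy_capabilities, followed by the base module rebuild the reply mentions.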