On 01/19/11 11:30, Justin P. Mattock wrote:
On 01/19/11 11:23, Christopher J. PeBenito wrote:
On 01/19/11 13:06, Justin P. Mattock wrote:
this is showing up with the latest kernel in enforcing mode..
(I have not update the policy and/or selinux userspace)
[ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
} for pid=1540 comm="rsyslogd" capability=34
scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=capability2
[cut]
when using audit2allow I get:
allow init_t self:capability2 syslog;
which gives an error when trying to install the module, due to the
policy not knowing what capability2 is
system is ubuntu maverick, if this is already in(refpolicy) then I'll
pull the latest when I get a chance..
Support for this capability is upstream in refpolicy.
well... after building and trying to install, seems I need to do this:
From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
From: Justin P. Mattock <justinmattock@xxxxxxxxx>
Date: Mon, 24 Jan 2011 11:13:31 -0800
Subject: [PATCH] modified: policy/modules/kernel/domain.te
Signed-off-by: Justin P. Mattock <justinmattock@xxxxxxxxx>
diff --git a/policy/modules/kernel/domain.te
b/policy/modules/kernel/domain.te
index bc534c1..77c363b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -24,7 +24,8 @@ attribute unconfined_domain_type;
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
-neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
# Domains that can set their current context
# (perform dynamic transitions)
--
1.6.5.GIT
in order for the policy to build all the way... is anybody else hitting
this, or is this just me..
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
