Add SELinux protection to Pure-FTPd
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 14 15:16:40 UTC 2006
On Fri, 2006-04-14 at 16:47 +0200, Aurelien Bompard wrote:
> Looks good to me, except I've placed it
> in /usr/share/selinux/packages/<packagename> to avoid the base and targeted
> dirs being buried under a ton of packages dirs in the future.
>
> It's taking shape, but I have another problem. I run
> semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp
> in the %post scriptlet to load the module, and I get this error:
>
> libsemanage.semanage_commit_sandbox: Could not remove previous
> backup /etc/selinux/targeted/modules/previous.
> semodule: Failed!
>
> With this AVC in audit.log :
>
> type=AVC msg=audit(1145025496.481:18267): avc: denied { rmdir } for
> pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir
Looks like the type isn't getting preserved
on /etc/selinux/$SELINUXTYPE/modules/{active,previous} upon updates -
they are reverting from semanage_store_t to selinux_config_t (the type
on their parent directory). We either need to put semanage_store_t
on /etc/selinux/$SELINUXTYPE/modules as well or we need to make
libsemanage preserve the types.
>
> And the module is not loaded.
> Calling semodule outside the RPM scriptlet works fine.
>
> Any idea ? Should I use another command ?
>
>
> Thanks,
>
> Aurélien
--
Stephen Smalley
National Security Agency
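The denial quoted in this thread (semanage_t refused rmdir on a directory that carries selinux_config_t instead of semanage_store_t) is easy to spot in audit.log once you know the pattern. The following is an added example, not code from this thread or from the SELinux userspace: a small parser for AVC records that flags exactly that mislabel symptom. The audit lines inside SAMPLE_AUDIT_LOG are constructed; the first reproduces the record from the thread as a single log line, the others are made-up records (a SYSCALL line and an unrelated httpd denial) included to show what the check ignores.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /var/log/audit/audit.log. Line 1 is the AVC from the
# thread written on one line as auditd logs it; lines 2 and 3 are invented
# records added only to show that the check skips non-AVC and unrelated events.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1145025496.481:18267): avc: denied { rmdir } for pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1145025496.481:18267): arch=40000003 syscall=40 success=no exit=-13 comm="semodule"
type=AVC msg=audit(1145025510.200:18280): avc: denied { read } for pid=28100 comm="httpd" name="index.html" dev=sda2 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, result, permission set, then
# the free-form key=value tail.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm="semodule") or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Types named in the thread: the module store should be semanage_store_t, and
# the symptom is that it has fallen back to its parent's selinux_config_t.
SOURCE_TYPE = "semanage_t"
MISLABEL_TYPE = "selinux_config_t"


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit.log line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "ts": m.group("ts"),
        "serial": m.group("serial"),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def is_store_mislabel(rec: Dict[str, object]) -> bool:
    """True for a denial where semanage_t hit a selinux_config_t directory.

    That combination is the thread's symptom: semodule (running as semanage_t)
    operating on a module-store directory that lost its semanage_store_t label.
    """
    return (
        rec.get("result") == "denied"
        and rec.get("tclass") == "dir"
        and context_type(str(rec.get("scontext", "::"))) == SOURCE_TYPE
        and context_type(str(rec.get("tcontext", "::"))) == MISLABEL_TYPE
    )


def find_store_mislabels(log_text: str) -> List[Dict[str, object]]:
    """Scan audit.log text and return the AVC records matching the symptom."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and is_store_mislabel(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_store_mislabels(SAMPLE_AUDIT_LOG):
        print("module store mislabel: comm=%s name=%s ino=%s denied %s; "
              "target is %s, expected semanage_store_t"
              % (hit["comm"], hit["name"], hit["ino"],
                 " ".join(hit["perms"]), context_type(str(hit["tcontext"]))))
```

Run it against a real audit.log by passing the file's contents to find_store_mislabels(); a hit tells you which directory (name= and ino=) to inspect with ls -dZ and compare against the semanage_store_t label the thread says those directories should carry.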