
Re: failed to customize policy, SELinux won't let me
On Wed, 2006-05-03 at 09:53 -0700, Florin Andrei wrote:
> Fresh FC5 install (not an update) on an Intel 32bit CPU.
> Applied all updates, reboot, let anacron do its job, reboot.
> 
> Installed Postfix and Cyrus-IMAPd
> While testing Postfix with Cyrus I got this:
> 
> May  3 09:38:25 stantz kernel: audit(1146674305.211:305): avc:  denied
> { search } for  pid=3441 comm="lmtp" name="lib" dev=hda2 ino=2293761
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> 
> OK, fine, I go here and follow the steps (all the time working in
> the /root/selinux directory):
> 
> http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-local.te
> 
> However, I can't seem to load the local module:
> 
> # /usr/sbin/semodule -i local.pp
> /usr/sbin/semodule:  Could not read file 'local.pp':
> # ls
> local.fc  local.if  local.pp  local.te  tmp
> # cat local.te
> policy_module(local, 1.0)
> 
> require {
>         type postfix_master_t;
>         type var_lib_t;
> }
> 
> allow postfix_master_t var_lib_t:dir search;
> 
> In the logs I get this:
> 
> audit(1146674668.001:307): avc:  denied  { search } for  pid=3569
> comm="semodule" name="selinux" dev=hda4 ino=6501763
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> 
> What is going on?

Yes, I noticed this as well - semanage/semodule policy doesn't appear to
allow it to take input from user home directories presently.  Nice from
an integrity point of view (don't take untrustworthy inputs), but likely
not workable for everyday usage.

-- 
Stephen Smalley
National Security Agency
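As an added illustration (not code from the thread, the Fedora FAQ, or audit2allow itself), here is a small audit2allow-style converter that turns the two AVC denials quoted above into the same local.te stanza Florin posted, and shows the extra rule that the second denial (semanage_t searching user_home_t) would imply. The sample input is the thread's own two denial lines, re-joined onto single lines; everything else is assumed.

```python
import re
from collections import OrderedDict

# Constructed sample: the two AVC denials quoted in the thread, each re-joined onto one line.
SAMPLE_AVCS = [
    'audit(1146674305.211:305): avc:  denied  { search } for  pid=3441 comm="lmtp" '
    'name="lib" dev=hda2 ino=2293761 scontext=user_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'audit(1146674668.001:307): avc:  denied  { search } for  pid=3569 comm="semodule" '
    'name="selinux" dev=hda4 ino=6501763 scontext=user_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=dir',
]

# Matches the permission set, source/target contexts and object class of one denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for one denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third colon-separated field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def avc_to_te(lines, module="local", version="1.0"):
    """Build policy_module source from denial lines, merging perms per (src, tgt, class).

    The result is a starting point for review: each allow rule should be checked against
    what the confined domain actually needs before it is compiled and loaded with semodule.
    """
    rules = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC denial, e.g. an unrelated kernel message
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types = []
    for stype, ttype, _ in rules:
        for t in (stype, ttype):
            if t not in types:
                types.append(t)
    out = [f"policy_module({module}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out) + "\n"
```

Feeding only the first denial reproduces the local.te above; feeding both adds `allow semanage_t user_home_t:dir search;`, which is exactly the access the stock policy withholds from semodule when the .pp lives under a home directory.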

