[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: need help for local.te



On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
> Hi,
> 
> I need help about local.te.  My system:
> 
> kernel:         2.6.16-1.2111_FC5smp
> selinux-policy-targeted:     2.2.38-1.fc5
> audit:          1.1.5-1
> sendmail:       8.13.6-0.FC5.1
> squirrelmail:   1.4.6-5.fc5
> 
> When I try to create an email folder in squirrelmail, I got Error.  So, I run
> the following to create my local.te and add my module.  Here are what I run
> and get:
> 
> # audit2allow -M local < /var/log/audit/audit.log
> Generating type enforcment file: local.te
> Compiling policy
> checkmodule -M -m -o local.mod local.te
> semodule_package -o local.pp -m local.mod
> 
> ******************** IMPORTANT ***********************
> 
> In order to load this newly created policy package into the kernel,
> you are required to execute
> 
> semodule -i local.pp
> 
> # ls -l
> total 40
> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
> 
> # semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t
> shadow_t:file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> How to solve the problem?
> 
> Thanks!

This means that your local.te file includes a rule that allows httpd to
read your /etc/shadow file, and this violates an assertion in the base
policy.  Review your local.te file, prune entries that are not
legitimate, and rebuild the .mod and .pp files, e.g.
# vi local.te # edit out bogus entries or replace them with dontaudit rules
# checkmodule -m -M -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]