need help for local.te

Hongwei Li hongwei at wustl.edu
Fri May 19 17:13:15 UTC 2006


> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I need help about local.te.  My system:
>>
>> kernel:         2.6.16-1.2111_FC5smp
>> selinux-policy-targeted:     2.2.38-1.fc5
>> audit:          1.1.5-1
>> sendmail:       8.13.6-0.FC5.1
>> squirrelmail:   1.4.6-5.fc5
>>
>> When I try to create an email folder in squirrelmail, I get an error.  So, I
>> ran the following to create my local.te and add my module.  Here is what I ran
>> and got:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> Generating type enforcment file: local.te
>> Compiling policy
>> checkmodule -M -m -o local.mod local.te
>> semodule_package -o local.pp -m local.mod
>>
>> ******************** IMPORTANT ***********************
>>
>> In order to load this newly created policy package into the kernel,
>> you are required to execute
>>
>> semodule -i local.pp
>>
>> # ls -l
>> total 40
>> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
>> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
>> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
>>
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule:  Failed!
>>
>> How to solve the problem?
>>
>> Thanks!
>
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy.  Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is that I need to redo local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just read.
I believe that this is because I need to run the change_password plugin in
squirrelmail.  It was not a problem in fc4 selinux -- I ran audit2allow to add the
entry into local.te and ran make load, then everything was working.  But in
fc5, it is a problem.  If I remove that line, then whenever I run the above
command, it is automatically added.

How to fix the problem?

Thanks!

Hongwei
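As an added illustration of the advice in Stephen's reply above (example script, not from the list thread or from the Fedora policy tools), this POSIX shell snippet rewrites any `allow ... shadow_t:file` rule that audit2allow emitted into a `dontaudit` rule, so the module can be rebuilt without tripping the base-policy assertion and the denial stops feeding audit2allow on the next run. The sample .te content is constructed to resemble audit2allow output; the rebuild step assumes the checkmodule/semodule_package/semodule commands shown in the reply.

```shell
#!/bin/sh
# Constructed sample of an audit2allow-generated local.te (not the poster's file).
SAMPLE_TE='module local 1.0;

require {
	type httpd_t;
	type shadow_t;
	type httpd_sys_content_t;
	class file { getattr read write };
}

allow httpd_t shadow_t:file { getattr read write };
allow httpd_t httpd_sys_content_t:file { read };
'

# sanitize_te INPUT OUTPUT
# Turn every "allow <domain> shadow_t:file ..." rule into "dontaudit <domain> shadow_t:file ...".
# Other rules and the require block are copied unchanged, so the dontaudit rule
# still has the type and class declarations it needs.
sanitize_te() {
  sed -E 's/^allow[[:space:]]+([A-Za-z0-9_]+)[[:space:]]+shadow_t:file[[:space:]]/dontaudit \1 shadow_t:file /' "$1" > "$2"
}

# count_shadow_allow FILE
# Print how many allow rules on shadow_t remain (0 means the file is safe to build).
count_shadow_allow() {
  grep -cE '^allow[[:space:]].*[[:space:]]shadow_t:' "$1" || true
}

# rebuild_module TE_FILE
# Same three steps as the reply: compile, package, and install the module.
rebuild_module() {
  checkmodule -M -m -o local.mod "$1" \
    && semodule_package -o local.pp -m local.mod \
    && semodule -i local.pp
}

# Example run on the constructed sample (writes into a temporary directory).
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  printf '%s' "$SAMPLE_TE" > "$d/local.te"
  sanitize_te "$d/local.te" "$d/local.clean.te"
  echo "shadow_t allow rules before: $(count_shadow_allow "$d/local.te")"
  echo "shadow_t allow rules after:  $(count_shadow_allow "$d/local.clean.te")"
  cat "$d/local.clean.te"
fi
```

Suppressing the audit message only stops audit2allow from regenerating the rule; it does not give httpd the access, which is exactly what the base-policy assertion exists to prevent.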