Re: need help for local.te

[Daniel J Walsh <dwalsh redhat com>]

Hongwei Li wrote:
> > On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
> >     
> > > Hi,
> > >
> > > I need help about local.te.  My system:
> > >
> > > kernel:         2.6.16-1.2111_FC5smp
> > > selinux-policy-targeted:     2.2.38-1.fc5
> > > audit:          1.1.5-1
> > > sendmail:       8.13.6-0.FC5.1
> > > squirrelmail:   1.4.6-5.fc5
> > >
> > > When I try to create an email folder in squirrelmail, I got Error.  So, I
> > > run
> > > the following to create my local.te and add my module.  Here are what I run
> > > and get:
> > >
> > > # audit2allow -M local < /var/log/audit/audit.log
> > > Generating type enforcment file: local.te
> > > Compiling policy
> > > checkmodule -M -m -o local.mod local.te
> > > semodule_package -o local.pp -m local.mod
> > >
> > > ******************** IMPORTANT ***********************
> > >
> > > In order to load this newly created policy package into the kernel,
> > > you are required to execute
> > >
> > > semodule -i local.pp
> > >
> > > # ls -l
> > > total 40
> > > -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
> > > -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
> > > -rw-r--r-- 1 root root  733 May 19 09:46 local.te
> > >
> > > # semodule -i local.pp
> > > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > > httpd_t
> > > shadow_t:file { read };
> > > libsepol.check_assertions: 1 assertion violations occured
> > > libsemanage.semanage_expand_sandbox: Expand module failed
> > > semodule:  Failed!
> > >
> > > How to solve the problem?
> > >
> > > Thanks!
> > >       
> > This means that your local.te file includes a rule that allows httpd to
> > read your /etc/shadow file, and this violates an assertion in the base
> > policy.  Review your local.te file, prune entries that are not
> > legitimate, and rebuild the .mod and .pp files, e.g.
> > # vi local.te # edit out bogus entries or replace them with dontaudit rules
> > # checkmodule -m -M -o local.mod local.te
> > # semodule_package -o local.pp -m local.mod
> > # semodule -i local.pp
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >     
>
> The problem is I need to re-do for local.te from time to time, and whenver I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
>
> allow httpd_t shadow_t:file { getattr read write };
>
> is automatically added to local.te -- this time, it added more, not just read.
>  I believe that this is because I need to run change_password plugin in
> squirrelmail.  It is not a problem in fc4 selinux -- I run audit2allow to add
> entry into local.te and run make load, then everything is working.  But, in
> fc5, it is a problem.  If I remove that line, then whenever I run the above
> command, it is automatically added.
>
> How to fix the problem?
>   
If this is not causing a problem for squirrelmail, how about

dontaudit httpd_t shadow_t:file { getattr read write };

Also you can create more than one pp file.  So you could create 
local1.pp and local2.pp ...

You should always edit make sure you only have the rules in your pp file 
that you want.

If these are legitimate problems with policy or some package, are you 
submitting bugzillas?

Dan
> Thanks!
>
> Hongwei
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>