shintaro_fujiwara wrote:
> I think F7 strict policy is broken. Let's wait for a while until the SELinux guys fix it. I decided to play with FC6 this time.
>
> On 2007-08-08 (Wed) at 14:43 -0700, Hal wrote:
> > Authentication failed again :( but meanwhile I have checked firefox on strict policy on FC7. It does not work.
> >
> > --- shintaro_fujiwara <shin216 xf7 so-net ne jp> wrote:
> > > On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
> > > > Well I managed to compile the module, but it does not work for me. Compiled, loaded, set enforcing and: "authentication failed" again. I do not know if I am stupid, but I can not get along with this SELinux... Does this module work for you guys????
> > > >
> > > > hal
> > > >
> > > > --- "Christopher J. PeBenito" <cpebenito tresys com> wrote:
> > > > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > > > I have tried with logging_send_audit_msgs(local_login_t)
> > > > > > But still:
> > > > > >
> > > > > > [root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > > > > > Compiling strict local module
> > > > > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > > > > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
> > > > > > #line 9
> > > > > > allow local_login_t self:capability audit_write;
> > >
> > > Because we did not write "class capability { audit_write };" in the require brace. Write it and try again.
> > >
> > > Did you make it? As a matter of fact, I have another problem on strict policy. I ended up breaking F7 altogether, eliminating libselinux with --nodeps. Now I'm trying to upgrade FC6 to F7. You can upgrade FC6 to F7, if you are tired of your process on F7. Do not stop trying strict policy. Never surrender. It's rewarding, and the SELinux guys will guide you to the right place.
> > >
> > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > make: *** [tmp/local.mod] Error 1
> > > > > >
> > > > > > I really have no idea what all this means. There is no "allow" anywhere in local.te. If it is in this macro at the end... Do I need to install the policy source and edit it?
> > > > >
> > > > > It is in the interface. You need to change this:
> > > > >
> > > > >     module local 1.0;
> > > > >
> > > > > to this:
> > > > >
> > > > >     policy_module(local,1.0)
> > > > >
> > > > > It will automatically require all of the kernel object classes.
> > > > >
> > > > > --
> > > > > Chris PeBenito
> > > > > Tresys Technology, LLC
> > > > > (410) 290-1411 x150
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I am not sure what is broken on Firefox on strict policy as of Fedora 7. I have begun the merge of strict and targeted in rawhide Fedora Core 8/Test1. I have done some rewriting of the Mozilla/Firefox policy. There were several problems in the existing policy and several problems in the way the OS is designed. Mainly these dealt with the use of the /tmp file system by gnome.
I have rewritten the mozilla policy to use one of three booleans:

- firefox with no network access (r/only)
- Firefox with network access (R/O on homedir)
- Firefox with network access (r/w on homedir)

firefox currently transitions from the user domain to userdomain_mozilla_t. So for example
user_t -> user_mozilla_t. But I am allowing firefox to r/w user_tmp_t as well as user_mozilla_tmp_t.
This allows firefox to interact with X sockets, gdm_files, iceauth files, orbit files. Trying to lock this down does not
work. So if you want to use a locked down firefox, I would recommend looking at Fedora 8 Test1 and setting up an xguest user. xguest users can only access the web via firefox and are totally locked down.
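The fix Chris describes in the quoted thread, written out as an added example (not code from the list or from refpolicy): a local.te that uses policy_module() instead of a bare "module" header, so the capability class used by logging_send_audit_msgs() is already required, plus the build step. It assumes the module is named local and targets local_login_t, as in Hal's case.

```shell
#!/bin/sh
# Added example: generate the corrected local.te from the thread and build it
# with the refpolicy devel Makefile where that tree is installed.
set -eu

# Write local.te into the path given as $1. policy_module() declares the
# module and requires every kernel object class (including "capability"),
# so the rule expanded from logging_send_audit_msgs(),
#   allow local_login_t self:capability audit_write;
# compiles without a hand-written "class capability { ... };" require.
write_local_te() {
    cat > "$1" <<'EOF'
policy_module(local,1.0)

require {
    type local_login_t;
}

# Let local login send audit messages (expands to self:capability audit_write).
logging_send_audit_msgs(local_login_t)
EOF
}

# True when a .te file still starts with the bare "module NAME VER;" header,
# the form that fails with "unknown class capability used in rule" unless
# every class is listed in a require { } block by hand.
uses_bare_module_header() {
    grep -q '^module[[:space:]]' "$1"
}

# Compile local.te -> local.pp and load it; skipped where the policy devel
# tree or semodule is absent (e.g. a build box without SELinux tooling).
build_and_load() {
    if [ -f /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1; then
        ( cd "$1" && make -f /usr/share/selinux/devel/Makefile local.pp && semodule -i local.pp )
    else
        echo "SELinux policy devel tree not installed here; skipping build" >&2
    fi
}

workdir=$(mktemp -d)
write_local_te "$workdir/local.te"
build_and_load "$workdir"
```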