Re: audit2allow broken?
- From: Stephen Smalley <sds tycho nsa gov>
- To: Hongwei Li <hongwei wustl edu>
- Cc: fedora-selinux-list redhat com, Karl MacMillan <kmacmillan mentalrootkit com>
- Subject: Re: audit2allow broken?
- Date: Wed, 09 May 2007 14:53:57 -0400
On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
> Hi,
>
> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6
> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6.
> The system works and I was trying to add some settings to the selinux policy
> by running audit2allow. It was okay before noon:
>
> # audit2allow -M local < /var/log/audit/audit.log
> # semodule -i local.pp
>
> The new modules were added and it works. However, later, I can't do it again,
> but always get error:
>
> # audit2allow -M local < /var/log/audit/audit.log
> compilation failed:
> (unknown source)::ERROR 'syntax error' at token '' on line 6:
>
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> /usr/bin/checkmodule: loading policy configuration from local.te
>
> and the file local.te has only one line:
>
> module local 1.0;
>
> not like before. Can somebody tell what is wrong? "on line 6" of what file?
> I reboot the system, still the same.

What version of policycoreutils?

The implication is that there were no avc denials
in /var/log/audit/audit.log, and thus the generated module was empty.
Possibly your audit logs were automatically rotated?

You should really be using the -a option btw, e.g.
	audit2allow -a -M local
That will pull all messages from audit, including older audit logs I
believe.

--
Stephen Smalley
National Security Agency
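
The condition discussed in this message (no AVC denials left in the live audit.log, so the generated module is empty) can be checked before running audit2allow. The script below is an added example, not part of the original message: the function names and sample log lines are constructed for illustration, and rotated logs are assumed to be named audit.log.N in the same directory.

```shell
#!/bin/sh
# Added example: find out where the AVC denials are before building a module.

# Count AVC denial records in one log file (prints 0 if it is unreadable).
count_avc_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c prints the count but exits 1 on zero matches, hence "|| true".
    grep -c -E '^type=(USER_)?AVC .*avc: +denied' "$1" || true
}

# Print "current" if the live log has denials, "rotated" if only
# audit.log.N files do, "none" if there is nothing to build a module from.
diagnose_audit_dir() {
    dir=$1
    live=$(count_avc_denials "$dir/audit.log")
    rotated=0
    for f in "$dir"/audit.log.*; do
        [ -e "$f" ] || continue
        rotated=$((rotated + $(count_avc_denials "$f")))
    done
    if [ "$live" -gt 0 ]; then echo current
    elif [ "$rotated" -gt 0 ]; then echo rotated
    else echo none
    fi
}

# Constructed sample: the live log holds no denials, the rotated log holds two.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/audit.log" <<'EOF'
type=USER_AUTH msg=audit(1178736000.101:210): user pid=2101 uid=0 auid=500 msg='PAM: authentication acct=root : exe="/usr/sbin/sshd" res=success'
EOF
    cat > "$d/audit.log.1" <<'EOF'
type=AVC msg=audit(1178720000.311:87): avc:  denied  { read } for  pid=1890 comm="httpd" name="index.html" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1178720000.312:88): avc:  denied  { getattr } for  pid=1890 comm="httpd" name="index.html" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1178720000.312:88): arch=40000003 syscall=195 success=no exit=-13 pid=1890 comm="httpd" exe="/usr/sbin/httpd"
EOF
    echo "$d"
}

sample=$(make_sample_dir)
echo "denials in live log: $(count_avc_denials "$sample/audit.log")"
echo "diagnosis: $(diagnose_audit_dir "$sample")"
rm -rf "$sample"
```

On a real system, `diagnose_audit_dir /var/log/audit` run as root gives the same classification; a result of `rotated` means that reading only audit.log would produce a local.te with nothing but the module line.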