[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

latest rawhide with strict policy and audit



allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };

After updating to the latest rawhide stuff I needed the above rule in sshd.te 
to allow sshd to work correctly (unified diff attached).  The first two 
accesses (create and bind) are needed to allow sshd to work to the stage of 
permitting logins.  The last three to stop it spewing messages.

What is this self:netlink_audit_socket access?  What is the appropriate access 
for such things?

newrole has the same issue, the file newrole.diff applies to 
newrole_macros.te.  Even after applying that patch I get an error as follows:

[root community ~]# newrole -r sysadm_r
Authenticating root.
Password:
Error sending status request (Operation not permitted)
[root community ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6
(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root community ~]#


I guess that this is in the new pam so local_login_t, xdm_t and other domains 
will need similar changes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
--- ssh.te.old	2005-04-14 20:26:20.000000000 +1000
+++ ssh.te	2005-04-14 20:26:04.000000000 +1000
@@ -31,6 +31,7 @@
 role system_r types $1_t;
 dontaudit $1_t shadow_t:file { getattr read };
 uses_shlib($1_t)
+allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_t self:fifo_file rw_file_perms;
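Review bot: the new rule lands in the per-domain macro (every other rule in the hunk is on `$1_t`), so every sshd domain instantiated from it gets `write` and `nlmsg_read` on its audit netlink socket, although the covering message says only `create` and `bind` are needed for logins to work and the other three just stop the message spew. If the daemon works without them, `dontaudit $1_t self:netlink_audit_socket { write nlmsg_read read };` next to `allow $1_t self:netlink_audit_socket { create bind };` is the tighter change; if the audit traffic is wanted, keep the allow but add a comment above it saying what sends the messages (the message guesses the new pam), since nothing in ssh.te otherwise explains why an sshd domain talks to the audit subsystem. The covering message also calls the file sshd.te while the hunk header says ssh.te; the two should agree.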
--- newrole_macros.te.old	2005-04-14 20:29:29.000000000 +1000
+++ newrole_macros.te	2005-04-14 20:33:39.000000000 +1000
@@ -20,6 +20,8 @@
 read_locale($1_t)
 read_sysctl($1_t)
 
+allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
 # for when the user types "exec newrole" at the command line
 allow $1_t privfd:process sigchld;
 
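Review bot: this is the identical five-permission rule to the ssh.te hunk, and the covering message expects local_login_t, xdm_t and other domains to need it as well, so it belongs in a shared macro (for example a hypothetical `audit_netlink_access($1_t)` in the common macros) that each domain calls, rather than a copy in each .te file that will drift. Also, the message reports `Error sending status request (Operation not permitted)` still occurring after this hunk is applied, so the hunk does not make newrole work on its own; before it is committed as the fix, the remaining denial should be identified (the kernel applies a capability check to audit netlink requests separately from these socket permissions, so a capability denial on sysadm_t in the audit log is the first thing to look for), and the rule deserves a comment naming the code path that needs it.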

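The question in the message is what the five netlink_audit_socket permissions actually correspond to. The following is an added example, not code from the original post or from the policy tree: it performs the same sequence of operations on a NETLINK_AUDIT socket that the rule permits and labels each step with the permission it exercises. socket() is the `create` check, bind() is `bind`, sendto() is `write` plus a per-message-type check in which the kernel classifies AUDIT_GET as `nlmsg_read`, and recv() is `read`. AUDIT_GET is the "status request" that the newrole error refers to; current kernels also require CAP_AUDIT_CONTROL on the sender for it and answer with an NLMSG_ERROR carrying EPERM otherwise, which is a separate check from the SELinux socket permissions. The message layout helpers are split out so they can be exercised without a live audit socket; everything else is standard netlink and audit UAPI.

```c
/*
 * Added example, not code from the original post or the policy tree.
 * Walks the operations on a NETLINK_AUDIT socket that the rule
 *   allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
 * permits, and names the permission each step exercises:
 *   socket()  -> create          bind() -> bind
 *   sendto()  -> write, plus nlmsg_read because the message type is AUDIT_GET
 *   recv()    -> read
 * AUDIT_GET is the "status request" libaudit sends; current kernels also
 * require CAP_AUDIT_CONTROL on the sender for it and refuse with EPERM.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Fill in an AUDIT_GET request (no payload) and return its length in bytes. */
size_t build_audit_get(struct nlmsghdr *nlh)
{
    memset(nlh, 0, sizeof(*nlh));
    nlh->nlmsg_len = NLMSG_LENGTH(0);
    nlh->nlmsg_type = AUDIT_GET;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = 1;
    nlh->nlmsg_pid = 0;             /* destination: the kernel */
    return nlh->nlmsg_len;
}

/* Interpret one message from the kernel.  Returns 1 and fills *st for the
 * AUDIT_GET status reply, a negative errno for an NLMSG_ERROR carrying a
 * refusal (e.g. -EPERM), and 0 for a plain ACK or anything unrecognised. */
int classify_reply(const struct nlmsghdr *nlh, size_t len, struct audit_status *st)
{
    if (!NLMSG_OK(nlh, len))
        return 0;
    if (nlh->nlmsg_type == NLMSG_ERROR &&
        NLMSG_PAYLOAD(nlh, 0) >= sizeof(struct nlmsgerr)) {
        const struct nlmsgerr *e = NLMSG_DATA(nlh);
        return e->error < 0 ? e->error : 0;
    }
    if (nlh->nlmsg_type == AUDIT_GET &&
        NLMSG_PAYLOAD(nlh, 0) >= sizeof(*st)) {
        memcpy(st, NLMSG_DATA(nlh), sizeof(*st));
        return 1;
    }
    return 0;
}

int main(void)
{
    unsigned char buf[NLMSG_SPACE(sizeof(struct audit_status)) + 256];
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    struct audit_status st;
    int fd, i;

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);              /* create */
    if (fd < 0) { perror("socket: netlink_audit_socket create"); return 1; }
    if (bind(fd, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {  /* bind */
        perror("bind: netlink_audit_socket bind");
        return 1;
    }
    size_t n = build_audit_get((struct nlmsghdr *)buf);
    if (sendto(fd, buf, n, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        perror("sendto AUDIT_GET: netlink_audit_socket write + nlmsg_read");
        return 1;
    }
    /* An accepted request yields a status reply and an ACK (either order);
     * a refused one yields a single NLMSG_ERROR with the kernel's errno. */
    for (i = 0; i < 2; i++) {
        ssize_t r = recv(fd, buf, sizeof(buf), 0);                  /* read */
        if (r < 0) { perror("recv: netlink_audit_socket read"); return 1; }
        int rc = classify_reply((struct nlmsghdr *)buf, (size_t)r, &st);
        if (rc == 1) {
            printf("audit enabled=%u pid=%u backlog_limit=%u\n",
                   st.enabled, st.pid, st.backlog_limit);
            break;
        }
        if (rc < 0) {
            printf("kernel refused AUDIT_GET: %s\n", strerror(-rc));
            return 1;
        }
    }
    close(fd);
    return 0;
}
```

Run it as root with and without the policy rule in place: a failure at socket() or bind() is the `create`/`bind` half of the rule, a failure at sendto() is the `write`/`nlmsg_read` half, and an NLMSG_ERROR reply of "Operation not permitted" after a successful sendto() is the kernel's own capability check rather than an SELinux socket permission, which is the distinction to keep in mind when a denial survives the policy change.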