need help for local.te
Ketut Mahaindra
kmahaindra at axalto.com
Sun May 21 04:01:28 UTC 2006
Hello,
Every time I need to make a local.te, I always localize (read: make a new file
and extract the messages) the corresponding AVC denied messages into another
log file, to be sure that I will get from audit2allow only those needed policies
related to the localized AVC denied messages and not from the whole audit.log
file.
You might try to use that practice.
--
Best regards,
Ketut Mahaindra (Ito)
"The race for perfection has no finish line"
-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Hongwei Li
Sent: Saturday, May 20, 2006 1:13 AM
To: fedora-selinux-list at redhat.com
Subject: Re: need help for local.te
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy. Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency
The problem is I need to re-do local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line
allow httpd_t shadow_t:file { getattr read write };
is automatically added to local.te -- this time, it added more, not just
read.
I believe that this is because I need to run the change_password plugin in
squirrelmail. It is not a problem in fc4 selinux -- I run audit2allow to add
an entry into local.te and run make load, then everything is working. But, in
fc5, it is a problem. If I remove that line, then whenever I run the above
command, it is automatically added.
How to fix the problem?
Thanks!
Hongwei
--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
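The practice Ketut describes (hand audit2allow only the denials you isolated, not the whole audit.log) combined with Stephen's advice to turn bogus entries into dontaudit rules, as an added Python example that is not part of this thread or of audit2allow itself. The audit log lines are constructed, and the shadow_t denylist and the pop_port_t denial are illustrative assumptions.

```python
import re

# Constructed sample audit.log excerpt in audit(1) AVC style (not from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1148097000.101:42): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148097000.102:43): avc:  denied  { getattr write } for  pid=2101 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148097001.500:44): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=143 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1148097002.900:45): avc:  denied  { read } for  pid=900 comm="cupsd" name="foo" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1148097002.900:45): arch=40000003 syscall=5 success=no exit=-13
"""

# Pulls permissions, source type, target type and class; the optional ":s0"
# group tolerates both MLS and non-MLS contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)(?::\w+)? .*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+)(?::\w+)? .*?tclass=(?P<tclass>\w+)'
)

# Target types that must never end up in an allow rule for a web server
# (illustrative list; shadow_t is the case from the thread).
SENSITIVE_TYPES = {"shadow_t"}

def localize_avc(log_text, source_type):
    """Return only the AVC denial lines whose source domain is source_type."""
    return [l for l in log_text.splitlines()
            if (m := AVC_RE.search(l)) and m.group("stype") == source_type]

def suggest_rules(avc_lines):
    """Aggregate permissions per (stype, ttype, tclass); emit allow or dontaudit."""
    perms = {}
    for line in avc_lines:
        m = AVC_RE.search(line)
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        perms.setdefault(key, set()).update(m.group("perms").split())
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        verb = "dontaudit" if t in SENSITIVE_TYPES else "allow"
        rules.append(f"{verb} {s} {t}:{c} {{ {' '.join(sorted(p))} }};")
    return rules  # every remaining allow line still needs human review

if __name__ == "__main__":
    local = localize_avc(SAMPLE_AUDIT_LOG, "httpd_t")
    print("\n".join(suggest_rules(local)))
```

Feeding the localized lines (or the generated rules) into the checkmodule / semodule_package / semodule sequence quoted above keeps the cupsd noise out of local.te and prevents the shadow_t denial from ever becoming an allow rule.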