
Re: need help for local.te

Hongwei Li wrote:
On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:

I need help about local.te.  My system:

kernel:         2.6.16-1.2111_FC5smp
selinux-policy-targeted:     2.2.38-1.fc5
audit:          1.1.5-1
sendmail:       8.13.6-0.FC5.1
squirrelmail:   1.4.6-5.fc5

When I try to create an email folder in squirrelmail, I got an Error.  So, I
did the following to create my local.te and add my module.  Here is what I run
and get:

# audit2allow -M local < /var/log/audit/audit.log
Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i local.pp

# ls -l
total 40
-rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
-rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
-rw-r--r-- 1 root root  733 May 19 09:46 local.te

# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

How to solve the problem?

This means that your local.te file includes a rule that allows httpd to
read your /etc/shadow file, and this violates an assertion in the base
policy.  Review your local.te file, prune entries that are not
legitimate, and rebuild the .mod and .pp files, e.g.
# vi local.te # edit out bogus entries or replace them with dontaudit rules
# checkmodule -m -M -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp

Stephen Smalley
National Security Agency

The problem is I need to re-do local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just read.
I believe that this is because I need to run the change_password plugin in
squirrelmail.  It is not a problem in fc4 selinux -- I run audit2allow to add
entry into local.te and run make load, then everything is working.  But, in
fc5, it is a problem.  If I remove that line, then whenever I run the above
command, it is automatically added.

How to fix the problem?
If this is not causing a problem for squirrelmail, how about

dontaudit httpd_t shadow_t:file { getattr read write };

Also you can create more than one pp file. So you could create local1.pp and local2.pp ...

You should always edit to make sure you only have the rules in your pp file that you want.

If these are legitimate problems with policy or some package, are you submitting bugzillas?
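As an added example (not code from anyone in this thread), the following POSIX shell script automates the fix suggested above: it rewrites any `allow ... shadow_t:...` rule that audit2allow generated into a `dontaudit` rule, refuses to build a module while such an allow rule is still present, and then runs the same checkmodule / semodule_package / semodule -i sequence quoted in the thread. The sample local.te it writes is constructed here, modelled on the rule Hongwei quoted; the file names local.te, local.mod and local.pp are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: neuter audit2allow-generated shadow_t rules before building.
# dontaudit keeps the denial in force but silences the AVC message, so the
# next audit2allow run no longer regenerates the allow rule.

# Write a constructed sample local.te (modelled on the thread's rule) to $1.
make_sample_te() {
  cat > "$1" <<'EOF'
module local 1.0;

require {
        type httpd_t;
        type shadow_t;
        class file { getattr read write };
}

allow httpd_t shadow_t:file { getattr read write };
EOF
}

# Rewrite every "allow <src> shadow_t:..." rule in $1 into "dontaudit ...".
# Uses a temp file instead of sed -i so it works with GNU and BSD sed.
neuter_shadow_rules() {
  sed -E 's/^[[:space:]]*allow([[:space:]]+[A-Za-z0-9_]+[[:space:]]+shadow_t:)/dontaudit\1/' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the number of allow rules in $1 that still target shadow_t.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e happy.
count_shadow_allows() {
  grep -c -E '^[[:space:]]*allow[[:space:]]+[A-Za-z0-9_]+[[:space:]]+shadow_t:' "$1" || true
}

# Build and load the module from $1, the same three commands used in the
# thread, but only after confirming no shadow_t allow rule survived.
build_module() {
  if [ "$(count_shadow_allows "$1")" -ne 0 ]; then
    echo "refusing to build: allow rule on shadow_t still present in $1" >&2
    return 1
  fi
  checkmodule -M -m -o local.mod "$1" &&
    semodule_package -o local.pp -m local.mod &&
    semodule -i local.pp
}

# Usage on a real system (paths are assumptions from the thread):
#   neuter_shadow_rules local.te && build_module local.te
```

Run the build step only on a box that has the policy tools installed; the rewrite and count functions need nothing beyond sed and grep, so they can be checked offline against the constructed sample first.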



fedora-selinux-list mailing list
fedora-selinux-list redhat com
