[fedora-arm] semanage error Re: Fedora-Xfce-armhfp-21-20140815-sda.raw.xz
Robert Moskowitz
rgm at htt-consult.com
Sun Aug 17 05:09:32 UTC 2014
On 08/16/2014 05:45 AM, Daniel J Walsh wrote:
> On 08/15/2014 03:34 PM, Robert Moskowitz wrote:
>> My cubieboard2 vanilla see below
>> I move the sshd port, and update SELinux policy with:
>>
>> semanage port -a -t ssh_port_t -p tcp 1234
>>
>> and got the following messages:
>>
>> [ 1828.788735] SELinux: Permission audit_read in class capability2
>> not defined in policy.
> This means you have a capability defined in policy "audit_read", which
> the kernel does not understand
Well this is a clean install:
# fedora-arm-image-installer/fedora-arm-image-installer.sh \
    --image=Fedora-Xfce-armhfp-21-20140815-sda.raw.xz --target=Cubietruck \
    --media=/dev/sdb --norootpass
But replacing the Cubietruck uboot with the cubieboard2 uboot:
# dd if=/root/u-boot-sunxi/u-boot-sunxi-with-spl.bin of=/dev/sdb bs=1024 seek=8; sync
So I am performing a 'rather common' semanage command to allow sshd to
listen on a non-standard port, using the provided kernel and stuff. The
Cubieboard2 uboot is what is being cleaned up for inclusion in armhfp-21.
>> [ 1828.796870] SELinux: the above unknown classes and permissions will
>> be allowed
>> [ 1829.450779] SELinux: Context
>> system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1831.528160] SELinux: Context
>> system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1832.890157] SELinux: Context
>> unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
>> [ 1834.966398] SELinux: Context
>> unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid
>> (unmapped).
> These are types that have been removed from the default packages. So
> they were defined in the previous policy that you had in the kernel, but
> the new policy you loaded no longer has sandbox_t and vbetool_t. These
> should not be a problem
> unless you had an application running as sandbox_t or vbetool_t, most
> likely not.
Again, I am doing something that lots of others do, that is move sshd to
another port using a common semanage command. So I did not do anything
knowingly with sandbox_t or the rest you identify. Something provided in
the current build is responding not as it does in F20.
>> But it seems to have worked. That is SSH can be reached at the
>> changed port. And yes, I also did the firewall-cmd for the new port
>> number.
>>
>>
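The check suggested in the reply above (was anything actually running under a type that became unmapped?) can be scripted. The following is an added example, not part of the original thread: the function names are hypothetical, and both samples are constructed, the log from the messages quoted above (unwrapped to one per line) and the process listing in `ps -eZ` layout.

```shell
# Constructed sample: the kernel messages quoted in the thread, one per line.
SAMPLE_LOG='[ 1828.788735] SELinux: Permission audit_read in class capability2 not defined in policy.
[ 1828.796870] SELinux: the above unknown classes and permissions will be allowed
[ 1829.450779] SELinux: Context system_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1831.528160] SELinux: Context system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1832.890157] SELinux: Context unconfined_u:system_r:vbetool_t:s0-s0:c0.c1023 became invalid (unmapped).
[ 1834.966398] SELinux: Context unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).'

# Constructed sample in `ps -eZ` layout: LABEL PID TTY TIME CMD.
SAMPLE_PS='system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ? 00:00:00 sshd
unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 2044 pts/0 00:00:01 firefox'

# Print "class:permission" for every permission reported as not defined in policy.
undefined_perms() {
    sed -n 's/.*SELinux: *Permission \([^ ]*\) in class \([^ ]*\) not defined in policy.*/\2:\1/p' | sort -u
}

# Print the unique SELinux types (third field of the context) that became unmapped.
unmapped_types() {
    sed -n 's/.*SELinux: *Context \([^ ]*\) became invalid (unmapped).*/\1/p' |
        cut -d: -f3 | sort -u
}

# Print how the kernel says it treats the unknown permissions: "allowed" or "denied".
unknown_handling() {
    sed -n 's/.*unknown classes and permissions will be \([a-z]*\).*/\1/p' | tail -n 1
}

# Read `ps -eZ` lines on stdin; print those whose context type is one of the arguments.
procs_with_type() {
    awk -v types="$*" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        { split($1, c, ":"); if (c[3] in want) print }'
}

# Summary over the constructed samples. On a live system, feed the functions
# from `dmesg` and `ps -eZ` instead.
types=$(printf '%s\n' "$SAMPLE_LOG" | unmapped_types)
echo "undefined permissions: $(printf '%s\n' "$SAMPLE_LOG" | undefined_perms)"
echo "unknown permissions are: $(printf '%s\n' "$SAMPLE_LOG" | unknown_handling)"
echo "unmapped types:" $types
echo "processes still labelled with an unmapped type:"
printf '%s\n' "$SAMPLE_PS" | procs_with_type $types
```

An empty result from the last step matches the "most likely not" case in the reply; any line it prints is a process whose label no longer exists in the loaded policy.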