SELinux and Shorewall with IPSets
Dominick Grift
domg472 at gmail.com
Wed Jun 30 19:46:10 UTC 2010
On 06/30/2010 09:36 PM, Mr Dash Four wrote:
>
>> You would need to edit the source, and rebuild modified selinux-policy
>> packages. The port declaration is located in
>> policy/modules/kernel/corenetwork.te.in.
>>
>
> Building the RPMs went OK, though the image build failed miserably!
>
> I am getting the following errors when trying to install my
> (custom-built) selinux-policy and selinux-policy-targeted rpms:
>
> =============Errors when executing rpm -ivh selinux-policy*.rpm on the
> image======================
> libsemanage.semanage_install_active: setfiles returned error code 1.
> (Permission denied).
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/policy.kern to
> /etc/selinux/targeted/policy/policy.24. (No such file or directory).
> semodule: Failed!
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ===============================================================================
>
>
> Looking at my syslog I am getting the following:
>
>
> ============syslog====================================
> Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580):
> security_compute_sid: invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> =====================================================
>
> I presume my currently running SELinux does not like something when I
> try to install SELinux on the image. I presume it is something to do
> with the fact that its own 'selinux-policy' somehow differs from the one
> I built from source.
>
> When I actually log on the image itself (with qemu) and try running
> "semanage port -l | grep ssh" I am getting this:
>
> ======================================
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ======================================
>
>
> The interesting thing is that my "semanage fcontext" command to change
> ipset SELinux attributes has been executed - these attributes are changed.
Hmm... I am not sure about this but maybe:
role system_r types setfiles_mac_t;
helps here.
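The kernel's `security_compute_sid: invalid context` message names a computed context that policy validation rejected; in this thread the role in that context (system_r) is not declared for the type (setfiles_mac_t), which is exactly what the `role ... types ...;` statement above authorizes. The following is an added example, not code from the thread or from the selinux-policy project: it parses audit messages of that shape (the sample below is a constructed copy of the wrapped syslog lines quoted above) and prints the role declaration each rejected process context would need, collapsing repeated messages.

```python
import re

# Constructed sample, matching the wrapped kernel messages quoted in the
# thread: livecd_t executes setfiles_exec_t, the policy computes
# setfiles_mac_t as the new domain, and the result context is rejected.
SAMPLE_LOG = """\
Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578):
security_compute_sid: invalid context
unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579):
security_compute_sid: invalid context
unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
"""

# \s+ instead of a literal space so the pattern also matches messages that
# a mail client or log viewer has wrapped across several lines.
INVALID_CTX = re.compile(
    r"security_compute_sid:\s+invalid context\s+(?P<ctx>\S+)\s+for\s+"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:mls] into (user, role, type); the MLS range is ignored."""
    user, role, typ = ctx.split(":", 3)[:3]
    return user, role, typ


def suggest_role_statements(log_text):
    """Return the sorted 'role R types T;' statements that would authorize
    the role/type pairs rejected as invalid process contexts.

    Only tclass=process results are considered, since those are the domain
    transitions a role declaration governs; the same message repeated for
    each attempt yields a single statement."""
    needed = set()
    for m in INVALID_CTX.finditer(log_text):
        if m.group("tclass") != "process":
            continue
        _, role, typ = split_context(m.group("ctx"))
        needed.add(f"role {role} types {typ};")
    return sorted(needed)


if __name__ == "__main__":
    for statement in suggest_role_statements(SAMPLE_LOG):
        print(statement)
```

A statement emitted this way only reports the missing role authorization; whether that type should be reachable from the source domain (here livecd_t) is still a policy decision to check against the transition rules.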