Should cron jobs be allowed to access the user's X session?
by Aleksey Nogin
I have a cron job that pops up a "reminder" message in my X session
(provided I have one at that time). Should this be allowed? I am getting:
audit(1079766600.874:0): avc: denied { getattr } for pid=5767
exe=/usr/bin/python path=/home dev=hda2 ino=3777313
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079766600.915:0): avc: denied { getsched } for pid=5767
exe=/usr/bin/python scontext=aleksey:staff_r:staff_crond_t
tcontext=aleksey:staff_r:staff_crond_t tclass=process
audit(1079766601.549:0): avc: denied { search } for pid=5767
exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079766601.550:0): avc: denied { write } for pid=5767
exe=/usr/bin/python name=X0 dev=hda2 ino=229060
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=sock_file
audit(1079766601.576:0): avc: denied { connectto } for pid=5767
exe=/usr/bin/python path=/tmp/.X11-unix/X0
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:system_r:xdm_xserver_t tclass=unix_stream_socket
audit(1079766601.576:0): avc: denied { read } for pid=5767
exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766601.577:0): avc: denied { getattr } for pid=5767
exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766602.836:0): avc: denied { search } for pid=5767
exe=/usr/bin/python name=fonts dev=hda2 ino=114501
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079766602.883:0): avc: denied { read } for pid=5767
exe=/usr/bin/python name=fonts.cache-1 dev=hda2 ino=114575
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:fonts_t tclass=file
audit(1079766602.885:0): avc: denied { getattr } for pid=5767
exe=/usr/bin/python path=/usr/share/fonts dev=hda2 ino=114501
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079766602.885:0): avc: denied { getattr } for pid=5767
exe=/usr/bin/python path=/usr/share/fonts/fonts.cache-1 dev=hda2
ino=114575 scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:fonts_t tclass=file
audit(1079766603.005:0): avc: denied { read } for pid=5767
exe=/usr/bin/python name=OTF dev=hda2 ino=4366585
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:fonts_t tclass=dir
audit(1079767201.115:0): avc: denied { search } for pid=5794
exe=/usr/bin/python name=.X11-unix dev=hda2 ino=229366
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=dir
audit(1079767201.115:0): avc: denied { write } for pid=5794
exe=/usr/bin/python name=X0 dev=hda2 ino=229060
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:xdm_xserver_tmp_t tclass=sock_file
audit(1079767201.116:0): avc: denied { read } for pid=5794
exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079767201.116:0): avc: denied { getattr } for pid=5794
exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
USERCTL=yes - ifup by non-privileged user AVCs.
by Aleksey Nogin
I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and
I run "ifup wvlan0" as a non-privileged user. Of course, this generates
a long list of AVC messages. Should there be some special policy
provisions for the usernetctl?
security_compute_sid: invalid context user_u:user_r:insmod_t for
scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t
tclass=process
audit(1079121920.219:0): avc: denied { read write } for pid=1123
exe=/sbin/insmod path=/dev/pts/9 dev= ino=11
scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t
tclass=chr_file
audit(1079121920.231:0): avc: denied { getattr } for pid=1046
exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t
tclass=file
audit(1079121920.233:0): avc: denied { create } for pid=1124
exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.234:0): avc: denied { getattr } for pid=17337
exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229
scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079121920.237:0): avc: denied { read } for pid=1124
exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t
tclass=file
audit(1079121920.254:0): avc: denied { write } for pid=1124
exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2
ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t
tclass=file
audit(1079121920.259:0): avc: denied { write } for pid=1125
exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t
tclass=file
audit(1079121920.268:0): avc: denied { unlink } for pid=1126
exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270
scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.421:0): avc: denied { search } for pid=1144
exe=/sbin/dhclient name=dhcp dev=hda2 ino=1815097
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_state_t
tclass=dir
audit(1079121920.422:0): avc: denied { read } for pid=1144
exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t
tclass=file
audit(1079121920.422:0): avc: denied { write } for pid=1144
exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t
tclass=file
audit(1079121920.442:0): avc: denied { getattr } for pid=1144
exe=/sbin/dhclient path=/var/lib/dhcp/dhclient-wvlan0.leases dev=hda2
ino=1815259 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:dhcpc_state_t tclass=file
wvlan0: New link status: Connected (0001)
audit(1079121921.923:0): avc: denied { create } for pid=1144
exe=/sbin/dhclient scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.923:0): avc: denied { bind } for pid=1144
exe=/sbin/dhclient scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { setopt } for pid=1144
exe=/sbin/dhclient scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { name_bind } for pid=1144
exe=/sbin/dhclient src=68 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
audit(1079121921.929:0): avc: denied { write } for pid=1144
exe=/sbin/dhclient scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121922.935:0): avc: denied { read } for pid=1144
exe=/sbin/dhclient path=socket:[5287768] dev= ino=5287768
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=packet_socket
audit(1079121923.662:0): avc: denied { write } for pid=1247
exe=/sbin/dhclient name=dhclient-wvlan0.pid dev=hda2 ino=179909
scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_var_run_t
tclass=file
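Added example, not from the list posts: a small Python triage script for AVC denials in the format quoted in the two posts above (the cron/X session one and the USERCTL one). It re-joins the archive's wrapped lines, extracts source domain, target type, object class and denied permissions, and groups them the way audit2allow's output would, so each candidate rule can be reviewed (allow, dontaudit or relabel) instead of being applied blindly. The sample lines are a constructed subset of the denials quoted above; the function and key names are my own.

```python
import re

# Constructed sample: a subset of the AVC lines quoted in the posts above,
# kept with the mail archive's line wrapping to exercise the re-joining logic.
SAMPLE_AVC = """\
audit(1079766601.576:0): avc: denied { connectto } for pid=5767
exe=/usr/bin/python path=/tmp/.X11-unix/X0
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:system_r:xdm_xserver_t tclass=unix_stream_socket
audit(1079766601.576:0): avc: denied { read } for pid=5767
exe=/usr/bin/python name=.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766601.577:0): avc: denied { getattr } for pid=5767
exe=/usr/bin/python path=/home/aleksey/.Xauthority dev=hda2 ino=311184
scontext=aleksey:staff_r:staff_crond_t
tcontext=system_u:object_r:staff_home_xauth_t tclass=file
audit(1079766600.915:0): avc: denied { getsched } for pid=5767
exe=/usr/bin/python scontext=aleksey:staff_r:staff_crond_t
tcontext=aleksey:staff_r:staff_crond_t tclass=process
audit(1079121920.219:0): avc: denied { read write } for pid=1123
exe=/sbin/insmod path=/dev/pts/9 dev= ino=11
scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t
tclass=chr_file
audit(1079121921.923:0): avc: denied { create } for pid=1144
exe=/sbin/dhclient scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.923:0): avc: denied { bind } for pid=1144
exe=/sbin/dhclient scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=packet_socket
"""

AUDIT_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # \S* so an empty 'dev=' still parses


def join_wrapped(text):
    """Re-join records the archive wrapped: a record starts at 'audit(' and
    runs until the next 'audit(' line."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit("):
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:
            current += " " + line
    if current is not None:
        records.append(current)
    return records


def parse_avc(text):
    """One dict per denial: ts (float), perms (set) and every key=value field."""
    events = []
    for rec in join_wrapped(text):
        m = AUDIT_RE.search(rec)
        if not m:
            continue  # skip non-AVC kernel lines such as security_compute_sid
        event = {"ts": float(m.group("ts")), "perms": set(m.group("perms").split())}
        event.update(FIELD_RE.findall(m.group("fields")))
        events.append(event)
    return events


def type_of(context):
    """user:role:type -> type (contexts on this list have no MLS field)."""
    return context.split(":")[2]


def summarize(events):
    """Group by (source domain, target type, object class) as audit2allow does;
    a target identical to the source is rendered as 'self'."""
    groups = {}
    for e in events:
        src = type_of(e["scontext"])
        tgt = "self" if e["tcontext"] == e["scontext"] else type_of(e["tcontext"])
        g = groups.setdefault((src, tgt, e["tclass"]),
                              {"perms": set(), "exes": set(), "objects": set()})
        g["perms"] |= e["perms"]
        g["exes"].add(e.get("exe", "?"))
        obj = e.get("path") or e.get("name")
        if obj:
            g["objects"].add(obj)
    return groups


def candidate_rules(groups):
    """Render each group as an allow rule for a human to review; deciding
    between allow, dontaudit and relabel is not derivable from the log."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(g["perms"])))
            for (src, tgt, cls), g in sorted(groups.items())]


if __name__ == "__main__":
    groups = summarize(parse_avc(SAMPLE_AVC))
    for rule, (_, g) in zip(candidate_rules(groups), sorted(groups.items())):
        print(rule, "# via", ",".join(sorted(g["exes"])), "on",
              ",".join(sorted(g["objects"])) or "-")
```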
What is the best way to find out (in a script) whether SElinux is used?
by Aleksey Nogin
I want to have a script that acts slightly differently depending on
whether SELinux is being used or not. What is the best way to do it?
My initial attempts to use "-e /etc/security/selinux" or "-e
/selinux/enforce" all create log messages:
audit(1079689937.170:0): avc: denied { getattr } for pid=2662
exe=/bin/bash path=/etc/security/selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1079690744.526:0): avc: denied { getattr } for pid=3577
exe=/bin/bash path=/selinux/enforce dev= ino=4
scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:security_t
tclass=file
[policy-1.8-22] Bringing a device via hotplug AVCs
by Aleksey Nogin
The list is now much smaller than it used to be. I see:
audit(1079689114.447:0): avc: denied { read } for pid=1615
exe=/sbin/route name=resolv.conf dev=hda2 ino=229950
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615
exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for
saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t
tclass=netif
audit(1079689115.057:0): avc: denied { udp_recv } for
saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t
tclass=node
audit(1079689115.057:0): avc: denied { recv_msg } for
saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:dns_port_t tclass=udp_socket
XFree86 accessing /dev/urandom AVCs.
by Aleksey Nogin
Not sure where these come from (possibly it's because of my using the
vnc module in X). Safe to dontaudit?
audit(1079686139.241:0): avc: denied { getattr } for pid=9439
exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1079686139.241:0): avc: denied { ioctl } for pid=9439
exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
[policy-1.8-19] Running /bin/mail as a sysadm_r user AVCs
by Aleksey Nogin
I ran "... | mail -s ... aleksey" while running under sysadm_r and I got:
audit(1079685757.727:0): avc: denied { read } for pid=9687
exe=/usr/sbin/sendmail.sendmail name=self dev= ino=2
scontext=aleksey:sysadm_r:sysadm_mail_t
tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079685757.727:0): avc: denied { search } for pid=9687
exe=/usr/sbin/sendmail.sendmail name=9687 dev= ino=634847234
scontext=aleksey:sysadm_r:sysadm_mail_t
tcontext=aleksey:sysadm_r:sysadm_mail_t tclass=dir
audit(1079685757.751:0): avc: denied { dac_override } for pid=9688
exe=/usr/sbin/sendmail.sendmail capability=1
scontext=system_u:system_r:sendmail_t
tcontext=system_u:system_r:sendmail_t tclass=capability
The first one is probably an issue with how the kernel manages /proc -
/proc/self IMHO should not be system_u:object_r:proc_t.
[policy-1.8-19] Reading the hostname AVCs
by Aleksey Nogin
When running hostname (or hostname -s) to _get_ (not set) the hostname
as a "staff" user - under sysadm_r:
audit(1079685457.360:0): avc: denied { read } for pid=9499
exe=/bin/hostname name=resolv.conf dev=hda2 ino=229950
scontext=aleksey:sysadm_r:hostname_t
tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { getattr } for pid=9499
exe=/bin/hostname path=/etc/resolv.conf dev=hda2 ino=229950
scontext=aleksey:sysadm_r:hostname_t
tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { create } for pid=9499
exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t
tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
audit(1079685457.361:0): avc: denied { connect } for pid=9499
exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t
tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
The socket ones are coming from, I believe, trying to access
/var/run/nscd/socket that does not exist (nscd was never used on this
machine).
How do I make sudo "trusted"?
by Aleksey Nogin
Contrast the following two:
% su -c id
Password:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t
% sudo id
Password:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=user_u:user_r:user_t
How do I change my local policy so as to have sudo grant the same sysadm
permissions as su does? Is it possible to make it tunable? Or is this
something that is very dangerous and should not be done? Thanks!
Syslog to /dev/tty10
by Aleksey Nogin
If I want syslogd to log to a tty, what is the "proper" way of allowing it?
Should I augment the local file contexts to set /dev/tty10 to be
var_log_t? Or should I augment the local policies to allow syslogd_t
processes more access? Or should I do something else?
Thanks!
Http clean install - and many problems with the initial install
by Jim Cornette
I just installed Fedora core development from 3/17 and after the
install, gdm did not recognize that there was actually a home directory
created.
This also happened with the root account.
Anyway, user regular had files that it did not seem to own when using
mc to visually see the files present. All the files looked like the
default for broken symlinks.
With the root user, gdm did not see the /root directory and would not start.
Next, I thought that I'd telinit to runlevel 1 and change to
/etc/security/selinux/src/policy to run make, then make relabel. I ran
make and there was nothing to make. Performing an ls on the directory
only yielded a file_x and nothing more.
I edited my grub.conf file and am now running with SELinux off. I then
checked if policy was installed, it was. Then checked if policy-sources
was installed, it wasn't.
I then ran up2date policy-sources and it downloaded policy sources, then
checkpolicy as a requirement. Checking the directory now, there are
other files installed.
The below mess is what I did so far. I will run make and make relabel
tomorrow.
I also have a lot of mail to root with errors galore. This might help
narrow down some problems.
Also, thanks for the suggestion of turning off fam for the other
installation that I have. I'll try to see if the error count goes down.
paste below of activity (from gnome-terminal)
[root@cornette-development root]# rpm -q policy
policy-1.8-19
[root@cornette-development root]# rpm -q policy-sources
package policy-sources is not installed
[root@cornette-development root]# up2date policy-sources
http://fedora.redhat.com/download/up2date-mirrors/fedora-core-rawhide
using mirror: http://mirrors.kernel.org/fedora/core/development/i386/
Fetching Obsoletes list for channel: fedora-core-rawhide...
Fetching rpm headers...
########################################
Name Version Rel
----------------------------------------------------------
policy-sources 1.8 19
noarch
Testing package set / solving RPM inter-dependencies...
########################################
policy-sources-1.8-19.noarc ########################## Done.
checkpolicy-1.8-1.i386.rpm: ########################## Done.
Preparing ########################################### [100%]
Installing...
1:checkpolicy ###########################################
[100%]
2:policy-sources ###########################################
[100%]
make: Entering directory `/etc/security/selinux/src/policy'
mkdir -p tmp
( cd domains/program/ ; for n in *.te ; do echo "define(\`$n')"; done )
> tmp/program_used_flags.te.tmp
( cd domains/misc/ ; for n in *.te ; do echo "define(\`$n')"; done ) >>
tmp/program_used_flags.te.tmp
mv tmp/program_used_flags.te.tmp tmp/program_used_flags.te
mkdir -p tmp
m4 -Imacros -s flask/security_classes flask/initial_sids
flask/access_vectors tunable.te attrib.te tmp/program_used_flags.te
macros/program/apache_macros.te macros/program/chkpwd_macros.te
macros/program/chroot_macros.te macros/program/clamav_macros.te
macros/program/crond_macros.te macros/program/crontab_macros.te
macros/program/fingerd_macros.te macros/program/gpg_macros.te
macros/program/gph_macros.te macros/program/irc_macros.te
macros/program/login_macros.te macros/program/lpr_macros.te
macros/program/mount_macros.te macros/program/mozilla_macros.te
macros/program/mta_macros.te macros/program/newrole_macros.te
macros/program/rhgb_macros.te macros/program/run_program_macros.te
macros/program/screen_macros.te macros/program/sendmail_macros.te
macros/program/slocate_macros.te macros/program/ssh_agent_macros.te
macros/program/ssh_macros.te macros/program/su_macros.te
macros/program/uml_macros.te macros/program/xauth_macros.te
macros/program/x_client_macros.te macros/program/xserver_macros.te
macros/program/ypbind_macros.te macros/admin_macros.te
macros/base_user_macros.te macros/core_macros.te macros/global_macros.te
macros/mini_user_macros.te macros/user_macros.te types/device.te
types/devpts.te types/file.te types/network.te types/nfs.te
types/procfs.te types/security.te domains/admin.te domains/user.te
domains/misc/auth-net.te domains/misc/fcron.te domains/misc/kernel.te
domains/misc/startx.te domains/program/acct.te domains/program/amanda.te
domains/program/amavis.te domains/program/anaconda.te
domains/program/apache.te domains/program/apmd.te domains/program/atd.te
domains/program/auditd.te domains/program/authbind.te
domains/program/automount.te domains/program/backup.te
domains/program/bluetooth.te domains/program/bootloader.te
domains/program/calamaris.te domains/program/canna.te
domains/program/cardmgr.te domains/program/checkpolicy.te
domains/program/chkpwd.te domains/program/chroot.te
domains/program/ciped.te domains/program/clamav.te
domains/program/consoletype.te domains/program/courier.te
domains/program/cpucontrol.te domains/program/cpuspeed.te
domains/program/crack.te domains/program/crond.te
domains/program/crontab.te domains/program/cups.te
domains/program/cyrus.te domains/program/dbusd.te
domains/program/ddt-client.te domains/program/devfsd.te
domains/program/dhcpc.te domains/program/dhcpd.te
domains/program/dictd.te domains/program/dmesg.te
domains/program/fingerd.te domains/program/firstboot.te
domains/program/fsadm.te domains/program/fs_daemon.te
domains/program/ftpd.te domains/program/games.te
domains/program/getty.te domains/program/gnome-pty-helper.te
domains/program/gpg.te domains/program/gpm.te
domains/program/hostname.te domains/program/hotplug.te
domains/program/hwclock.te domains/program/ifconfig.te
domains/program/imazesrv.te domains/program/inetd.te
domains/program/initrc.te domains/program/init.te
domains/program/innd.te domains/program/ipsec.te
domains/program/iptables.te domains/program/ircd.te
domains/program/irc.te domains/program/irqbalance.te
domains/program/jabberd.te domains/program/klogd.te
domains/program/kudzu.te domains/program/lcd.te
domains/program/ldconfig.te domains/program/loadkeys.te
domains/program/load_policy.te domains/program/login.te
domains/program/logrotate.te domains/program/lpd.te
domains/program/lpr.te domains/program/lrrd.te domains/program/lvm.te
domains/program/mailman.te domains/program/mdadm.te
domains/program/modutil.te domains/program/monopd.te
domains/program/mount.te domains/program/mozilla.te
domains/program/mrtg.te domains/program/mta.te domains/program/mysqld.te
domains/program/named.te domains/program/nessusd.te
domains/program/netsaint.te domains/program/netutils.te
domains/program/newrole.te domains/program/nscd.te
domains/program/nsd.te domains/program/ntpd.te
domains/program/oav-update.te domains/program/openca-ca.te
domains/program/pamconsole.te domains/program/pam.te
domains/program/passwd.te domains/program/perdition.te
domains/program/ping.te domains/program/portmap.te
domains/program/portslave.te domains/program/postfix.te
domains/program/postgresql.te domains/program/pppd.te
domains/program/prelink.te domains/program/privoxy.te
domains/program/procmail.te domains/program/pump.te
domains/program/pxe.te domains/program/quota.te
domains/program/radius.te domains/program/radvd.te
domains/program/restorecon.te domains/program/rhgb.te
domains/program/rlogind.te domains/program/rpcd.te
domains/program/rpm.te domains/program/rshd.te domains/program/samba.te
domains/program/scannerdaemon.te domains/program/screen.te
domains/program/sendmail.te domains/program/setfiles.te
domains/program/seuser.te domains/program/slapd.te
domains/program/slocate.te domains/program/slrnpull.te
domains/program/snmpd.te domains/program/snort.te
domains/program/sound-server.te domains/program/sound.te
domains/program/spamd.te domains/program/speedmgmt.te
domains/program/squid.te domains/program/ssh-agent.te
domains/program/ssh.te domains/program/sudo.te
domains/program/sulogin.te domains/program/su.te domains/program/sxid.te
domains/program/syslogd.te domains/program/sysstat.te
domains/program/tcpd.te domains/program/tftpd.te
domains/program/tmpreaper.te domains/program/traceroute.te
domains/program/transproxy.te domains/program/udev.te
domains/program/uml.te domains/program/updfstab.te
domains/program/uptimed.te domains/program/usbmodules.te
domains/program/useradd.te domains/program/userhelper.te
domains/program/utempter.te domains/program/vmware.te
domains/program/watchdog.te domains/program/xauth.te
domains/program/xdm.te domains/program/xfs.te domains/program/xserver.te
domains/program/ypbind.te domains/program/ypserv.te
domains/program/zebra.te assert.te rbac users constraints
initial_sid_contexts fs_use genfs_contexts net_contexts > policy.conf.tmp
mv policy.conf.tmp policy.conf
mkdir -p /etc/security/selinux/src
install -m 644 policy.conf /etc/security/selinux/src/policy.conf
mkdir -p /etc/security/selinux
/usr/bin/checkpolicy -c -o /etc/security/selinux/policy.15
/etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy: loading policy configuration from
/etc/security/selinux/src/policy.conf
security: 3 users, 5 roles, 1161 types, 1 bools
security: 30 classes, 198929 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 15) to
/etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
mkdir -p file_contexts/misc
m4 file_contexts/types.fc file_contexts/program/acct.fc
file_contexts/program/amanda.fc file_contexts/program/amavis.fc
file_contexts/program/anaconda.fc file_contexts/program/apache.fc
file_contexts/program/apmd.fc file_contexts/program/atd.fc
file_contexts/program/auditd.fc file_contexts/program/authbind.fc
file_contexts/program/automount.fc file_contexts/program/backup.fc
file_contexts/program/bluetooth.fc file_contexts/program/bootloader.fc
file_contexts/program/calamaris.fc file_contexts/program/canna.fc
file_contexts/program/cardmgr.fc file_contexts/program/checkpolicy.fc
file_contexts/program/chkpwd.fc file_contexts/program/chroot.fc
file_contexts/program/ciped.fc file_contexts/program/clamav.fc
file_contexts/program/consoletype.fc file_contexts/program/courier.fc
file_contexts/program/cpucontrol.fc file_contexts/program/cpuspeed.fc
file_contexts/program/crack.fc file_contexts/program/crond.fc
file_contexts/program/crontab.fc file_contexts/program/cups.fc
file_contexts/program/cyrus.fc file_contexts/program/dbusd.fc
file_contexts/program/ddt-client.fc file_contexts/program/devfsd.fc
file_contexts/program/dhcpc.fc file_contexts/program/dhcpd.fc
file_contexts/program/dictd.fc file_contexts/program/dmesg.fc
file_contexts/program/fingerd.fc file_contexts/program/firstboot.fc
file_contexts/program/fsadm.fc file_contexts/program/fs_daemon.fc
file_contexts/program/ftpd.fc file_contexts/program/games.fc
file_contexts/program/getty.fc file_contexts/program/gnome-pty-helper.fc
file_contexts/program/gpg.fc file_contexts/program/gpm.fc
file_contexts/program/hostname.fc file_contexts/program/hotplug.fc
file_contexts/program/hwclock.fc file_contexts/program/ifconfig.fc
file_contexts/program/imazesrv.fc file_contexts/program/inetd.fc
file_contexts/program/initrc.fc file_contexts/program/init.fc
file_contexts/program/innd.fc file_contexts/program/ipsec.fc
file_contexts/program/iptables.fc file_contexts/program/ircd.fc
file_contexts/program/irc.fc file_contexts/program/irqbalance.fc
file_contexts/program/jabberd.fc file_contexts/program/klogd.fc
file_contexts/program/kudzu.fc file_contexts/program/lcd.fc
file_contexts/program/ldconfig.fc file_contexts/program/loadkeys.fc
file_contexts/program/load_policy.fc file_contexts/program/login.fc
file_contexts/program/logrotate.fc file_contexts/program/lpd.fc
file_contexts/program/lpr.fc file_contexts/program/lrrd.fc
file_contexts/program/lvm.fc file_contexts/program/mailman.fc
file_contexts/program/mdadm.fc file_contexts/program/modutil.fc
file_contexts/program/monopd.fc file_contexts/program/mount.fc
file_contexts/program/mozilla.fc file_contexts/program/mrtg.fc
file_contexts/program/mta.fc file_contexts/program/mysqld.fc
file_contexts/program/named.fc file_contexts/program/nessusd.fc
file_contexts/program/netsaint.fc file_contexts/program/netutils.fc
file_contexts/program/newrole.fc file_contexts/program/nscd.fc
file_contexts/program/nsd.fc file_contexts/program/ntpd.fc
file_contexts/program/oav-update.fc file_contexts/program/openca-ca.fc
file_contexts/program/pamconsole.fc file_contexts/program/pam.fc
file_contexts/program/passwd.fc file_contexts/program/perdition.fc
file_contexts/program/ping.fc file_contexts/program/portmap.fc
file_contexts/program/portslave.fc file_contexts/program/postfix.fc
file_contexts/program/postgresql.fc file_contexts/program/pppd.fc
file_contexts/program/prelink.fc file_contexts/program/privoxy.fc
file_contexts/program/procmail.fc file_contexts/program/pump.fc
file_contexts/program/pxe.fc file_contexts/program/quota.fc
file_contexts/program/radius.fc file_contexts/program/radvd.fc
file_contexts/program/restorecon.fc file_contexts/program/rhgb.fc
file_contexts/program/rlogind.fc file_contexts/program/rpcd.fc
file_contexts/program/rpm.fc file_contexts/program/rshd.fc
file_contexts/program/samba.fc file_contexts/program/scannerdaemon.fc
file_contexts/program/screen.fc file_contexts/program/sendmail.fc
file_contexts/program/setfiles.fc file_contexts/program/seuser.fc
file_contexts/program/slapd.fc file_contexts/program/slocate.fc
file_contexts/program/slrnpull.fc file_contexts/program/snmpd.fc
file_contexts/program/snort.fc file_contexts/program/sound-server.fc
file_contexts/program/sound.fc file_contexts/program/spamd.fc
file_contexts/program/speedmgmt.fc file_contexts/program/squid.fc
file_contexts/program/ssh-agent.fc file_contexts/program/ssh.fc
file_contexts/program/sudo.fc file_contexts/program/sulogin.fc
file_contexts/program/su.fc file_contexts/program/sxid.fc
file_contexts/program/syslogd.fc file_contexts/program/sysstat.fc
file_contexts/program/tcpd.fc file_contexts/program/tftpd.fc
file_contexts/program/tmpreaper.fc file_contexts/program/traceroute.fc
file_contexts/program/transproxy.fc file_contexts/program/udev.fc
file_contexts/program/uml.fc file_contexts/program/updfstab.fc
file_contexts/program/uptimed.fc file_contexts/program/usbmodules.fc
file_contexts/program/useradd.fc file_contexts/program/userhelper.fc
file_contexts/program/utempter.fc file_contexts/program/vmware.fc
file_contexts/program/watchdog.fc file_contexts/program/xauth.fc
file_contexts/program/xdm.fc file_contexts/program/xfs.fc
file_contexts/program/xserver.fc file_contexts/program/ypbind.fc
file_contexts/program/ypserv.fc file_contexts/program/zebra.fc >
file_contexts/file_contexts.tmp
rm file_contexts/file_contexts.tmp
mkdir -p /etc/security/selinux
install -m 644 file_contexts/file_contexts
/etc/security/selinux/file_contexts
/usr/sbin/load_policy /etc/security/selinux/policy.15
/usr/sbin/load_policy: security_load_policy failed
make: *** [reload] Error 3
make: Leaving directory `/etc/security/selinux/src/policy'
The following packages were added to your selection to satisfy dependencies:
Name Version Release
--------------------------------------------------------------
checkpolicy 1.8 1
[root@cornette-development root]# pwd
/root
[root@cornette-development root]# cd /etc/security/selinux/src/policy
[root@cornette-development policy]# ls
appconfig file_contexts mls remove-unwanted-policy
assert.te flask net_contexts tmp
attrib.te fs_use policy.15 tunable.te
ChangeLog genfs_contexts policy.conf types
constraints initial_sid_contexts policy.spec users
COPYING macros rbac VERSION
domains Makefile README