Problem with Tresys tools on Core 2
by Nick
Conditions:
-----------
Install from DVD ISO
yum upgrade
installation of RPMs
checkpolicy-1.10-1.i386.rpm
policy-sources-1.11.2-18.noarch.rpm
setools-1.3-2.i386.rpm
setools-gui-1.3-2.i386.rpm
Results
-------
[root@rocket policy]# seinfo -r
Could not open policy!
[root@rocket policy]# seuser -X
Error in StartScript (/usr/share/setools/se_user.tcl):
Thanks Nick
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
Access to cd device denied for cdp
by Andrew Farris
Playing a cd from the terminal using cdp, or cdplay (non-interactive),
results in the following avc in permissive mode (but the cd is allowed
to play):
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
ino=66203 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
This is not audited in enforcing mode, but does not work either
(program exits with "please chmod 666 /dev/cdrom as root").
/dev/cdrom is symlinked directly to /dev/hdc.
4.0K lrwxrwxrwx 1 0 0 8 Mar 29 17:26 /dev/cdrom -> /dev/hdc
4.0K brw-rw-rw- 1 0 6 22, 0 Feb 23 13:02 /dev/hdc
Is this expected, or desired behavior? Shouldn't a locally logged in
user be allowed access to audio cds? (perhaps should be -or is- tunable)
I'm working with policy-sources-1.11.2-13.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmund Burke)
Need to allow output from processes under sudo.
by Aleksey Nogin
Recently sudo was changed back not to relabel the tty (see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213 , for
example). This means that now the processes that sudo might run need to
be given explicit access to the caller's tty (until something better is
implemented - see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213#c2 for my
description of how I think it should work).
Anyway, for now I had to add to my local policy mods:
allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t
load_policy_t sysadm_mail_t ping_t traceroute_t }
staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };
And this is probably still very incomplete.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
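The two posts above both come down to the same workflow: read an AVC denial like Andrew's cdp ioctl message, turn it into an `allow` rule, and check it against rules you already carry locally, like Aleksey's tty rules. The following is an added example that is not part of either post and not the audit2allow tool; it parses the denial quoted in the cdp post (rejoined onto one line), merges a second, constructed denial for the same device, generates the allow rule, and expands the brace sets in Aleksey's rules to see which denied (source, target, class, permission) tuples are still uncovered. The second log line and the two helper function names are assumptions made for the example.

```python
"""Added example: AVC denial -> allow rule, and coverage check against
existing policy rules. Not the audit2allow tool and not code from the
posts above."""
import re
from collections import defaultdict

# Constructed sample log. The first line is the denial quoted in the cdp
# post, rejoined onto one line; the second is made up for the example,
# same object, different permissions, to show merging.
SAMPLE_LOG = """\
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc: denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 ino=66203 scontext=user_u:user_r:user_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Apr 26 15:09:25 CirithUngol kernel: audit(1083017365.000:0): avc: denied { read write } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8 ino=66203 scontext=user_u:user_r:user_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
"""

# The local rules posted by Aleksey, verbatim.
POSTED_RULES = """\
allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t
load_policy_t sysadm_mail_t ping_t traceroute_t }
staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms) or None.
    The type is the third field of a user:role:type context."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def denials_to_rules(log_text):
    """Merge all denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            s, t, c, perms = rec
            merged[(s, t, c)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

# One allow rule; each of source, target and permissions may be a bare
# identifier or a brace-delimited set spanning several lines.
RULE_RE = re.compile(
    r"allow\s+(?P<src>\{[^}]*\}|[^\s{}]+)\s+(?P<tgt>\{[^}]*\}|[^\s:{}]+)"
    r":(?P<cls>[^\s{}]+)\s+(?P<perms>\{[^}]*\}|[^\s;{}]+)\s*;"
)

def _expand(tok):
    """'{ a b }' -> ['a', 'b']; 'a' -> ['a']."""
    return tok.strip("{}").split() if tok.startswith("{") else [tok]

def expand_rules(policy_text):
    """Expand brace sets into individual (src, tgt, cls, perm) tuples."""
    out = set()
    for m in RULE_RE.finditer(policy_text):
        for s in _expand(m.group("src")):
            for t in _expand(m.group("tgt")):
                for p in _expand(m.group("perms")):
                    out.add((s, t, m.group("cls"), p))
    return out

def uncovered(log_text, policy_text):
    """Denied (src, tgt, cls, perm) tuples that policy_text does not allow."""
    allowed = expand_rules(policy_text)
    missing = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            s, t, c, perms = rec
            missing |= {(s, t, c, p) for p in perms if (s, t, c, p) not in allowed}
    return missing

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
    for tup in sorted(uncovered(SAMPLE_LOG, POSTED_RULES)):
        print("still denied:", tup)
```

Note that the generated rule for the cdp case would grant user_t access to fixed_disk_device_t as a whole, which is exactly why Andrew's question matters: /dev/hdc is labelled as a fixed disk, so any rule written from that denial alone is far broader than "let users play audio CDs". Run the uncovered check again after appending the generated rules to the policy text and the set is empty.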