Problem with Tresys tools on Core 2
by Nick
Conditions:
-----------
Install from DVD ISO
yum upgrade
installation of RPMS
checkpolicy-1.10-1.i386.rpm
policy-sources-1.11.2-18.noarch.rpm
setools-1.3-2.i386.rpm
setools-gui-1.3-2.i386.rpm
Results
-------
[root@rocket policy]# seinfo -r
Could not open policy!
[root@rocket policy]# seuser -X
Error in StartScript (/usr/share/setools/se_user.tcl):
Thanks Nick
--
Nick Gray
Senior Systems Engineer
Bruzenak Inc.
nagray(a)austin.rr.com
(512) 331-7998
19 years, 12 months
- 4
- 6
Access to cd device denied for cdp
by Andrew Farris
Playing a cd from the terminal using cdp, or cdplay (non-interactive),
results in the following avc in permissive mode (but the cd is allowed
to play):
Apr 26 15:09:24 CirithUngol kernel: audit(1083017364.035:0): avc:
denied { ioctl } for pid=10129 exe=/usr/bin/cdp path=/dev/hdc dev=hdb8
ino=66203 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
This is not audited in enforcing mode.. but does not work either
(program exits with "please chmod 666 /dev/cdrom as root").
/dev/cdrom is symlinked directly to /dev/hdc.
4.0K lrwxrwxrwx 1 0 0 8 Mar 29 17:26 /dev/cdrom -> /dev/hdc
4.0K brw-rw-rw- 1 0 6 22, 0 Feb 23 13:02 /dev/hdc
Is this expected, or desired behavior? Shouldn't a locally logged in
user be allowed access to audio cds? (perhaps should be -or is- tunable)
I'm working with policy-sources-1.11.2-13.
--
Andrew Farris, CPE senior (California Polytechnic State University, SLO)
fedora(a)andrewfarris.com :: lmorgul on irc.freenode.net
"The only thing necessary for the triumph of evil is for good men
to do nothing." (Edmond Burke)
19 years, 12 months
- 6
- 7
Need to allow output from processes under sudo.
by Aleksey Nogin
Recently sudo was changed back not to relabel the tty (see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213 , for
example). This means that now the processes that sudo might run need to
be given explicit access to the caller's tty (until something better is
implemented - see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213#c2 for my
description of how I think it should work).
Anyway, for now I had to add to my local policy modes:
allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t
load_policy_t sysadm_mail_t ping_t traceroute_t }
staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };
And this is probably still very incomplete.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
19 years, 12 months
- 1
- 0