Louis Lam wrote:
Hi,
I've fixed the typo problem on nlsms_relay. Now the module compiles ok, but I
can't load it via semodule, I'm getting this error:
semodule -vi local.pp
libsepol.permission_copy_callback: Module local depends on permission nlsms_relay in class netlink_audit_socket, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
My local.te looks like this now,
----------------------------
policy_module(local,1.0)
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr
shutdown getopt setopt write nlsms_relay nlmsg_read create read };
}
should be nlmsg_relay
NetLinkMeSsaGe :^)
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
-----------------------
I don't quite understand why there is a dependency not satisfied.
Thanks,
Louis
--- Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> On Thu, 2007-08-09 at 19:36 -0700, Louis Lam wrote:
>
>> Hi,
>>
>> I'm still having problems compiling the local.te module. The problem
>> I'm facing seems to be different from Hal's:
>>
>> --------------------
>> local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
>> allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
>>
>>
> Looks like a typo in the policy includes to me (nlsms_relay vs.
> nlmsg_relay).
>
>
>> #line 11
>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>> make: *** [tmp/local.mod] Error 1
>> ---------------------
>>
>> My local.te file looks like this:
>> -------------
>> policy_module(local,1.0)
>>
>> require {
>>
>> type local_login_t;
>> class netlink_audit_socket { append bind connect shutdown
>> ioctl getattr setattr shutdown getopt
>> setopt write nlmsg_relay nlmsg_read create read };
>> }
>>
>>
>> logging_send_audit_msg(local_login_t)
>> logging_set_loginuid(local_login_t)
>>
>> -------------
>>
>> Seems like the problem is with logging_set_loginuid macro. I'm not
>> sure how to solve this problem though.
>>
>> BTW here are some details on my environment:
>>
>> 1. I'm using the stock policy for FC7 2.6.4-8
>> 2. I did the compilation while running in targeted mode (will it
>> affect?)
>> 3. The macro logging_set_loginuid is defined in the file
>> policy-20070501.patch
>>
>> Here is an extract of how logging_set_loginuid is defined in the
>> patch :
>>
>> +########################################
>> +## <summary>
>> +## Set login uid
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`logging_set_loginuid',`
>> + gen_require(`
>> + attribute can_set_loginuid;
>> + attribute can_send_audit_msg;
>> + ')
>> +
>> + typeattribute $1 can_set_loginuid, can_send_audit_msg;
>> +
>> + allow $1 self:capability audit_control;
>> + allow $1 self:netlink_audit_socket { create_socket_perms
>> nlmsg_read nlsms_relay };
>>
>> +')
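Review bot: In the last allow rule of logging_set_loginuid, the permission set on self:netlink_audit_socket lists nlsms_relay, which the checkmodule output quoted earlier in this message reports as not defined for that class; it should be nlmsg_relay, matching the nlmsg_read beside it. A module whose require block copies the misspelled name compiles but then fails to link, as the semodule error at the top of the message shows, so the correction belongs in this interface rather than in local.te.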
>>
> Looks like the typo is there, and that interface doesn't seem to be
> present in the upstream refpolicy.
>
> --
> Stephen Smalley
> National Security Agency
>
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
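
An added example, not part of the original thread: a Python check that compares the permissions named in a module's require block with the permissions the class defines, which catches a misspelling such as nlsms_relay before semodule fails at link time. KNOWN_PERMS and the function name are assumptions made for this example; the authoritative list is the loaded policy (for instance the output of `seinfo -c netlink_audit_socket -x`).

```python
import difflib
import re

# Assumption: permissions of netlink_audit_socket as listed in the reference
# policy (common socket permissions plus the nlmsg_* ones). On a live system,
# take the list from the loaded policy instead.
KNOWN_PERMS = {
    "netlink_audit_socket": {
        "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
        "relabelfrom", "relabelto", "append", "bind", "connect", "listen",
        "accept", "getopt", "setopt", "shutdown", "recvfrom", "sendto",
        "recv_msg", "send_msg", "name_bind",
        "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
    },
}

CLASS_RE = re.compile(r"\bclass\s+(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;")
REQUIRE_RE = re.compile(r"\brequire\s*\{((?:[^{}]|\{[^{}]*\})*)\}")

def check_require_perms(te_source, known=KNOWN_PERMS):
    """Return (class, permission, suggestion) for each permission that a
    require block names but the class does not define."""
    source = re.sub(r"#.*", "", te_source)  # drop comments
    problems = []
    for block in REQUIRE_RE.findall(source):
        for cls, braced, single in CLASS_RE.findall(block):
            if cls not in known:
                continue  # no reference list for this class
            for perm in (braced or single).split():
                if perm not in known[cls]:
                    close = difflib.get_close_matches(perm, known[cls], n=1)
                    problems.append((cls, perm, close[0] if close else None))
    return problems

# Constructed sample: the require block from the message above.
SAMPLE_TE = """
policy_module(local,1.0)
require {
type local_login_t;
class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr
 getopt setopt write nlsms_relay nlmsg_read create read };
}
logging_send_audit_msg(local_login_t)
"""

if __name__ == "__main__":
    for cls, perm, hint in check_require_perms(SAMPLE_TE):
        print(f"{cls}: undefined permission {perm!r}, did you mean {hint!r}?")
```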