Hi Louis,
Do not lose your time with login.te module. It does not work, or at least it
does not allow login.
I could not fix the problem for myself but managed to find that my initial
problem with firefox is still not solved in f7 even with the latest policy.
So I am still looking for a solution of the firefox problem.
regards
Hal
--- Louis Lam <lshoujun(a)yahoo.com> wrote:
Hi Dan,
For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've
updated only the following rpms:
selinux-policy
selinux-policy-devel
selinux-policy-targeted
selinux-policy-strict
But I left the libselinux libraries alone since the rpm upgrade went through
without complaints. I can't use YUM because my system is not directly
connected to the internet.
But I'm still faced with the problem of not being able to log on as root at
runlevel 5, GUI login.
Do I still need the login.te module? Or is it advisable to upgrade the
selinux libraries as well?
Thanks,
Louis
--- Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Louis Lam wrote:
> > Hi Dan,
> >
> > I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm
> > not too sure where to go and how to get the latest policy version. Do
> > I take the latest policy version and remake the source RPM? Or are
> > there pre-packaged rpms that I can use to upgrade?
> >
> You should be able to simply do a yum update.
> > You didn't see this problem in RHEL 5? Do I need the local.te module
> > if I use the "stock" RHEL 5? I tried switching to strict policy in
> > RHEL 5 and cannot login with root. But I can log in as a normal user.
> > Is it "normal" that this restriction be placed on root? Is the
> > local.te trying to enable root login?
> No this sounds like either a bug or a labeling problem in RHEL5. You
> should be able to login as root. You might want to update to the U1
> policy which is available on
> http://people.redhat.com/dwalsh/SELinux/RHEL5
> >
> > Thanks,
> > Louis
> >
> > ----- Original Message ----
> > From: Daniel J Walsh <dwalsh(a)redhat.com>
> > To: Louis Lam <lshoujun(a)yahoo.com>
> > Cc: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>; Hal
> > <hal_bg(a)yahoo.com>; fedora-selinux-list(a)redhat.com; cpebenito(a)tresys.com
> > Sent: Friday, August 10, 2007 11:17:42 PM
> > Subject: Re: Strict policy on FC6 and F7
> >
> > Louis Lam wrote:
> > > Hi,
> > >
> > > I'm still having problems compiling the local.te module. The problem
> > > > I'm facing seems to be different from Hal's:
> > >
> > > --------------------
> > > local.te:11:ERROR 'permission nlsms_relay is not defined for class
> > > netlink_audit_socket' at token '
> > > ;' on line 80809:
> > > allow local_login_t self:netlink_audit_socket { { create {
> > > ioctl read getattr write setattr
> > > append bind connect getopt setopt shutdown } } nlmsg_read
> > > > nlsms_relay };
> > > #line 11
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make: *** [tmp/local.mod] Error 1
> > > ---------------------
> > >
> > > My local.te file looks like this:
> > > -------------
> > > policy_module(local,1.0)
> > >
> > > require {
> > >
> > > type local_login_t;
> > > > class netlink_audit_socket { append bind connect shutdown
> > > > ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > > }
> > >
> > >
> > > logging_send_audit_msg(local_login_t)
> > > logging_set_loginuid(local_login_t)
> > >
> > > -------------
> > >
> > > Seems like the problem is with logging_set_loginuid macro. I'm not
> > > sure how to solve this problem though.
> > >
> > > BTW here are some details on my environment:
> > >
> > > 1. I'm using the stock policy for FC7 2.6.4-8
> > > 2. I did the compilation while running in targeted mode (will it
> > > > affect?)
> > > 3. The macro logging_set_loginuid is defined in the file
> > > policy-20070501.patch
> > >
> > > > Here is an extract of how logging_set_loginuid is defined in the patch:
> > >
> > > +########################################
> > > +## <summary>
> > > +## Set login uid
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`logging_set_loginuid',`
> > > + gen_require(`
> > > + attribute can_set_loginuid;
> > > + attribute can_send_audit_msg;
> > > + ')
> > > +
> > > + typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > > +
> > > + allow $1 self:capability audit_control;
> > > + allow $1 self:netlink_audit_socket { create_socket_perms
> > > nlmsg_read nlsms_relay };
> > > +')
> > >
> > > Hope it helps in solving the problem...
> > >
> > > Thanks,
> > > Louis
> > I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
> > using the latest policy?
> >
> >
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
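The checkmodule failure discussed in this thread comes from a permission name that the class does not define. The following is an added example, not part of any message in the thread or of the policy sources: a small lint that checks the permissions in `allow` rules against a per-class table and suggests the closest defined name. The `CLASS_PERMS` table, `SAMPLE` text and function name are assumptions made for the example.

```python
import difflib
import re

# Constructed for this example: the common socket permissions plus the
# nlmsg_* permissions of netlink_audit_socket. On a real system, read the
# list from the installed policy instead of hard-coding it.
CLASS_PERMS = {
    "netlink_audit_socket": {
        "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
        "relabelfrom", "relabelto", "append", "bind", "connect", "listen",
        "accept", "getopt", "setopt", "shutdown", "recvfrom", "sendto",
        "recv_msg", "send_msg", "name_bind",
        "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
    },
}

# Matches "allow SRC TGT:CLASS { perms };", including the nested braces
# that macro expansion leaves behind.
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\w+)\s+\{(.*?)\}\s*;", re.S)

# Constructed sample: the expanded rule as reported by checkmodule in the
# thread, plus one rule for a class the table does not cover.
SAMPLE = """
allow local_login_t self:capability audit_control;
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr
  write setattr append bind connect getopt setopt shutdown } } nlmsg_read
  nlsms_relay };
"""

def undefined_perms(policy_text, class_perms=CLASS_PERMS):
    """Return (class, bad_permission, closest_defined_name_or_None) tuples."""
    findings = []
    for _src, _tgt, tclass, body in ALLOW_RE.findall(policy_text):
        known = class_perms.get(tclass)
        if known is None:
            continue  # class not in the table: nothing to check against
        for perm in body.replace("{", " ").replace("}", " ").split():
            if perm not in known:
                close = difflib.get_close_matches(perm, sorted(known), n=1)
                findings.append((tclass, perm, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for tclass, perm, hint in undefined_perms(SAMPLE):
        print(f"{tclass}: '{perm}' is not defined; did you mean '{hint}'?")
```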