Hi Dan,
I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm not too sure where to go and how to get the latest policy version. Do I take the latest policy version and remake the source RPM? Or are there pre-packaged rpms that I can use to upgrade?
You didn't see this problem in RHEL 5? Do I need the local.te module if I use the "stock" RHEL 5? I tried switching to strict policy in RHEL 5 and cannot login with root. But I can log in as a normal user. Is it "normal" that this restriction be placed on root? Is the local.te trying to enable root login?
Thanks, Louis
----- Original Message ----
From: Daniel J Walsh dwalsh@redhat.com
To: Louis Lam lshoujun@yahoo.com
Cc: shintaro_fujiwara shin216@xf7.so-net.ne.jp; Hal hal_bg@yahoo.com; fedora-selinux-list@redhat.com; cpebenito@tresys.com
Sent: Friday, August 10, 2007 11:17:42 PM
Subject: Re: Strict policy on FC6 and F7
Louis Lam wrote:
Hi,
I'm still having problems compiling the local.te module. The problem I'm facing seems to be different from Hal's:
local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ' ;' on line 80809:
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
My local.te file looks like this:
policy_module(local,1.0)
require {
	type local_login_t;
	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.
BTW here are some details on my environment:
- I'm using the stock policy for FC7 2.6.4-8
- I did the compilation while running in targeted mode (will it affect?)
- The macro logging_set_loginuid is defined in the file policy-20070501.patch
Here is an extract of how logging_set_loginuid is defined in the patch:
+######################################## +## <summary> +## Set login uid +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_set_loginuid',`
gen_require(`
attribute can_set_loginuid;
attribute can_send_audit_msg;
')
typeattribute $1 can_set_loginuid, can_send_audit_msg;
allow $1 self:capability audit_control;
allow $1 self:netlink_audit_socket { create_socket_perms
nlmsg_read nlsms_relay }; +')
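Review bot: the last allow rule of the interface spells the permission `nlsms_relay`, which is not a permission of class netlink_audit_socket. The require block in local.te above names it `nlmsg_relay`, and the checkmodule error reports exactly the misspelled name, so any module that calls logging_set_loginuid will fail to compile against this version of the patch. The rule should read `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };`.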
Hope it helps in solving the problem...
Thanks, Louis
I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are using the latest policy?
Louis Lam wrote:
Hi Dan,
I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm not too sure where to go and how to get the latest policy version. Do I take the latest policy version and remake the source RPM? Or are there pre-packaged rpms that I can use to upgrade?
You should be able to simply do a yum update.
You didn't see this problem in RHEL 5? Do I need the local.te module if I use the "stock" RHEL 5? I tried switching to strict policy in RHEL 5 and cannot login with root. But I can log in as a normal user. Is it "normal" that this restriction be placed on root? Is the local.te trying to enable root login?
No, this sounds like either a bug or a labeling problem in RHEL5. You should be able to login as root. You might want to update to the U1 policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
Thanks, Louis
Hi Dan,
For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the following rpms
selinux-policy selinux-policy-devel selinux-policy-targeted selinux-policy-strict
But I left the libselinux libraries alone since the rpm upgrade went through without complaints. I can't use YUM because my system is not directly connected to the internet.
But I'm still faced with the problem of not being able to logon as root at runlevel 5, gui login. Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well?
Thanks, Louis
Hi Louis, do not lose your time with login.te module. It does not work, or at least it does not allow login.
I could not fix the problem for myself but managed to find that my initial problem with firefox is still not solved in f7 even with the latest policy.
So I am still looking for a solution of the firefox problem.
regards Hal
Louis Lam wrote:
Hi Dan,
For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the following rpms
selinux-policy selinux-policy-devel selinux-policy-targeted selinux-policy-strict
But I left the libselinux libraries alone since the rpm upgrade went through without complaints. I can't use YUM because my system is not directly connected to the internet.
But I'm still faced with the problem of not being able to logon as root at runlevel 5, gui login. Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well?
What error are you seeing at the gui login?
Thanks, Louis