Hi Dan,
I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm not too
sure where to go and how to get the latest policy version. Do I take the latest policy
version and remake the source RPM? Or are there pre-packaged rpms that I can use to
upgrade?
You didn't see this problem in RHEL 5? Do I need the local.te module if I use the
"stock" RHEL 5? I tried switching to strict policy in RHEL 5 and cannot login
with root. But I can log in as a normal user. Is it "normal" for this
restriction to be placed on root? Is the local.te trying to enable root login?
Thanks,
Louis
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: shintaro_fujiwara <shin216(a)xf7.so-net.ne.jp>; Hal <hal_bg(a)yahoo.com>;
fedora-selinux-list(a)redhat.com; cpebenito(a)tresys.com
Sent: Friday, August 10, 2007 11:17:42 PM
Subject: Re: Strict policy on FC6 and F7
Louis Lam wrote:
Hi,
I'm still having problems compiling the local.te module. The problem
I'm facing seems to be different from Hal's:
--------------------
local.te:11:ERROR 'permission nlsms_relay is not defined for class
netlink_audit_socket' at token '
;' on line 80809:
allow local_login_t self:netlink_audit_socket { { create {
ioctl read getattr write setattr
append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
---------------------
My local.te file looks like this:
-------------
policy_module(local,1.0)
require {
        type local_login_t;
        class netlink_audit_socket { append bind connect shutdown
                ioctl getattr setattr getopt setopt write
                nlmsg_relay nlmsg_read create read };
}
logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
-------------
Seems like the problem is with logging_set_loginuid macro. I'm not
sure how to solve this problem though.
BTW here are some details on my environment:
1. I'm using the stock policy for FC7 2.6.4-8
2. I did the compilation while running in targeted mode (will that affect it?)
3. The macro logging_set_loginuid is defined in the file
policy-20070501.patch
Here is an extract of how logging_set_loginuid is defined in the patch:
+########################################
+## <summary>
+## Set login uid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+ gen_require(`
+ attribute can_set_loginuid;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
+ allow $1 self:netlink_audit_socket { create_socket_perms
nlmsg_read nlsms_relay };
+')
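Review bot: the permission name `nlsms_relay` in the `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };` line is exactly the token checkmodule reports as "not defined for class netlink_audit_socket", and it does not match the `nlmsg_relay` that local.te's require block declares for that class; it reads as a transposition of `nlmsg_relay`. Suggest `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };` so the interface only uses permissions the class actually defines.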
Hope it helps in solving the problem...
Thanks,
Louis
I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
using the latest policy?
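As an added illustration (not code from this thread or from the reference policy), the check below reproduces what checkmodule complained about: it takes the class permissions declared in local.te's require block as the permission universe, flattens the macro-expanded allow rule from the error output (nested braces included), and reports any permission the rule uses that the class does not define. The two policy fragments are constructed from the text above; the regex-based parsing is an assumption that covers only simple refpolicy-style rules.

```python
import re

# Constructed from the local.te in the thread: the class and permissions it requires.
REQUIRE_BLOCK = """
require {
    type local_login_t;
    class netlink_audit_socket { append bind connect shutdown ioctl getattr
        setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
}
"""

# Constructed from the checkmodule error: the allow rule after macro expansion,
# with create_socket_perms already expanded into nested brace groups.
EXPANDED_RULE = """
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr
    write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
"""


def declared_perms(policy):
    """Map each class named in a require block to the set of permissions it declares."""
    classes = {}
    for m in re.finditer(r"class\s+(\w+)\s*\{([^}]*)\}", policy):
        classes[m.group(1)] = set(m.group(2).split())
    return classes


def allow_rules(policy):
    """Yield (source, target, class, perms) for each allow rule.

    Nested braces left behind by macro expansion are flattened into one set,
    which is how the policy compiler treats them as well.
    """
    pat = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{.*?\}|\w+)\s*;", re.S)
    for m in pat.finditer(policy):
        perms = set(re.sub(r"[{}]", " ", m.group(4)).split())
        yield m.group(1), m.group(2), m.group(3), perms


def undefined_perms(policy):
    """Return sorted (class, permission) pairs that allow rules use but no class declares."""
    classes = declared_perms(policy)
    problems = []
    for _src, _tgt, cls, perms in allow_rules(policy):
        for perm in sorted(perms - classes.get(cls, set())):
            problems.append((cls, perm))
    return problems


if __name__ == "__main__":
    for cls, perm in undefined_perms(REQUIRE_BLOCK + EXPANDED_RULE):
        print("permission %s is not defined for class %s" % (perm, cls))
```

Run as-is it flags nlsms_relay for netlink_audit_socket; with the rule spelled nlmsg_relay it reports nothing, which is the same distinction checkmodule draws.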