failed to customize policy, SELinux won't let me

Stephen Smalley sds at tycho.nsa.gov
Wed May 3 17:04:06 UTC 2006


On Wed, 2006-05-03 at 09:53 -0700, Florin Andrei wrote:
> Fresh FC5 install (not an update) on an Intel 32bit CPU.
> Applied all updates, reboot, let anacron do its job, reboot.
> 
> Installed Postfix and Cyrus-IMAPd
> While testing Postfix with Cyrus I got this:
> 
> May  3 09:38:25 stantz kernel: audit(1146674305.211:305): avc:  denied
> { search } for  pid=3441 comm="lmtp" name="lib" dev=hda2 ino=2293761
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> 
> OK, fine, I go here and follow the steps (all the time working in
> the /root/selinux directory):
> 
> http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-local.te
> 
> However, I can't seem to load the local module:
> 
> # /usr/sbin/semodule -i local.pp
> /usr/sbin/semodule:  Could not read file 'local.pp':
> # ls
> local.fc  local.if  local.pp  local.te  tmp
> # cat local.te
> policy_module(local, 1.0)
> 
> require {
>         type postfix_master_t;
>         type var_lib_t;
> }
> 
> allow postfix_master_t var_lib_t:dir search;
> 
> In the logs I get this:
> 
> audit(1146674668.001:307): avc:  denied  { search } for  pid=3569
> comm="semodule" name="selinux" dev=hda4 ino=6501763
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> 
> What is going on?

Yes, I noticed this as well - semanage/semodule policy doesn't appear to
allow it to take input from user home directories presently.  Nice from
an integrity point of view (don't take untrustworthy inputs), but likely
not workable for everyday usage.

-- 
Stephen Smalley
National Security Agency
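The two AVC denials quoted in this thread, parsed into the `allow` rule that Florin's local.te carries, as an added example (not part of the original thread, and not the audit2allow tool). The denial against `semanage_t` is reported rather than converted, since, as Stephen's reply notes, that denial is the policy refusing to read modules from a home directory, and it is the module's location that should change, not the policy.

```python
import re

# AVC lines constructed from the two denials quoted in the thread above.
AVC_LINES = [
    'audit(1146674305.211:305): avc:  denied  { search } for  pid=3441 comm="lmtp" '
    'name="lib" dev=hda2 ino=2293761 scontext=user_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'audit(1146674668.001:307): avc:  denied  { search } for  pid=3569 comm="semodule" '
    'name="selinux" dev=hda4 ino=6501763 scontext=user_u:system_r:semanage_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the permissions, source type, target type and class of one denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    return {
        'perms': m.group('perms').split(),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }

def allow_rule(d):
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"

def build_module(name, version, lines):
    """Build a local.te text; denials hit by semanage_t itself are returned separately."""
    denials = [d for d in (parse_avc(l) for l in lines) if d]
    # Loading a module from a home directory is blocked on purpose: move the
    # .pp out of the home directory instead of allowing semanage_t into it.
    skipped = [d for d in denials if d['stype'] == 'semanage_t']
    kept = [d for d in denials if d['stype'] != 'semanage_t']
    types = sorted({t for d in kept for t in (d['stype'], d['ttype'])})
    out = [f'policy_module({name}, {version})', '', 'require {']
    out += [f'\ttype {t};' for t in types] + ['}', '']
    out += [allow_rule(d) for d in kept]
    return '\n'.join(out) + '\n', skipped

if __name__ == '__main__':
    text, skipped = build_module('local', '1.0', AVC_LINES)
    print(text)
    for d in skipped:
        print(f"# not allowed: {d['stype']} -> {d['ttype']}:{d['tclass']} (relocate the module file)")
```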
