need help for local.te

Stephen Smalley sds at tycho.nsa.gov
Fri May 19 15:14:47 UTC 2006


On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
> Hi,
> 
> I need help about local.te.  My system:
> 
> kernel:         2.6.16-1.2111_FC5smp
> selinux-policy-targeted:     2.2.38-1.fc5
> audit:          1.1.5-1
> sendmail:       8.13.6-0.FC5.1
> squirrelmail:   1.4.6-5.fc5
> 
> When I try to create an email folder in squirrelmail, I got Error.  So, I run
> the following to create my local.te and add my module.  Here are what I run
> and get:
> 
> # audit2allow -M local < /var/log/audit/audit.log
> Generating type enforcment file: local.te
> Compiling policy
> checkmodule -M -m -o local.mod local.te
> semodule_package -o local.pp -m local.mod
> 
> ******************** IMPORTANT ***********************
> 
> In order to load this newly created policy package into the kernel,
> you are required to execute
> 
> semodule -i local.pp
> 
> # ls -l
> total 40
> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
> 
> # semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> How to solve the problem?
> 
> Thanks!

This means that your local.te file includes a rule that allows httpd to
read your /etc/shadow file, and this violates an assertion in the base
policy.  Review your local.te file, prune entries that are not
legitimate, and rebuild the .mod and .pp files, e.g.
# vi local.te # edit out bogus entries or replace them with dontaudit rules
# checkmodule -m -M -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp

-- 
Stephen Smalley
National Security Agency
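The clean-up Stephen describes, as an added shell example that is not part of the thread: demote any allow rule that grants httpd_t access to shadow_t into a dontaudit rule (so the denial stops being logged without violating the base policy's assertion), check that no such allow remains, and only then rebuild and load the module. The sample local.te below is constructed to resemble audit2allow output; the second rule (httpd_sys_content_t) is invented sample content standing in for whatever legitimate rules remain, and the function names (sanitize_te, has_shadow_allow, rebuild_module) are mine, not part of policycoreutils.

```shell
#!/bin/sh
# Added example: prune a bogus "allow httpd_t shadow_t" rule from an
# audit2allow-generated local.te before rebuilding the policy module.

# Constructed sample of what "audit2allow -M local" might emit. The
# httpd_sys_content_t rule is invented filler; review every remaining
# allow rule yourself rather than trusting this script to keep it.
SAMPLE_TE='module local 1.0;

require {
	type httpd_t;
	type shadow_t;
	type httpd_sys_content_t;
	class file { read getattr };
	class dir { write add_name };
}

allow httpd_t shadow_t:file { read };
allow httpd_t httpd_sys_content_t:dir { write add_name };
'

# sanitize_te SRC TGT: read a .te on stdin, write it to stdout with every
# "allow SRC TGT:..." rule turned into "dontaudit SRC TGT:...". The require
# block and all other rules pass through untouched.
sanitize_te() {
    awk -v src="$1" -v tgt="$2" '
        $1 == "allow" && $2 == src && index($3, tgt ":") == 1 { $1 = "dontaudit" }
        { print }
    '
}

# has_shadow_allow: exit 0 if the .te on stdin still grants any domain
# access to shadow_t, i.e. would trip the base policy assertion again.
has_shadow_allow() {
    grep -Eq '^allow[[:space:]]+[^[:space:]]+[[:space:]]+shadow_t:'
}

# rebuild_module NAME: NAME.te -> NAME.mod -> NAME.pp, then load it.
# Needs checkmodule, semodule_package and semodule (policycoreutils), as root.
rebuild_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Usage: sh fix_local.sh --apply local
# Rewrites local.te in place, refuses to continue if a shadow_t allow is
# left, then rebuilds and loads the module.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    sanitize_te httpd_t shadow_t < "$2.te" > "$2.te.new" && mv "$2.te.new" "$2.te"
    if has_shadow_allow < "$2.te"; then
        echo "refusing to build: $2.te still allows access to shadow_t" >&2
        exit 1
    fi
    rebuild_module "$2"
fi
```

The dontaudit keeps the audit log quiet for the /etc/shadow probe without granting the access; if the original squirrelmail failure persists after reloading, the rules that remain in local.te are the ones to look at, not the shadow_t one.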
