Strict policy on FC6 and F7

Louis Lam lshoujun at yahoo.com
Tue Aug 14 09:35:07 UTC 2007


Hi Dan,

For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the
following rpms

selinux-policy
selinux-policy-devel
selinux-policy-targeted
selinux-policy-strict

But I left the libselinux libraries alone since the rpm upgrade went through without complaints. I
can't use yum because my system is not directly connected to the internet.

But I'm still faced with the problem of not being able to log on as root at runlevel 5 (GUI login).
Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well?

Thanks,
Louis

--- Daniel J Walsh <dwalsh at redhat.com> wrote:

> Louis Lam wrote:
> > Hi Dan,
> >
> > I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm 
> > not too sure where to go and how to get the latest policy version. Do 
> > I take the latest policy version and remake the source RPM? Or are 
> > there pre-packaged rpms that I can use to upgrade?
> >
> You should be able to simply do a yum update.
> > You didn't see this problem in RHEL 5? Do I need the local.te module 
> > if I use the "stock" RHEL 5? I tried switching to strict policy in 
> > RHEL 5 and cannot login with root. But I can log in as a normal user. 
> > Is it "normal" that this restriction be placed on root? Is the 
> > local.te trying to enable root login?
> No, this sounds like either a bug or a labeling problem in RHEL5.  You 
> should be able to login as root.  You might want to update to the U1 
> policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
> >
> > Thanks,
> > Louis
> >
> > ----- Original Message ----
> > From: Daniel J Walsh <dwalsh at redhat.com>
> > To: Louis Lam <lshoujun at yahoo.com>
> > Cc: shintaro_fujiwara <shin216 at xf7.so-net.ne.jp>; Hal 
> > <hal_bg at yahoo.com>; fedora-selinux-list at redhat.com; cpebenito at tresys.com
> > Sent: Friday, August 10, 2007 11:17:42 PM
> > Subject: Re: Strict policy on FC6 and F7
> >
> > Louis Lam wrote:
> > > Hi,
> > >
> > > I'm still having problems compiling the local.te module. The problem
> > > I'm facing seems to be different from Hal's:
> > >
> > > --------------------
> > > local.te:11:ERROR 'permission nlsms_relay is not defined for class
> > > netlink_audit_socket' at token '
> > > ;' on line 80809:
> > >         allow local_login_t self:netlink_audit_socket { { create {
> > > ioctl read getattr write setattr
> > >  append bind connect getopt setopt shutdown } } nlmsg_read
> > > nlsms_relay };
> > > #line 11
> > > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > > make: *** [tmp/local.mod] Error 1
> > > ---------------------
> > >
> > > My local.te file looks like this:
> > > -------------
> > > policy_module(local,1.0)
> > >
> > > require {
> > >
> > >         type local_login_t;
> > >         class netlink_audit_socket { append bind connect shutdown
> > > ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > > }
> > >
> > >
> > > logging_send_audit_msg(local_login_t)
> > > logging_set_loginuid(local_login_t)
> > >
> > > -------------
> > >
> > > Seems like the problem is with logging_set_loginuid macro. I'm not
> > > sure how to solve this problem though.
> > >
> > > BTW here are some details on my environment:
> > >
> > > 1. I'm using the stock policy for FC7 2.6.4-8
> > > 2. I did the compilation while running in targeted mode (will it
> > > affect?)
> > > 3. The macro logging_set_loginuid is defined in the file
> > > policy-20070501.patch
> > >
> > > Here is an extract of how logging_set_loginuid is defined in the patch :
> > >
> > > +########################################
> > > +## <summary>
> > > +##     Set login uid
> > > +## </summary>
> > > +## <param name="domain">
> > > +##     <summary>
> > > +##     Domain allowed access.
> > > +##     </summary>
> > > +## </param>
> > > +#
> > > +interface(`logging_set_loginuid',`
> > > +       gen_require(`
> > > +               attribute can_set_loginuid;
> > > +               attribute can_send_audit_msg;
> > > +       ')
> > > +
> > > +       typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > > +
> > > +       allow $1 self:capability audit_control;
> > > +       allow $1 self:netlink_audit_socket { create_socket_perms
> > > nlmsg_read nlsms_relay };
> > > +')
> > >
> > > Hope it helps in solving the problem...
> > >
> > > Thanks,
> > > Louis
> > I am not seeing this in RHEL5, FC6, F7 or F8.  So are you sure you are
> > using the latest policy?
> >
> >


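The checkmodule error quoted in the thread ("permission nlsms_relay is not defined for class netlink_audit_socket") is the kind of thing that can be caught before the build runs: the interface in the patch spells the permission `nlsms_relay`, while the require block in local.te (and the reference policy's class definition) uses `nlmsg_relay`. The script below is an added example, not code from the thread or from the reference policy; it reads a module fragment as m4 would hand it to checkmodule (with `$1` already substituted), expands the `create_socket_perms` macro the way the quoted error shows it expanded, and reports any netlink_audit_socket permission that the class does not define. The permission list is taken from the reference policy's netlink_audit_socket class and may differ slightly between policy versions; the sample module text is constructed from the thread's patch extract.

```python
"""Pre-check an SELinux .te fragment for netlink_audit_socket permissions that
checkmodule would reject. Added example, not part of the mailing-list thread."""
import re

# Common socket permissions plus the audit-specific ones, as defined for
# class netlink_audit_socket in the reference policy (assumed; version may vary).
COMMON_SOCKET_PERMS = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "bind", "connect", "listen",
    "accept", "getopt", "setopt", "shutdown", "recvfrom", "sendto",
    "recv_msg", "send_msg", "name_bind",
}
NETLINK_AUDIT_SOCKET_PERMS = COMMON_SOCKET_PERMS | {
    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", "nlmsg_tty_audit",
}

# Permission-set macros that m4 expands before checkmodule parses the file.
# create_socket_perms is listed exactly as the quoted checkmodule error shows it.
PERM_MACROS = {
    "create_socket_perms": {"create", "ioctl", "read", "getattr", "write",
                            "setattr", "append", "bind", "connect",
                            "getopt", "setopt", "shutdown"},
}

# Matches: allow <source> <target>:netlink_audit_socket { perms... };
# The brace group may span lines and contain nested braces, as in the error.
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):netlink_audit_socket\s*(\{[^;]*\}|\w+)\s*;", re.S)


def expand_perms(perm_text):
    """Flatten nested braces and expand known permission macros into a set of names."""
    names = set()
    for tok in re.findall(r"[A-Za-z_]\w*", perm_text):
        names |= PERM_MACROS.get(tok, {tok})
    return names


def check_audit_socket_perms(te_source):
    """Return (source_type, permission) pairs that checkmodule would reject."""
    bad = []
    for m in ALLOW_RE.finditer(te_source):
        src, perm_text = m.group(1), m.group(3)
        for perm in sorted(expand_perms(perm_text)):
            if perm not in NETLINK_AUDIT_SOCKET_PERMS:
                bad.append((src, perm))
    return bad


# Constructed sample: the body of the patched logging_set_loginuid interface
# after m4 has replaced $1 with local_login_t, misspelling left as posted.
SAMPLE_TE = """
allow local_login_t self:capability audit_control;
allow local_login_t self:netlink_audit_socket { create_socket_perms
nlmsg_read nlsms_relay };
"""

if __name__ == "__main__":
    for src, perm in check_audit_socket_perms(SAMPLE_TE):
        print(f"{perm!r} is not defined for class netlink_audit_socket "
              f"(allow rule for {src})")
```

Run against the sample it reports `nlsms_relay` for `local_login_t`, which is the same finding checkmodule produced at line 80809 of the expanded policy; with the spelling corrected to `nlmsg_relay` it reports nothing, and the module can then be built the usual way with the devel Makefile (`make -f /usr/share/selinux/devel/Makefile local.pp`) and loaded with `semodule -i local.pp`.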