weird dyntransition issue
Mr Dash Four
mr.dash.four at googlemail.com
Sun Mar 25 17:11:09 UTC 2012
> What does audit2why say?
>
Well, not what I expected :-\ :
-bash-4.1# audit2why < /var/log/audit/audit.log
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 24, in <module>
    import sepolgen.policygen as policygen
  File "/usr/lib/python2.6/site-packages/sepolgen/policygen.py", line 33, in <module>
    from setools import *
ImportError: No module named setools
So, I guess I have to transfer my audit.log to a machine which does have
setools (python) installed (the one I am getting this on is my DMZ
server, so it is pretty constrained).
> Some shots in the dark:
>
> # get past dyntransition kiddy lock
> domain_dyntrans_type(sshd_t)
>
> # get past subject identity change kiddy lock
> domain_subj_id_change_exemption(sshd_t)
>
> # get past role change kiddy lock
> domain_role_change_exemption(sshd_t)
>
I'll try these, thanks Dominick! I'll introduce these one by one as
tunables and see what works.
Could it be that the new version of openssh introduced these new hooks,
which were not present in older versions? To me this whole issue is
caused entirely by openssh.