weird dyntransition issue
Dominick Grift
dominick.grift at gmail.com
Sun Mar 25 18:22:08 UTC 2012
On Sun, 2012-03-25 at 18:11 +0100, Mr Dash Four wrote:
> > What does audit2why say?
> >
> Well, not what I expected :-\ :
>
> -bash-4.1# audit2why < /var/log/audit/audit.log
> Traceback (most recent call last):
> File "/usr/bin/audit2allow", line 24, in <module>
> import sepolgen.policygen as policygen
> File "/usr/lib/python2.6/site-packages/sepolgen/policygen.py", line
> 33, in <module>
> from setools import *
> ImportError: No module named setools
ouch
> So, I guess I have to transfer my audit.log on a machine which does have
> setools (python) installed (the one I am getting this on is my dmz
> server, so it is pretty constrained).
>
> > Some shots in the dark:
> >
> > # get past dyntransition kiddy lock
> > domain_dyntrans_type(sshd_t)
> >
> > # get past subject identity change kiddy lock
> > domain_subj_id_change_exemption(sshd_t)
> >
> > # get past role change kiddy lock
> > domain_role_change_exemption(sshd_t)
> >
> I'll try these, thanks Dominick! I'll introduce these one by one as
> tunables and see what works.
>
> Could it be that the new version of openssh introduced these new hooks,
> which were not present in older versions? To me this whole issue is
> caused entirely by openssh.
>
not likely, I am not sure though
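
Added example, not part of the original thread: since audit2why could not run on the constrained server, this Python script pulls the denied process dyntransition records out of audit.log text using only the standard library and reports which context fields (user, role, type) change, matching the identity-change, role-change and dyntransition checks named in the macro comments above. The log lines are constructed samples and the function names are hypothetical; it assumes the usual `avc: denied { ... } ... scontext= tcontext= tclass=` record layout.

```python
import re
from collections import Counter

# Constructed sample records (not taken from the poster's audit.log).
SAMPLE_LOG = """\
type=AVC msg=audit(1332699128.101:71): avc:  denied  { dyntransition } for  pid=2101 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process
type=AVC msg=audit(1332699130.554:72): avc:  denied  { read } for  pid=2140 comm="httpd" name="x" dev=sda1 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1332699141.009:75): avc:  denied  { dyntransition } for  pid=2188 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

FIELDS = ("user", "role", "type", "level")

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = ctx.split(":", 3)
    return dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))

def dyntransition_denials(log_text):
    """Return one record per denied dyntransition on class 'process'."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["cls"] != "process":
            continue
        if "dyntransition" not in m["perms"].split():
            continue
        src, dst = split_context(m["s"]), split_context(m["t"])
        # Which parts of the subject context the process tried to change.
        changed = [f for f in ("user", "role", "type") if src[f] != dst[f]]
        records.append({"source": src["type"], "target": dst["type"],
                        "changed": changed})
    return records

def summarize(records):
    """Count denials per (source type, target type, changed fields)."""
    return Counter((r["source"], r["target"], tuple(r["changed"]))
                   for r in records)

if __name__ == "__main__":
    for (src, dst, changed), n in summarize(dyntransition_denials(SAMPLE_LOG)).items():
        print(f"{n}x {src} -> {dst}: changes {', '.join(changed) or 'nothing'}")
```

A denial whose `changed` list includes `user` or `role` is the case the identity-change and role-change exemptions in the thread are aimed at; a type-only change involves just the dyntransition check.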