SELinux fails to apply local policy module

Suvayu Ali fatkasuvayu+linux at gmail.com
Mon Apr 15 16:59:43 UTC 2013


Hi Daniel,

On Mon, Apr 15, 2013 at 08:56:56AM -0700, Daniel J Walsh wrote:
> 
> Does your application work?  If yes then no reason to allow this avc.

It takes a while to start, but my application does work.  Is it then
possible to just ignore the alerts for this particular case?  I would
also prefer not to mess with my policies, lack of understanding being
the main reason.

That said, I do have another similar problem with a game in steam:

  SELinux is preventing /home/user/.local/share/Steam/ubuntu12_32/steam
  from using the execheap access on a process.

Raw Audit Messages:

  type=AVC msg=audit(1365646731.47:8579): avc: denied { execheap } for
  pid=6561 comm="steam"
  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  tclass=process

  type=SYSCALL msg=audit(1365646731.47:8579): arch=i386 syscall=capget
  success=no exit=EACCES a0=a937000 a1=c000 a2=7 a3=ffbe844c items=0
  ppid=1804 pid=6561 auid=500 uid=500 gid=500 euid=500 suid=500
  fsuid=500 egid=500 sgid=500 fsgid=500 ses=2 tty=pts9 comm=steam
  exe=/home/jallad/.local/share/Steam/ubuntu12_32/steam
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

  Hash: steam,unconfined_t,unconfined_t,process,execheap

This time however, the application does not work.  Again, adding the
custom policy fails in exactly the same manner.

> Looks like you have an old policy module that has crufted up your system.

This is up to date F18: selinux-policy-3.11.1-87.fc18.noarch.

> locate passanger.pp

This does not return anything.

> semodule -r passanger

  libsepol.scope_copy_callback: qpidd: Duplicate declaration in module:
  type/attribute qpidd_var_lib_t (No such file or directory).
  libsemanage.semanage_link_sandbox: Link packages failed (No such file
  or directory).
  semodule:  Failed!

The only time I messed with SELinux was when I installed a few custom
file contexts for a change root environment I use for my work.

  # semanage -o fcontext
  boolean -D
  login -D
  login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
  login -a -s unconfined_u -r 's0-s0:c0.c1023' root
  login -a -s system_u -r 's0-s0:c0.c1023' system_u
  user -D
  port -D
  interface -D
  node -D
  fcontext -D
  fcontext -a -f 'directory' -t root_t '/home/slc5'
  fcontext -a -f 'directory' -t mnt_t '/home/slc5/afs'
  fcontext -a -f 'directory' -t lib_t '/home/slc5/lib64'
  fcontext -a -f 'all files' -t lib_t '/home/slc5/lib64.*'
  fcontext -a -f 'directory' -t usr_t '/home/slc5/local'
  fcontext -a -f 'all files' -t usr_t '/home/slc5/local.*'
  fcontext -a -e /home/slc5/media /media
  fcontext -a -e /home/slc5/tmp /tmp
  fcontext -a -e /home/slc5/proc /proc
  fcontext -a -e /home/slc5/root /root
  fcontext -a -e /home/slc5/dev /dev
  fcontext -a -e /home/slc5/sys /sys
  fcontext -a -e /home/slc5/selinux /selinux
  fcontext -a -e /home/slc5/srv /srv
  fcontext -a -e /home/slc5/opt /opt
  fcontext -a -e /home/slc5/etc /etc
  fcontext -a -e /home/slc5/var /var
  fcontext -a -e /home/slc5/home /home
  fcontext -a -e /home/slc5/mnt /mnt
  fcontext -a -e /home/slc5/boot /boot
  fcontext -a -e /home/slc5/bin /bin
  fcontext -a -e /home/slc5/sbin /sbin
  fcontext -a -e /home/slc5/lib /lib
  fcontext -a -e /home/slc5/usr /usr

> What OS is this?  rhel6?

F18.

Thanks in advance.

-- 
Suvayu

Open source is the future. It sets us free.
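Added example, not code from this thread: a small Python parser for raw AVC records like the steam denial quoted above. It pulls the fields out of a one-line audit.log record, rebuilds the setroubleshoot-style "Hash:" line (its format is assumed from the report above: comm, source type, target type, class, permission), and separates process-class denials for executable-memory permissions (execheap, execmem, execstack, execmod), which are the W^X style protections a working application should not be granted just to silence the alert, from ordinary file or socket access denials. The second sample record is constructed; the first is the one from the message.

```python
import re

# 'process' permissions that gate executable memory (W^X style) rather than file access.
MEMORY_EXEC_PERMS = {"execheap", "execmem", "execstack", "execmod"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one raw AVC 'denied' record into a dict; None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = sorted(m.group("perms").split())
    # A context is user:role:type[:range]; policy rules key on the type field.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec

def sealert_key(rec):
    """Rebuild the 'Hash:' line from the report above (format assumed to be
    comm,source type,target type,class,permission)."""
    return ",".join([rec["comm"], rec["scontext_type"], rec["tcontext_type"],
                     rec["tclass"], rec["perms"][0]])

def classify(rec):
    """'memory-protection' for exec-memory denials on a process, else 'access-control'."""
    if rec.get("tclass") == "process" and MEMORY_EXEC_PERMS & set(rec["perms"]):
        return "memory-protection"
    return "access-control"

def summarize(lines):
    """Return 'hash -> verdict' strings for the AVC denials among raw audit lines."""
    recs = filter(None, map(parse_avc, lines))
    return [f"{sealert_key(r)} -> {classify(r)}" for r in recs]

# First record is the steam denial quoted above, joined onto one line as it
# appears in audit.log; the second is a constructed file-access denial.
SAMPLES = [
    'type=AVC msg=audit(1365646731.47:8579): avc: denied { execheap } for '
    'pid=6561 comm="steam" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1365646800.10:8600): avc: denied { read } for '
    'pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]
```

Feed it `open("/var/log/audit/audit.log")` (or `ausearch -m avc` output) to get one verdict line per denial.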
