SELinux fails to apply local policy module
Suvayu Ali
fatkasuvayu+linux at gmail.com
Mon Apr 15 16:59:43 UTC 2013
Hi Daniel,
On Mon, Apr 15, 2013 at 08:56:56AM -0700, Daniel J Walsh wrote:
>
> Does your application work? If yes then no reason to allow this avc.
It takes a while to start, but my application does work. Is it then
possible to just ignore the alerts for this particular case? I would
also prefer not to mess with my policies, lack of understanding being
the main reason.
That said, I do have another similar problem with a game in Steam:
SELinux is preventing /home/user/.local/share/Steam/ubuntu12_32/steam
from using the execheap access on a process.
Raw Audit Messages:
type=AVC msg=audit(1365646731.47:8579): avc: denied { execheap } for pid=6561 comm="steam" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1365646731.47:8579): arch=i386 syscall=capget success=no exit=EACCES a0=a937000 a1=c000 a2=7 a3=ffbe844c items=0 ppid=1804 pid=6561 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 ses=2 tty=pts9 comm=steam exe=/home/jallad/.local/share/Steam/ubuntu12_32/steam subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: steam,unconfined_t,unconfined_t,process,execheap
This time however, the application does not work. Again, adding the
custom policy fails in exactly the same manner.
> Looks like you have an old policy module that has crufted up your system.
This is up to date F18: selinux-policy-3.11.1-87.fc18.noarch.
> locate passanger.pp
This does not return anything.
> semodule -r passanger
libsepol.scope_copy_callback: qpidd: Duplicate declaration in module: type/attribute qpidd_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
The only time I messed with SELinux was when I installed a few custom
file contexts for a change root environment I use for my work.
# semanage -o fcontext
boolean -D
login -D
login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -D
port -D
interface -D
node -D
fcontext -D
fcontext -a -f 'directory' -t root_t '/home/slc5'
fcontext -a -f 'directory' -t mnt_t '/home/slc5/afs'
fcontext -a -f 'directory' -t lib_t '/home/slc5/lib64'
fcontext -a -f 'all files' -t lib_t '/home/slc5/lib64.*'
fcontext -a -f 'directory' -t usr_t '/home/slc5/local'
fcontext -a -f 'all files' -t usr_t '/home/slc5/local.*'
fcontext -a -e /home/slc5/media /media
fcontext -a -e /home/slc5/tmp /tmp
fcontext -a -e /home/slc5/proc /proc
fcontext -a -e /home/slc5/root /root
fcontext -a -e /home/slc5/dev /dev
fcontext -a -e /home/slc5/sys /sys
fcontext -a -e /home/slc5/selinux /selinux
fcontext -a -e /home/slc5/srv /srv
fcontext -a -e /home/slc5/opt /opt
fcontext -a -e /home/slc5/etc /etc
fcontext -a -e /home/slc5/var /var
fcontext -a -e /home/slc5/home /home
fcontext -a -e /home/slc5/mnt /mnt
fcontext -a -e /home/slc5/boot /boot
fcontext -a -e /home/slc5/bin /bin
fcontext -a -e /home/slc5/sbin /sbin
fcontext -a -e /home/slc5/lib /lib
fcontext -a -e /home/slc5/usr /usr
> What OS is this? rhel6?
F18.
Thanks in advance.
--
Suvayu
Open source is the future. It sets us free.
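An added example, not part of the mail above and not code from Fedora or setroubleshoot: a small Python tool that parses a raw AVC record of the kind pasted in the mail, rebuilds the setroubleshoot-style summary line ("Hash: steam,unconfined_t,unconfined_t,process,execheap"), and says whether a stock policy boolean already covers the denial or whether a local module via audit2allow is the next step. It also pulls the offending module and symbol out of the libsepol "Duplicate declaration" error that broke semodule -r. The sample input is constructed from the records in the mail (re-joined onto single lines). The BOOLEAN_HINTS table is my own assumption: the boolean names are the ones I know from Fedora's policy, and they should be confirmed with `getsebool -a` on the machine in question.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the AVC record from the mail, re-joined onto one
# line (the list archive wrapped it), and the semodule -r error from the same mail.
AVC_LINE = (
    'type=AVC msg=audit(1365646731.47:8579): avc: denied { execheap } for '
    'pid=6561 comm="steam" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process'
)
SEMODULE_ERROR = (
    'libsepol.scope_copy_callback: qpidd: Duplicate declaration in module: '
    'type/attribute qpidd_var_lib_t (No such file or directory).\n'
    'libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).\n'
    'semodule: Failed!'
)

# avc: denied { perm [perm ...] } for key=value ...
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; comm= and name= values are double-quoted in audit records
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# libsepol's duplicate-declaration diagnostic: which module, which symbol
DUP_RE = re.compile(
    r'libsepol\.scope_copy_callback:\s*(?P<module>[^:\s]+):\s*'
    r'Duplicate declaration in module:\s*(?P<kind>\S+)\s+(?P<name>\S+)'
)

# ASSUMPTION (mine, not from the mail): process-class denials on unconfined_t
# that the stock Fedora policy already exposes as a boolean. Verify the names
# on your box with `getsebool -a | grep exec` before relying on them.
BOOLEAN_HINTS = {
    ('process', 'execheap', 'unconfined_t'): 'selinuxuser_execheap',
    ('process', 'execstack', 'unconfined_t'): 'selinuxuser_execstack',
}


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a security context: {ctx!r}')
    return parts[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def avc_hashes(fields: Dict[str, object]) -> List[str]:
    """setroubleshoot-style summary (comm,stype,ttype,tclass,perm), one per permission."""
    stype = context_type(str(fields['scontext']))
    ttype = context_type(str(fields['tcontext']))
    return [
        f"{fields['comm']},{stype},{ttype},{fields['tclass']},{perm}"
        for perm in fields['perms']
    ]


def suggest(fields: Dict[str, object]) -> List[str]:
    """What to type for each permission: a boolean if one covers it, else a local module."""
    stype = context_type(str(fields['scontext']))
    out = []
    for perm in fields['perms']:
        bool_name = BOOLEAN_HINTS.get((str(fields['tclass']), perm, stype))
        if bool_name:
            out.append(f'setsebool -P {bool_name} 1   # boolean, no custom module needed')
        else:
            out.append('ausearch -m AVC -ts recent | audit2allow -M local && semodule -i local.pp')
    return out


def parse_duplicate_declaration(text: str) -> Optional[Dict[str, str]]:
    """Pull module and symbol out of the libsepol duplicate-declaration error."""
    m = DUP_RE.search(text)
    return m.groupdict() if m else None


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print('hash :', avc_hashes(avc))
    print('next :', suggest(avc))
    print('stale module :', parse_duplicate_declaration(SEMODULE_ERROR))
```

Two practical notes. First, Dan's point stands: a denial whose application still works is not a reason to grant anything, so only act on the summary for the Steam case where the program actually fails, and prefer the boolean over a hand-rolled module because it is reversible with one setsebool. Second, the duplicate-declaration error names qpidd, not passanger, as the module whose declaration clashes; `semodule -l | grep qpidd` shows whether an old copy of that module is still installed, which is the thing to remove before any new local.pp will link.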