SELinux fails to apply local policy module

Daniel J Walsh dwalsh at redhat.com
Tue Apr 16 00:32:23 UTC 2013


On 04/15/2013 09:59 AM, Suvayu Ali wrote:
> Hi Daniel,
> 
> On Mon, Apr 15, 2013 at 08:56:56AM -0700, Daniel J Walsh wrote:
>> 
>> Does your application work?  If yes then no reason to allow this AVC.
> 
> It takes a while to start, but my application does work.  Is it then 
> possible to just ignore the alerts for this particular case?  I would also
> prefer not to mess with my policies, lack of understanding being the main
> reason.
> 
> That said, I do have another similar problem with a game in Steam:
> 
> SELinux is preventing /home/user/.local/share/Steam/ubuntu12_32/steam from
> using the execheap access on a process.
> 
> Raw Audit Messages:
> 
> type=AVC msg=audit(1365646731.47:8579): avc: denied { execheap } for 
> pid=6561 comm="steam" 
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> tclass=process
> 
> type=SYSCALL msg=audit(1365646731.47:8579): arch=i386 syscall=capget 
> success=no exit=EACCES a0=a937000 a1=c000 a2=7 a3=ffbe844c items=0 
> ppid=1804 pid=6561 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 ses=2 tty=pts9 comm=steam 
> exe=/home/jallad/.local/share/Steam/ubuntu12_32/steam 
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> Hash: steam,unconfined_t,unconfined_t,process,execheap
> 
> This time however, the application does not work.  Again, adding the custom
> policy fails in exactly the same manner.
> 
>> Looks like you have an old policy module that has crufted up your
>> system.
> 
> This is up to date F18: selinux-policy-3.11.1-87.fc18.noarch.
> 
>> locate passanger.pp
> 
> This does not return anything.
> 
>> semodule -r passanger
> 
> libsepol.scope_copy_callback: qpidd: Duplicate declaration in module: type/attribute qpidd_var_lib_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule:  Failed!
> 
> The only time I messed with SELinux was when I installed a few custom file
> contexts for a change root environment I use for my work.
> 
> # semanage -o fcontext
> boolean -D
> login -D
> login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
> login -a -s unconfined_u -r 's0-s0:c0.c1023' root
> login -a -s system_u -r 's0-s0:c0.c1023' system_u
> user -D
> port -D
> interface -D
> node -D
> fcontext -D
> fcontext -a -f 'directory' -t root_t '/home/slc5'
> fcontext -a -f 'directory' -t mnt_t '/home/slc5/afs'
> fcontext -a -f 'directory' -t lib_t '/home/slc5/lib64'
> fcontext -a -f 'all files' -t lib_t '/home/slc5/lib64.*'
> fcontext -a -f 'directory' -t usr_t '/home/slc5/local'
> fcontext -a -f 'all files' -t usr_t '/home/slc5/local.*'
> fcontext -a -e /home/slc5/media /media
> fcontext -a -e /home/slc5/tmp /tmp
> fcontext -a -e /home/slc5/proc /proc
> fcontext -a -e /home/slc5/root /root
> fcontext -a -e /home/slc5/dev /dev
> fcontext -a -e /home/slc5/sys /sys
> fcontext -a -e /home/slc5/selinux /selinux
> fcontext -a -e /home/slc5/srv /srv
> fcontext -a -e /home/slc5/opt /opt
> fcontext -a -e /home/slc5/etc /etc
> fcontext -a -e /home/slc5/var /var
> fcontext -a -e /home/slc5/home /home
> fcontext -a -e /home/slc5/mnt /mnt
> fcontext -a -e /home/slc5/boot /boot
> fcontext -a -e /home/slc5/bin /bin
> fcontext -a -e /home/slc5/sbin /sbin
> fcontext -a -e /home/slc5/lib /lib
> fcontext -a -e /home/slc5/usr /usr
> 
>> What OS is this?  rhel6?
> 
> F18.
> 
> Thanks in advance.
> 

You seem to have a lot of cruft in your policy directory.

Could you just remove the directory and reinstall policy?


# setenforce 0
# rm -rf /etc/selinux/targeted
# yum reinstall selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# semanage fcontext -a -e / /home/slc5

Should be all you need.
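
The following Python is an added example, not part of the original message or of any SELinux tool. It parses raw AVC records like the one quoted above, rebuilds the five-field key shown on the "Hash:" line, and flags denials of the process-class memory permissions (execheap, execmem, execstack). The function names and the shortened SYSCALL line are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed input: the AVC record quoted in the message, unwrapped onto one
# line, plus a shortened (constructed) non-AVC record the parser must skip.
SAMPLE_LOG = [
    'type=AVC msg=audit(1365646731.47:8579): avc: denied { execheap } for '
    'pid=6561 comm="steam" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process',
    'type=SYSCALL msg=audit(1365646731.47:8579): arch=i386 success=no comm=steam',
]

# Process-class permissions that control executable, writable memory.
MEMORY_PERMS = {"execheap", "execmem", "execstack"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":", 3)  # the MLS level may contain ':' itself
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]

def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms, rest = m.groups()
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"perms": perms.split(), "comm": f.get("comm", "?"),
            "source": context_type(f["scontext"]),
            "target": context_type(f["tcontext"]), "tclass": f["tclass"]}

def triage(lines):
    """Count denials per comm,source,target,class,perm key; flag memory ones."""
    counts, memory = Counter(), set()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = ",".join([rec["comm"], rec["source"], rec["target"],
                            rec["tclass"], perm])
            counts[key] += 1
            if rec["tclass"] == "process" and perm in MEMORY_PERMS:
                memory.add(key)
    return counts, memory
```
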

