How do you expose a policy interface?
by Nathan Kinder
I'm writing two policy modules for two separate packages (389-ds-base
and 389-admin). I would like to expose some macros via an interface
from my dirsrv policy for use by the dirsrv-admin policy. I have
defined an interface in my dirsrv.if file and built and installed the
dirsrv policy module. Apparently, this doesn't expose the interface as
I get an error when building my dirsrv-admin policy that indicates that
it doesn't know anything about my new interface.
What is the proper way to expose a policy interface? Does my dirsrv.if
file need to be installed on the system somewhere specific?
Thanks,
-NGK
14 years, 6 months
unsubscribe
by steve westfall
OK... I have done this in the official fashion multiple times. Why am I
still on your mailing list? Are you that clueless?
Steve Westfall
14 years, 7 months
Strange AVC
by Vadym Chepkov
Hi,
I am puzzled, what could have caused this kind of AVC:
type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Sincerely yours,
Vadym Chepkov
14 years, 7 months
selinux-polgengui not working on Fedora 11
by Roberto Sassu
Hi all,
I'm trying to use the utility selinux-polgengui under Fedora 11, but at the
end of the wizard process the program is unable to generate the policy and it
displays this message:
"too many values to unpack".
When I execute this from the shell, another message is also prompted:
/usr/share/system-config-selinux/polgengui.py:417: DeprecationWarning:
BaseException.message has been deprecated as of Python 2.6
self.error(e.message)
I have the distribution up to date and I use KDE 4.3.1 as window manager.
How to solve this issue?
Thanks for replies
14 years, 7 months
getsebool -d
by Matthew Ife
Would it be possible to add a description flag for getsebool so that it
will produce a description of a bool out to the user when they pass -d?
One of the problems of getsebool is that it only shows you what bools
are there but not what they are supposed to do. I expect this should
make it much more straightforward for sysadmins to implement selinux on
their systems.
I'm aware that man pages do produce useful descriptions of bools however
I would think it would be much more convenient to do it this way. Also
some tunables for whatever reason might not be documented in man pages
or custom policy may not have man pages for it but it could add the bool
description in XML somewhere else.
Additionally getsebool -a -d should produce a description for all bools
so a sysadmin can grep for keywords.
How feasible would this be to do?
14 years, 7 months
Samba AVC
by Tony Molloy
Hi,
This is Centos 5.3 fully updated.
I'm getting the following error from setroubleshoot
SELinux is preventing samba (smbd) "unlink" to ./log.cs244-34.old
(samba_log_t).
when samba tries to rotate the log files.
Running sealert I get the following ( edited )
Summary:
SELinux is preventing samba (smbd) "unlink" to ./log.cs244-24.old
(samba_log_t).
Detailed Description:
SELinux denied samba access to ./log.cs244-24.old. If you want to share this
directory with samba it has to have a file context label of samba_share_t. If
^^^^^^^^^^^^^
you did not intend to use ./log.cs244-24.old as a samba repository it could
indicate either a bug or it could signal a intrusion attempt.
Allowing Access:
You can alter the file context by executing chcon -R -t samba_share_t
'./log.cs244-24.old' You must also change the default file context files on
the system in order to preserve them even on a full relabel. "semanage fcontext
-a -t samba_share_t './log.cs244-24.old'"
The following command will allow this access:
chcon -R -t samba_share_t './log.cs244-24.old'
Additional Information:
Source Context root:system_r:smbd_t
Target Context root:object_r:samba_log_t
Target Objects ./log.cs244-24.old [ file ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host janus.x.y.z
Source RPM Packages samba-3.0.33-3.7.el5_3.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name samba_share
Host Name janus.x.y.z
Platform Linux janus.x.y.z 2.6.18-128.7.1.el5 #1 SMP
Mon Aug 24 08:21:56 EDT 2009 x86_64 x86_64
Alert Count 53
First Seen Fri Sep 25 15:54:24 2009
Last Seen Tue Sep 29 15:55:25 2009
Local ID e4426abc-3b0b-4df2-a380-3f0fba344c63
Line Numbers
Raw Audit Messages
host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied {
unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5
ino=164076 scontext=root:system_r:smbd_t:s0
tcontext=root:object_r:samba_log_t:s0 tclass=file
host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e
syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0
items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd"
subj=root:system_r:smbd_t:s0 key=(null)
log.cs244-24.old is a file not a directory and it's located in
the /var/log/samba directory with permissions
system_u:object_r:samba_log_t samba
Any ideas,
Tony
--
Dept. of Comp. Sci.
University of Limerick.
14 years, 7 months
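An added example, not part of any post above: a short Python script that pairs the AVC and SYSCALL records quoted in the "Strange AVC" and "Samba AVC" posts by their audit event serial and reports which system call, permission and type pair each denial involves. The function name and the two-entry syscall table are assumptions made for this example; the records are copied from the posts with mail line-wrapping rejoined.

```python
import errno
import re
from collections import defaultdict

# Records copied from the two posts on this page (mail line-wrapping rejoined).
RECORDS = """\
type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
host=janus.x.y.z type=AVC msg=audit(1254236125.438:70641): avc: denied { unlink } for pid=27420 comm="smbd" name="log.cs244-24.old" dev=sda5 ino=164076 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
host=janus.x.y.z type=SYSCALL msg=audit(1254236125.438:70641): arch=c000003e syscall=82 success=no exit=-13 a0=2b1b457b5220 a1=7fffa9a7ba90 a2=1f a3=0 items=0 ppid=3787 pid=27420 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1675 comm="smbd" exe="/usr/sbin/smbd" subj=root:system_r:smbd_t:s0 key=(null)
"""

# x86_64 (arch=c000003e) syscall numbers, limited to the two in these samples.
X86_64_SYSCALLS = {2: "open", 82: "rename"}
MSG_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def explain_denials(text):
    """Join AVC and SYSCALL records on the event serial; summarise each denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        perms = PERMS_RE.search(line)
        fields["perms"] = perms.group(1).split() if perms else []
        events[serial][rtype] = fields
    summary = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc:
            continue  # both halves of the event are needed to explain it
        nr = int(sc["syscall"])
        known = sc["arch"] == "c000003e" and nr in X86_64_SYSCALLS
        summary.append({
            "serial": serial, "exe": sc["exe"], "name": avc["name"],
            "syscall": X86_64_SYSCALLS[nr] if known else str(nr),
            "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
            "perms": avc["perms"], "tclass": avc["tclass"],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
        })
    return summary

if __name__ == "__main__":
    for event in explain_denials(RECORDS):
        print(event)
```

For event 70641 the denied `unlink` permission is reported against a `rename` call, and both source and target are the Samba types `smbd_t` and `samba_log_t`.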