On 06/19/2011 07:21 PM, Mr Dash Four wrote:
Yesterday I've upgraded my SELinux policy & tools on my FC13 machine to
bring it up to date with what is distributed with FC15 and later on did
a similar upgrade to the kernel as well (.38 - the latest released for
FC15), but SELinux is experiencing a few issues with the kernel. Here is
what I've upgraded:
old:
policycoreutils-python-2.0.83-33.8
policycoreutils-2.0.83-33.8
selinux-policy-3.7.19-101
selinux-policy-targeted-3.7.19-101
libsemanage-2.0.45-1
libsemanage-devel-2.0.45-1
libsemanage-static-2.0.45-1
libsemanage-python-2.0.45-1
libselinux-python-2.0.94-2
libselinux-2.0.94-2
libselinux-devel-2.0.94-2
libselinux-utils-2.0.94-2
libsepol-2.0.41-3
libsepol-devel-2.0.41-3
libsepol-static-2.0.41-3
new:
policycoreutils-python-2.0.86-7
policycoreutils-2.0.86-7
policycoreutils-gui-2.0.86-7
policycoreutils-newrole-2.0.86-7
policycoreutils-restorecond-2.0.86-7
selinux-policy-3.9.16-26
selinux-policy-targeted-3.9.16-26
libsemanage-2.0.46-4
libsemanage-devel-2.0.46-4
libsemanage-static-2.0.46-4
libsemanage-python-2.0.46-4
libselinux-python-2.0.99-4
libselinux-2.0.99-4
libselinux-devel-2.0.99-4
libselinux-utils-2.0.99-4
libsepol-2.0.42-2
libsepol-devel-2.0.42-2
libsepol-static-2.0.42-2
Most of the new SELinux policy & tools above have been compiled from
source - successfully - using the source rpm and just running rpmbuild
with no changes to the .spec file. Everything installed OK, though when
I recompiled and upgraded the kernel, it does boot up and works OK,
though I have this in my syslog from SELinux:
kernel: dracut: Loading SELinux policy
kernel: type=1404 audit(1308450301.855:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: Permission audit_access in class dir not defined in policy.
kernel: SELinux: Permission execmod in class dir not defined in policy.
kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
kernel: SELinux: Permission open in class lnk_file not defined in policy.
kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
kernel: SELinux: Permission execmod in class blk_file not defined in policy.
kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
kernel: SELinux: Permission execmod in class sock_file not defined in policy.
kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
kernel: SELinux: Permission syslog in class capability2 not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295
What could be the reason for this?
I remember getting similar messages when I attempted to upgrade the
kernel a couple of months ago from .34 to .37 - I had similar "not
defined in policy" messages then from what I remember, though they were
just a couple and certainly not the amount I am getting above. Is there
any way I could rectify this *without* doing a full upgrade to FC15?
Lines like
Permission audit_access in class file not defined in policy.
mean the kernel understands what an audit_access means but the policy
does not mention it.
Looks like you are loading a policy that is older than the kernel. I
would make sure your FC15 policy is compiled and installed correctly.