"Tony Scully wrote:"
Hi David,
Do you not need to compile the module with checkmodule(8) then package with
semodule_package(8) into a .pp file before importing it?
Oops, egg on face. I did compile but mistyped when trying to install.
Typing ever the bane.
I don't think semodule can import a type enforcement (.te) file directly?
Unless this is new to Fedora19?
Cheers,
Tony
On Sun, Aug 11, 2013 at 3:06 AM, David Highley <
dhighley(a)highley-recommended.com> wrote:
> After doing a fedup upgrade process from Fedora 18 to Fedora 19 I'm
> getting the following error when trying to install a local policy to fix
> some avc issue:
> semodule -i *.te
> libsepol.module_package_read_offsets: wrong magic number for module
> package: expected 0xf97cff8f, got 0x75646f6d
> libsemanage.parse_module_headers: Could not parse module data.
> semodule: Failed on my_sosreport.te!
>
> The te file looks like this:
> module my_sosreport 1.0;
>
> require {
> type sosreport_t;
> type configfs_t;
> type devpts_t;
> type initctl_t;
> class chr_file { getattr };
> class dir { getattr };
> class fifo_file { getattr };
> }
>
> #============= sosreport_t ==============
> allow sosreport_t configfs_t:dir getattr;
> allow sosreport_t devpts_t:chr_file getattr;
> allow sosreport_t initctl_t:fifo_file getattr;
>
> The audit avc look like the following:
> ----
> time->Sat Aug 10 16:38:22 2013
> type=SYSCALL msg=audit(1376177902.497:110): arch=c000003e syscall=16
> success=no exit=-65 a0=3 a1=8940 a2=7fff72ed5bf0 a3=7fff72ed59a0 items=0
> ppid=3710 pid=3736 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="brctl"
> exe="/usr/sbin/brctl" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1376177902.497:110): avc: denied { module_request }
> for pid=3736 comm="brctl" kmod="bridge"
> scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
> ----
> time->Sat Aug 10 16:38:22 2013
> type=SYSCALL msg=audit(1376177902.968:111): arch=c000003e syscall=6
> success=no exit=-13 a0=7fff425f9af0 a1=1dcd140 a2=1dcd140 a3=fffff800
> items=0 ppid=3710 pid=3764 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ls"
> exe="/usr/bin/ls" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1376177902.968:111): avc: denied { getattr } for
> pid=3764 comm="ls" path="/dev/initctl" dev="devtmpfs" ino=8906
> scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
> ----
> ----
> time->Sat Aug 10 16:38:22 2013
> type=SYSCALL msg=audit(1376177902.980:112): arch=c000003e syscall=6
> success=no exit=-13 a0=7fff425f9af0 a1=1ddbb30 a2=1ddbb30 a3=fffffff8
> items=0 ppid=3710 pid=3764 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ls"
> exe="/usr/bin/ls" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1376177902.980:112): avc: denied { getattr } for
> pid=3764 comm="ls" path="/dev/pts/ptmx" dev="devpts" ino=2
> scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> ----
> time->Sat Aug 10 16:38:23 2013
> type=SYSCALL msg=audit(1376177903.375:113): arch=c000003e syscall=4
> success=no exit=-13 a0=2051cb0 a1=7fff82adf0c0 a2=7fff82adf0c0 a3=0
> items=0 ppid=3710 pid=3772 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="df"
> exe="/usr/bin/df" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1376177903.375:113): avc: denied { getattr } for
> pid=3772 comm="df" path="/sys/fs/pstore" dev="pstore" ino=9238
> scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:pstorefs_t:s0 tclass=dir
> ----
> time->Sat Aug 10 16:38:23 2013
> type=SYSCALL msg=audit(1376177903.408:114): arch=c000003e syscall=4
> success=no exit=-13 a0=2052470 a1=7fff82adf0c0 a2=7fff82adf0c0 a3=0
> items=0 ppid=3710 pid=3772 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="df"
> exe="/usr/bin/df" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1376177903.408:114): avc: denied { getattr } for
> pid=3772 comm="df" path="/sys/kernel/config" dev="configfs" ino=15409
> scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:configfs_t:s0 tclass=dir
> ----
> time->Sat Aug 10 16:38:24 2013
> type=SYSCALL msg=audit(1376177904.575:115): arch=c000003e syscall=41
> success=no exit=-13 a0=10 a1=80803 a2=f a3=d2be50 items=0 ppid=3710
> pid=3803 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 ses=4294967295 tty=(none) comm="lsusb" exe="/usr/bin/lsusb"
> subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1376177904.575:115): avc: denied { create } for
> pid=3803 comm="lsusb"
> scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023
> tclass=netlink_kobject_uevent_socket
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Regards,
David Highley
Highley Recommended, Inc. Phone: (206) 669-0081
2927 SW 339th Street WEB:
http://www.highley-recommended.com
Federal Way, WA 98023-7732
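
The "got 0x75646f6d" in the error above is the ASCII text "modu" (the start of `module my_sosreport 1.0;`) read as a little-endian 32-bit number, which is what libsepol sees when handed a `.te` source file instead of a `.pp` package. The script below is an added example, not part of the thread: it checks that magic before calling `semodule -i` and wraps the compile and package steps named in the reply. The function names (`le32_magic`, `classify_module`, `build_and_install`) are hypothetical and the demo files are constructed.

```shell
#!/bin/sh
# Added example: pre-check files before passing them to `semodule -i`.
# EXPECTED_MAGIC is the value libsepol reports as "expected" in the thread.
EXPECTED_MAGIC=f97cff8f

# Print a file's first four bytes as a little-endian 32-bit hex number,
# the form in which the "got 0x..." value of the error is reported.
le32_magic() {
    set -- $(od -An -tx1 -N4 "$1")      # e.g. "6d 6f 64 75" for "modu"
    [ $# -eq 4 ] || return 1            # fewer than four bytes available
    printf '%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# Classify a file: "package" (.pp), "te-source" (text starting "modu"),
# "unknown", or "unreadable".
classify_module() {
    cm_magic=$(le32_magic "$1" 2>/dev/null) || { echo unreadable; return 0; }
    case $cm_magic in
        "$EXPECTED_MAGIC") echo package ;;
        75646f6d)          echo te-source ;;   # ASCII "modu" from "module ..."
        *)                 echo unknown ;;
    esac
}

# The sequence from the reply: compile, package, verify, then install.
# -M builds an MLS/MCS-aware module (contexts in the thread carry s0-s0:c0.c1023).
build_and_install() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    [ "$(classify_module "$1.pp")" = package ] &&
    semodule -i "$1.pp"
}

# Demo on constructed files (not real policy): a .te header and a blob that
# carries only the package magic.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'module my_sosreport 1.0;\n' > "$demo_dir/my_sosreport.te"
    printf '\217\377\174\371constructed' > "$demo_dir/sample.pp"
    for demo_f in "$demo_dir"/*; do
        printf '%s: %s\n' "${demo_f##*/}" "$(classify_module "$demo_f")"
    done
    rm -rf "$demo_dir"
}
demo
```

`build_and_install my_sosreport` expects `my_sosreport.te` in the current directory and must run as root for the final `semodule -i`.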