-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
$ sesearch --allow -SC -T | grep unconfined_login
ERROR: policydb version 25 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/targeted/policy/policy.25.
ERROR: Success
By the way: looks like if I set unconfined_login to off then sulogin_t is not allowed to execute shell_exec_t?
On 03/30/2011 07:56 PM, Dominick Grift wrote:
> $ sesearch --allow -SC -T | grep unconfined_login
> ERROR: policydb version 25 does not match my version range 15-24
> ERROR: Unable to open policy /etc/selinux/targeted/policy/policy.25.
> ERROR: Success
> By the way: looks like if I set unconfined_login to off then sulogin_t is not allowed to execute shell_exec_t?
I meant on instead of off; I think it's because my root was mapped to unconfined_u: so at least that part of unconfined_login works.
On 03/30/2011 08:07 PM, Dominick Grift wrote:
> I meant on instead of off; I think it's because my root was mapped to unconfined_u: so at least that part of unconfined_login works.
ifdef(`enable_mls',`
    sysadm_shell_domtrans(sulogin_t)
',`
    optional_policy(`
        unconfined_shell_domtrans(sulogin_t)
    ')
')
Should that not be:
sysadm_shell_domtrans(sulogin_t)
ifndef(`enable_mls',`
    optional_policy(`
        unconfined_shell_domtrans(sulogin_t)
    ')
')
Because one can also map root to sysadm_u in targeted policy.
On 03/30/2011 08:18 PM, Dominick Grift wrote:
> ifdef(`enable_mls',`
>     sysadm_shell_domtrans(sulogin_t)
> ',`
>     optional_policy(`
>         unconfined_shell_domtrans(sulogin_t)
>     ')
> ')
> Should that not be:
> sysadm_shell_domtrans(sulogin_t)
> ifndef(`enable_mls',`
>     optional_policy(`
>         unconfined_shell_domtrans(sulogin_t)
>     ')
> ')
> Because one can also map root to sysadm_u in targeted policy.
BTW I suspect we also need this in ssh.te:
ifndef(`enable_mls',`
    optional_policy(`
        unconfined_shell_domtrans(sshd_t)
    ')
')
On 03/30/2011 02:21 PM, Dominick Grift wrote:
> BTW I suspect we also need this in ssh.te:
> ifndef(`enable_mls',`
>     optional_policy(`
>         unconfined_shell_domtrans(sshd_t)
>     ')
> ')
- -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes. Could you make the change to Fedora?
On 03/30/2011 08:45 PM, Daniel J Walsh wrote:
> On 03/30/2011 02:21 PM, Dominick Grift wrote:
> > BTW I suspect we also need this in ssh.te:
> > ifndef(`enable_mls',`
> >     optional_policy(`
> >         unconfined_shell_domtrans(sshd_t)
> >     ')
> > ')
No, it's already there. Something else is wrong. I suspect that it may be conflicting with ssh_sysadm_login since unconfined_t is also an unpriv user.
On 03/30/2011 01:56 PM, Dominick Grift wrote:
> $ sesearch --allow -SC -T | grep unconfined_login
> ERROR: policydb version 25 does not match my version range 15-24
> ERROR: Unable to open policy /etc/selinux/targeted/policy/policy.25.
> ERROR: Success
> By the way: looks like if I set unconfined_login to off then sulogin_t is not allowed to execute shell_exec_t?
Need to rebuild setools. Should be fixed tomorrow.
Open a bug on sulogin_t
On Wed, 2011-03-30 at 14:43 -0400, Daniel J Walsh wrote:
> On 03/30/2011 01:56 PM, Dominick Grift wrote:
> > $ sesearch --allow -SC -T | grep unconfined_login
> > ERROR: policydb version 25 does not match my version range 15-24
> > ERROR: Unable to open policy /etc/selinux/targeted/policy/policy.25.
> > ERROR: Success
> Need to rebuild setools. Should be fixed tomorrow.
What kernel, libsepol and setools do you have? I'm sure Dan is right that him rebuilding will fix it; I just want to make sure that we don't have a problem I don't understand/recognize....
-Eric
On 03/31/2011 03:19 PM, Eric Paris wrote:
> What kernel, libsepol and setools do you have? I'm sure Dan is right that him rebuilding will fix it; I just want to make sure that we don't have a problem I don't understand/recognize....
> -Eric
$ uname -r
2.6.39-0.rc0.git11.0.fc16.x86_64
$ rpm -qa | grep libsepol
libsepol-2.0.42-3.fc16.x86_64
$ rpm -qa | grep setools
setools-libs-python-3.3.7-13.fc16.x86_64
setools-libs-3.3.7-13.fc16.x86_64
setools-console-3.3.7-13.fc16.x86_64
On 03/31/2011 09:22 AM, Dominick Grift wrote:
> $ uname -r
> 2.6.39-0.rc0.git11.0.fc16.x86_64
> $ rpm -qa | grep libsepol
> libsepol-2.0.42-3.fc16.x86_64
> $ rpm -qa | grep setools
> setools-libs-python-3.3.7-13.fc16.x86_64
> setools-libs-3.3.7-13.fc16.x86_64
> setools-console-3.3.7-13.fc16.x86_64
I am not seeing this with this combination.
setools was just built last night.
On 03/31/2011 03:26 PM, Daniel J Walsh wrote:
> I am not seeing this with this combination.
> setools was just built last night.
Updating fixed it:
$ rpm -qa | grep setools
setools-libs-3.3.7-14.fc16.x86_64
setools-console-3.3.7-14.fc16.x86_64
setools-libs-python-3.3.7-14.fc16.x86_64
On Thu, 2011-03-31 at 15:22 +0200, Dominick Grift wrote:
> $ uname -r
> 2.6.39-0.rc0.git11.0.fc16.x86_64
> $ rpm -qa | grep libsepol
> libsepol-2.0.42-3.fc16.x86_64
> $ rpm -qa | grep setools
> setools-libs-python-3.3.7-13.fc16.x86_64
> setools-libs-3.3.7-13.fc16.x86_64
> setools-console-3.3.7-13.fc16.x86_64
Thanks. I understand your issue, and I know it sucks. But it should get fixed with the rebuild/update Dan mentioned.
-Eric
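The sesearch error in this thread is a version check: the installed binary policy is version 25 and the setools build in use accepted only 15-24. As an added example (not code from the thread or from setools), the following Python reads the version field from a kernel binary policy header and applies the same range test; the function names and the sample header bytes are constructed for illustration.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C    # magic number of a kernel binary policy
POLICYDB_STRING = b"SE Linux"  # identifier string that follows the magic


def read_policy_version(data: bytes) -> int:
    """Return the policydb version stored in a kernel binary policy header.

    Layout (little-endian): u32 magic, u32 string length, identifier
    string, u32 policy version.
    """
    if len(data) < 8:
        raise ValueError("truncated header")
    magic, strlen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("not a kernel binary policy (bad magic)")
    end = 8 + strlen
    if strlen != len(POLICYDB_STRING) or data[8:end] != POLICYDB_STRING:
        raise ValueError("unexpected policy identifier string")
    if len(data) < end + 4:
        raise ValueError("truncated header")
    (version,) = struct.unpack_from("<I", data, end)
    return version


def check_tool_range(version: int, lo: int, hi: int) -> str:
    """Apply the range test behind the sesearch error quoted in the thread."""
    if lo <= version <= hi:
        return f"ok: policy version {version} is within {lo}-{hi}"
    if version > hi:
        return (f"mismatch: policy version {version} is newer than the "
                f"tool's range {lo}-{hi}; update or rebuild the tools")
    return f"mismatch: policy version {version} is older than {lo}-{hi}"


# Constructed sample: the header of a version-25 policy, not a real policy file.
SAMPLE_HEADER = (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
                 + POLICYDB_STRING + struct.pack("<I", 25))

if __name__ == "__main__":
    # On a real system, pass the first 32 bytes of the policy file instead,
    # e.g. /etc/selinux/targeted/policy/policy.25 from the error message.
    found = read_policy_version(SAMPLE_HEADER)
    print(check_tool_range(found, 15, 24))
```
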