shintaro_fujiwara wrote:
I think F7 strict policy is broken. Let's wait for a while until SELinux guys fix it. I decided to play with FC6 this time.
On 2007-08-08 (Wed) at 14:43 -0700, Hal wrote:
Authentication failed again:( but meanwhile I have checked firefox on strict policy on FC7 it does not work.
--- shintaro_fujiwara shin216@xf7.so-net.ne.jp wrote:
On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
Well I managed to compile the module, but it does not work for me. Compiled, loaded, set enforcing and: "authentication failed" again.
I do not know if I am stupid, but I can not get along with this SELinux...
Does this module work for you guys????
hal
--- "Christopher J. PeBenito" cpebenito@tresys.com wrote:
On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
I have tried with logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
Because we did not write
class capability { audit_write };
in require brace.
write it and try again. Did you make it?
As a matter of fact, I have another problem on strict policy. I ended up breaking F7 altogether eliminating libselinux with --nodeps. Now I'm trying to upgrade FC6 to F7. You can upgrade FC6 to F7, if you are tired of your process on F7. Do not stop trying strict policy. Never surrender. It's rewarding, and SELinux guys will guide you to the right place.
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I really have no idea what all this means. There is no "allow" anywhere in local.te. If it is in this macro at the end...
Do I need to install the policy source and edit it?
It is in the interface. You need to change this:
module local 1.0;
to this:
policy_module(local,1.0)
It will automatically require all of the kernel object classes.
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
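As an added illustration (not code from the thread or from the reference policy project): the two forms of local.te that the replies contrast, using Hal's type local_login_t and the audit_write capability. Assumed: logging_send_audit_msgs() expands to the allow rule shown in Hal's error output, and the build/load commands are the standard ones from the thread's Makefile.

```selinux
# ---- local.te, form 1: raw module syntax (what Hal had) ----
# "module local 1.0;" requires nothing implicitly, so every type AND every
# object class used by a rule must be listed in require { }.  The interface
# call expands to "allow local_login_t self:capability audit_write;", and
# because 'capability' was never declared, checkmodule reports
# "unknown class capability used in rule" at the ';' of that rule.
module local 1.0;

require {
    type local_login_t;
    class capability { audit_write };   # the missing declaration
}

allow local_login_t self:capability audit_write;

# ---- local.te, form 2: refpolicy macro (Chris's fix), as a separate file ----
# policy_module() expands to the module header plus a require block for all
# kernel object classes and permissions, so only the types still need to be
# declared; the interface can then be used directly.
#
# policy_module(local, 1.0)
#
# require {
#     type local_login_t;
# }
#
# logging_send_audit_msgs(local_login_t)

# Build and load either form (run as root):
#   make -f /usr/share/selinux/devel/Makefile local.pp
#   semodule -i local.pp
```

Only one of the two forms belongs in a given local.te; the second is shown commented so the file compiles as written.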
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I am not sure what is broken on Firefox on Strict policy as of Fedora 7. I have begun the merge of strict and targeted in rawhide Fedora Core 8/Test1. I have done some rewriting of the Mozilla/Firefox policy. There were several problems in the existing policy and several problems in the way the OS is designed. Mainly these dealt with the use of the /tmp file system by gnome.
I have rewritten the mozilla policy to use one of three booleans.
- firefox no network access (r/only)
- Firefox with network access (R/O on homedir)
- Firefox with network access (r/w on homedir)
firefox currently transitions from the user domain to userdomain_mozilla_t. So for example
user_t -> user_mozilla_t. But I am allowing firefox to r/w user_tmp_t as well as user_mozilla_tmp_t.
This allows firefox to interact with X sockets, gdm_files, iceauth files, orbitz files. Trying to lock this down does not work.
So if you want to use a locked down firefox, I would recommend looking at Fedora 8 Test1, and setting up an xguest user.
xguest users can only access the web via firefox and are totally locked down.