On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote:
On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
Hi,
I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6 and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. The system works and I was trying to add some settings to the selinux policy by running audit2allow. It was okay before noon:
# audit2allow -M local < /var/log/audit/audit.log
# semodule -i local.pp
The new modules were added and it works. However, later, I can't do it again, but always get error:
# audit2allow -M local < /var/log/audit/audit.log
compilation failed:
(unknown source)::ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from local.te
and the file local.te has only one line:
module local 1.0;
not like before. Can somebody tell me what is wrong? "on line 6" of what file? I rebooted the system; still the same.
What version of policycoreutils?
The implication is that there were no avc denials in /var/log/audit/audit.log, and thus the generated module was empty. Possibly your audit logs were automatically rotated?
You should really be using the -a option btw, e.g.
# audit2allow -a -M local
That will pull all messages from audit, including older audit logs I believe.
-- Stephen Smalley National Security Agency
Yes, you are right -- there were no avc denials in the audit.log. Now, I set enforced and try a squirrelmail plugin change_passwd; it creates some avc denials, and then it works:
# audit2allow -a -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i local.pp
However, it fails when I run:
# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
Actually, this has been an old problem since fc5 linux (not in fc4 or earlier) -- once set enforced, password cannot be changed from squirrelmail (web site), and modules with "shadow..." cannot be added. Is there any way to change it? The reason is simple: my squirrelmail users need to change their password from within squirrelmail (web site) and I want to set selinux enforced.
BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.
Ideally you wouldn't be running that plugin directly in httpd_t.
The assertions aka neverallow rules can be overridden, but they are there as a warning to you that you are trying to allow something that is unsafe, in this case allowing your httpd processes to directly access your shadow file. It would be better if that plugin ran in a separate process in its own domain.
To allow it anyway, you can use the refpolicy interface to allow such access, which will also add the type to the right attribute to satisfy the assertion/neverallow rule. In this case, that would mean adding:
auth_rw_shadow(httpd_t)
to your local.te file and then running:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp
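The two failure modes in this thread (an audit log with no AVC denials, which makes audit2allow emit a header-only local.te that checkmodule rejects, and a generated allow rule that libsepol's neverallow assertions reject at semodule time) can both be caught before any module is built. The following pre-flight script is an added example written for this thread; it is not part of the thread, of audit2allow, or of refpolicy. It parses AVC denial records the way audit2allow does, renders the allow rules audit2allow would produce, and flags rules that hit a known assertion, pointing at the refpolicy interface Stephen names instead. The NEVERALLOW table is an assumption that encodes only the single assertion quoted above (refpolicy has many more), and the audit log lines are constructed samples in the standard AVC record format.

```python
"""Pre-flight check for audit2allow input (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: two httpd_t denials on the shadow file
# and one on ordinary web content, plus a non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1178735000.101:201): avc:  denied  { read } for  pid=2301 comm="httpd" name="shadow" dev=dm-0 ino=131139 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178735000.102:202): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/etc/shadow" dev=dm-0 ino=131139 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1178735000.103:203): avc:  denied  { read } for  pid=2301 comm="httpd" name="config.php" dev=dm-0 ino=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1178735000.101:201): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

# Matches the permission set and the three context fields of an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)

# Assumption: only the assertion quoted in the thread. Key is (source type,
# target type, object class); value is the refpolicy interface to use instead
# of a raw allow rule, so the type lands on the attribute the assertion expects.
NEVERALLOW = {
    ('httpd_t', 'shadow_t', 'file'): 'auth_rw_shadow(httpd_t)',
}


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        # Contexts are user:role:type[:mls]; the type is always the third field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        rules[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(rules)


def render_rule(key, perms):
    """Render one rule in the form audit2allow writes into local.te."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def to_te_rules(rules):
    """All rules, in a stable order, as they would appear in local.te."""
    return [render_rule(key, rules[key]) for key in sorted(rules)]


def preflight(log_text):
    """Classify what audit2allow would build from this log.

    Returns ('empty', []) when there are no denials (audit2allow would write a
    module containing only the 'module local 1.0;' header, and checkmodule then
    fails with a syntax error), ('assertion', [(rule, interface), ...]) when a
    rule would violate a known neverallow and semodule would refuse the package,
    or ('ok', [rules...]) when the plain allow rules can be loaded as generated.
    """
    rules = parse_avc_denials(log_text)
    if not rules:
        return 'empty', []
    flagged = [(render_rule(key, rules[key]), NEVERALLOW[key])
               for key in sorted(rules) if key in NEVERALLOW]
    if flagged:
        return 'assertion', flagged
    return 'ok', to_te_rules(rules)


if __name__ == '__main__':
    status, details = preflight(SAMPLE_AUDIT_LOG)
    print(f'status: {status}')
    for item in details:
        print('  ', item)
```

Run against a real log with `preflight(open('/var/log/audit/audit.log').read())`; an `empty` result is the cue to use `audit2allow -a` (or check whether the log was rotated) rather than to debug local.te, and an `assertion` result names the interface to put in local.te in place of the raw allow rule before running the refpolicy Makefile.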