On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
Hi,
I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6 and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. The system works and I was trying to add some settings to the selinux policy by running audit2allow. It was okay before noon:
# audit2allow -M local < /var/log/audit/audit.log # semodule -i local.pp
The new modules were added and it works. However, later, I can't do it again, but always get error:
# audit2allow -M local < /var/log/audit/audit.log compilation failed: (unknown source)::ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from local.te
and the file local.te has only one line:
module local 1.0;
not like before. Can somebody tell what is wrong? "on line 6" of what file? I reboot the system, still the same.
What version of policycoreutils?
The implication is that there were no avc denials in /var/log/audit/audit.log, and thus the generated module was empty. Possibly your audit logs were automatically rotated?
You should really be using the -a option btw, e.g. audit2allow -a -M local That will pull all messages from audit, including older audit logs I believe.
-- Stephen Smalley National Security Agency
Yes, you are right -- there was no avc denials in the audit.log. Now, I set enforced and try a squirrelmail plugin change_passwd, it creates some avc denials, and then it works:
# audit2allow -a -M local ******************** IMPORTANT *********************** To make this policy package active, execute:
semodule -i local.pp
However, it fails when I run: # semodule -i local.pp libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read }; libsepol.check_assertions: 1 assertion violations occured libsemanage.semanage_expand_sandbox: Expand module failed
Actually, this has been an old problem since fc5 linux (not in fc4 or earlier) -- once set enforced, password cannot be changed from squirrelmail (web site), modules with "shadow..." cannot be added. Is there anyway to change it? The reason is simple: my squirrelmail users need to change their password from within squirrelmail (web site) and I want to set selinux enforced.
BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.
I appreciate all the help!
Hongwei Li