Hi,
I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6 and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. The system works and I was trying to add some settings to the selinux policy by running audit2allow. It was okay before noon:
# audit2allow -M local < /var/log/audit/audit.log
# semodule -i local.pp
The new modules were added and it works. However, later I can't do it again, and always get this error:
# audit2allow -M local < /var/log/audit/audit.log
compilation failed:
(unknown source)::ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from local.te
and the file local.te has only one line:
module local 1.0;
not like before. Can somebody tell me what is wrong? "on line 6" of what file? I rebooted the system; still the same.
Thanks a lot!
Hongwei Li
On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote:
What version of policycoreutils?
The implication is that there were no avc denials in /var/log/audit/audit.log, and thus the generated module was empty. Possibly your audit logs were automatically rotated?
You should really be using the -a option btw, e.g.
# audit2allow -a -M local
That will pull all messages from audit, including older audit logs I believe.
-- Stephen Smalley National Security Agency
Yes, you are right -- there were no avc denials in the audit.log. Now I set enforcing and tried the squirrelmail plugin change_passwd; it creates some avc denials, and then it works:
# audit2allow -a -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i local.pp
However, it fails when I run:
# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
Actually, this has been an old problem since fc5 linux (not in fc4 or earlier) -- once set to enforcing, the password cannot be changed from squirrelmail (web site), and modules with "shadow..." cannot be added. Is there any way to change it? The reason is simple: my squirrelmail users need to change their password from within squirrelmail (web site) and I want to set selinux enforcing.
BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.
I appreciate all the help!
Hongwei Li
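Stephen's point above is that an audit.log with no AVC denials yields a module whose body is empty, and Hongwei's semodule failure shows the other side: a generated allow rule that targets shadow_t trips a neverallow assertion at install time. The following shell script is an added example, not code from the thread or from the policycoreutils/audit2allow project. It counts AVC denial records in a small sample log (constructed for this example), reduces them to the allow rules audit2allow -M would emit, and flags the rules targeting shadow_t so the assertion is caught before semodule -i. The sample records and the function names are assumptions; only the record layout follows the kernel AVC format.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check on audit records
# before running audit2allow -M / semodule -i. The sample log below is
# CONSTRUCTED for this example; record layout follows the kernel AVC format.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1178736000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1178736000.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1178736010.456:46): avc:  denied  { search getattr } for  pid=2401 comm="sendmail" name="home" dev=dm-0 ino=2 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1178736020.789:47): avc:  denied  { read } for  pid=2500 comm="rpc.nfsd" path="pipe:[9999]" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=fifo_file'

# Count AVC denial records in the log text passed as $1.
# A count of 0 is the situation Stephen describes: audit2allow -M then
# emits a module containing only "module local 1.0;" and checkmodule
# fails with a syntax error on the empty body.
count_avc_denials() {
    printf '%s\n' "$1" | grep -c 'avc: *denied' || true
}

# Reduce AVC records on stdin to the allow rules audit2allow would generate:
# source and target types are the third field of scontext= / tcontext=,
# the object class comes from tclass=, the permission set from the braces.
avc_to_rules() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }' | sort -u
}

# Print the rules on stdin whose target is shadow_t. Installed as raw allow
# rules these trip the policy neverallow assertion at semodule -i time (the
# libsepol.check_assertion_helper failure shown in the thread). A rule listed
# here is the prompt to use the refpolicy interface instead, or better, to ask
# whether that domain should touch the shadow file at all.
flag_shadow_rules() {
    grep ' shadow_t:' || true
}

# Stand-alone run over the constructed sample.
echo "AVC denials found: $(count_avc_denials "$SAMPLE_AUDIT_LOG")"
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_rules
echo "Rules targeting shadow_t (would violate the neverallow assertion):"
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_rules | flag_shadow_rules
```

On a real box the sample text would be replaced by the output of ausearch or the contents of the rotated audit logs, which is what audit2allow -a reads; the point of the check is that an empty count or a shadow_t hit is visible before any module is compiled or installed.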
On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote:
Ideally you wouldn't be running that plugin directly in httpd_t.
The assertions aka neverallow rules can be overridden, but they are there as a warning to you that you are trying to allow something that is unsafe, in this case allowing your httpd processes to directly access your shadow file. It would be better if that plugin ran in a separate process in its own domain.
To allow it anyway, you can use the refpolicy interface to allow such access, which will also add the type to the right attribute to satisfy the assertion/neverallow rule. In this case, that would mean adding:
auth_rw_shadow(httpd_t)
to your local.te file and then running:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp
-- Stephen Smalley National Security Agency
Thank you for the help! However, I got an error when doing it.
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted localb module
/usr/bin/checkmodule: loading policy configuration from tmp/localb.tmp
localb.te:6:ERROR 'syntax error' at token '' on line 78455:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/localb.mod] Error 1
My local.te is:
module local 1.0;

require {
    type portmap_t;
    type home_root_t;
    type system_mail_t;
    type nfsd_t;
    type crond_t;
    type httpd_t;
    type restorecon_t;
    type shadow_t;
    class dir { search getattr };
    class file read;
    class fifo_file read;
}

auth_rw_shadow(httpd_t);

#============= httpd_t ==============
allow httpd_t shadow_t:file read;

#============= nfsd_t ==============
allow nfsd_t crond_t:fifo_file read;

#============= portmap_t ==============
allow portmap_t crond_t:fifo_file read;

#============= restorecon_t ==============
allow restorecon_t crond_t:fifo_file read;

#============= system_mail_t ==============
allow system_mail_t home_root_t:dir { search getattr };
allow system_mail_t httpd_t:file read;
What is the "syntax error"? Did I add the line auth_rw_shadow(httpd_t); incorrectly?
I have selinux-policy-devel.noarch 0:2.4.6-62.fc6 installed.
Thanks!
Hongwei
On Wed, 2007-05-09 at 16:05 -0500, Hongwei Li wrote:
> Thank you for the help! However, I got an error when doing it.
> # make -f /usr/share/selinux/devel/Makefile
> Compiling targeted localb module
> /usr/bin/checkmodule: loading policy configuration from tmp/localb.tmp
> localb.te:6:ERROR 'syntax error' at token '' on line 78455:
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/localb.mod] Error 1
The above error is on something called "localb.te", not "local.te". Do you have multiple .te files in your working directory? If so, move them elsewhere or move local.te into its own subdirectory, cd there, and try again.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> The above error is on something called "localb.te", not "local.te". Do you have multiple .te files in your working directory? If so, move them elsewhere or move local.te into its own subdirectory, cd there, and try again.
Yes, I did have localb.te for testing. I removed it, reran the command, and now it is working. Thank you very, very much!
Hongwei