Hi,
I'm trying to enable strict policy on FC7 and need to do this too. But I got this error when I tried to compile the module:
[root@localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642:
#line 10
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Thanks & Rgds, Louis
----- Original Message ----
From: shintaro_fujiwara shin216@xf7.so-net.ne.jp
To: Hal hal_bg@yahoo.com; fedora-selinux-list@redhat.com
Sent: Tuesday, August 7, 2007 5:27:16 PM
Subject: Re: Strict policy on FC6 and F7
On 2007-08-07 (Tue) at 09:48 -0700, Hal wrote:
Hallo
After a problem with the strict policy in FC6 (Firefox does not start under strict policy, no messages at all), I decided to check whether Firefox under strict policy on F7 works. I have installed F7 and enabled strict policy. But from now on I can no longer log in when enforcing is on. When I enter username and password I get permission denied, even for root in GDM. In the console I just get a new "username" prompt.
I do not understand why Firefox does not start in FC6 and why I cannot log in on F7 under strict policy.
What might be wrong? Because you're now in enforcing mode,
please disable SELinux and log in. Install the devel policy:
#yum install selinux-policy-devel
Please install this module.
#vim local.te
module local 1.0;

require {
    type local_login_t;
    class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local
Set SELinux enforcing.
Did it work?
Hal
____________________________________________________________________________________
Luggage? GPS? Comic books? Check out fitting gifts for grads at Yahoo! Search http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=...
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Send instant messages to your online friends http://uk.messenger.yahoo.com
Hi, so far it did not work. This is what I get:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'syntax error' at token 'logging_send_audit_msg' on line 81076:
logging_send_audit_msg(local_login_t) }
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Hal
____________________________________________________________________________________ Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. http://smallbusiness.yahoo.com/webhosting
On 2007-08-08 (Wed) at 02:57 -0700, Hal wrote:
Hi, so far it did not work. This is what I get:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'syntax error' at token 'logging_send_audit_msg' on line 81076:
logging_send_audit_msg(local_login_t) }
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
All right. I've checked the Tresys page and found the interface name is...
http://oss.tresys.com/docs/refpolicy/api/interfaces.html
logging_send_audit_msgs
Try this.
Solved?
I have another problem on strict policy, so keep in touch. Cheers!
Hal
Ooops. This seems to be the same problem as Hal has.
My suggestion is: do not use an allow statement, but use an interface. Please read Hal and I might solve this problem. Comment out those lines, the same as the interface says. I mean,
#allow local_login_t ...
You can do it! Because I already solved it.
On 2007-08-08 (Wed) at 02:11 -0700, Louis Lam wrote:
Hi,
I'm trying to enable strict policy on FC7 and need to do this too. But I got this error when I tried to compile the module:
[root@localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642:
#line 10
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I have tried with logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I really have no idea what all this means. There is no "allow" anywhere in local.te; if it is in these macros at the end... Do I need to install the policy source and edit it?
However, I am more interested in solving the Firefox problem on FC6. On the other hand, I do not understand how login can be disabled in the strict policy in F7. Is this a bug or a feature? I am really confused.
____________________________________________________________________________________ Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more. http://mobile.yahoo.com/go?refer=1GNXIC
On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
I have tried with logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
I really have no idea what all this means. There is no "allow" anywhere in local.te; if it is in these macros at the end... Do I need to install the policy source and edit it?
It is in the interface. You need to change this:
module local 1.0;
to this:
policy_module(local,1.0)
It will automatically require all of the kernel object classes.
Well, I managed to compile the module, but it does not work for me. Compiled, loaded, set enforcing and: "authentication failed" again.
I do not know if I am stupid, but I cannot get along with this SELinux...
Does this module work for you guys????
hal
On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
I have tried with logging_send_audit_msgs(local_login_t)
But still:
[root@localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
Because we did not write
class capability { audit_write };
in the require braces.
Write it and try again. Did you make it?
As a matter of fact, I have another problem on strict policy. I ended up breaking F7 altogether by eliminating libselinux with --nodeps. Now I'm trying to upgrade FC6 to F7. You can upgrade FC6 to F7 if you are tired of your process on F7. Do not stop trying strict policy. Never surrender. It's rewarding, and the SELinux guys will guide you to the right place.
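The three corrections the thread arrives at (the interface is logging_send_audit_msgs, not logging_send_audit_msg; policy_module() replaces the bare "module local 1.0;" line so every kernel object class, including capability with audit_write, is required automatically; and the audit_write rule is supplied by the interface rather than hand-written) assembled into one local.te, together with the build and load commands quoted above. This is an added example, not a file from the thread or from the reference policy; the functions write_local_te, lint_local_te and build_local_module are hypothetical helpers, and the plain require block for the type is assumed to be accepted alongside policy_module(). The thread itself only confirms that this shape compiles; Hal still reported "authentication failed" afterwards, so loading the module is not shown to fix the strict-policy login problem on F7.

```shell
#!/bin/sh
# Added example (not from the thread): the local.te that results from the
# three corrections made in this thread, plus the build/load steps quoted
# above, wrapped in hypothetical helper functions.

# Write the corrected policy module source to the path given as $1.
write_local_te() {
    cat > "$1" <<'EOF'
# policy_module() replaces "module local 1.0;": it declares the module and
# requires every kernel object class, so "class capability { audit_write }"
# no longer has to be listed by hand (the fix Chris PeBenito gave).
policy_module(local, 1.0)

# Only the type still has to be required explicitly; the interfaces below
# carry their own requirements for the classes and permissions they use.
# (Assumption: a plain require block is accepted next to policy_module().)
require {
    type local_login_t;
}

# Interface name per the reference policy API page: logging_send_audit_msgs,
# not logging_send_audit_msg (the fix shintaro found). It provides the
# audit_write capability and netlink_audit_socket access that the original
# module tried to spell out with a class list and that the build error
# showed as "allow local_login_t self:capability audit_write;".
logging_send_audit_msgs(local_login_t)
logging_set_loginuid(local_login_t)
EOF
}

# Report the three mistakes this thread hit, so a .te can be checked before
# running make. Comments are stripped first. Prints one line per problem
# and returns 1 if any was found, 0 if the file is clean.
lint_local_te() {
    rc=0
    stripped=$(sed 's/#.*//' "$1")
    if printf '%s\n' "$stripped" | grep -q '^module '; then
        echo "$1: use policy_module(name, version) instead of a bare module line"; rc=1
    fi
    if printf '%s\n' "$stripped" | grep -q 'logging_send_audit_msg('; then
        echo "$1: the interface is logging_send_audit_msgs (with an s)"; rc=1
    fi
    if printf '%s\n' "$stripped" | grep -q 'allow .*:capability'; then
        echo "$1: let logging_send_audit_msgs supply the capability rule instead of writing allow by hand"; rc=1
    fi
    return $rc
}

# Build, load and verify with the commands from the thread. Refuses to run
# where selinux-policy-devel is not installed (e.g. on a non-SELinux host).
build_local_module() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed; run: yum install selinux-policy-devel" >&2
        return 2
    fi
    make -f /usr/share/selinux/devel/Makefile local.pp \
        && semodule -i local.pp \
        && semodule -l | grep '^local'
}
```

Typical use on the affected machine, in permissive mode or with SELinux disabled as shintaro suggests, is write_local_te local.te, lint_local_te local.te, then build_local_module from the same directory; semodule -l | grep local confirms the module is loaded before switching back to enforcing.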
Authentication failed again :( but meanwhile I have checked Firefox on strict policy on FC7; it does not work.
____________________________________________________________________________________ Sick sense of humor? Visit Yahoo! TV's Comedy with an Edge to see what's on, when. http://tv.yahoo.com/collections/222
I think the F7 strict policy is broken. Let's wait a while until the SELinux guys fix it. I decided to play with FC6 this time.
On 2007-08-08 (Wed) at 14:43 -0700, Hal wrote:
Authentication failed again :( but meanwhile I have checked Firefox on strict policy on FC7; it does not work.
shintaro_fujiwara wrote:
I think the F7 strict policy is broken. Let's wait a while until the SELinux guys fix it. I decided to play with FC6 this time.
I am not sure what is broken with Firefox on strict policy as of Fedora 7. I have begun the merge of strict and targeted in rawhide (Fedora Core 8 Test1). I have done some rewriting of the Mozilla/Firefox policy. There were several problems in the existing policy and several problems in the way the OS is designed. Mainly these dealt with the use of the /tmp file system by GNOME.
I have rewritten the mozilla policy to use one of three booleans:
Firefox, no network access (r/only)
Firefox with network access (r/o on homedir)
Firefox with network access (r/w on homedir)
Firefox currently transitions from the user domain to userdomain_mozilla_t. So for example
user_t -> user_mozilla_t. But I am allowing Firefox to r/w user_tmp_t as well as user_mozilla_tmp_t.
This allows Firefox to interact with X sockets, gdm files, iceauth files and ORBit files. Trying to lock this down does not work.
So if you want to use a locked-down Firefox, I would recommend looking at Fedora 8 Test1 and setting up an xguest user.
xguest users can only access the web via Firefox and are totally locked down.
selinux@lists.fedoraproject.org