List Archive: gentoo-hardened
Actually what you have there is a mislabeled file. Here's the relevant
poop:
# cd /etc/selinux/strict/contexts/files
# grep ld.so.cache file_contexts
/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t
/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t
# ls -Z /etc/ld.so.cache
-rw-r--r-- root root root:object_r:ld_so_cache_t /etc/ld.so.cache
See if this does the trick:
# restorecon -v /etc/ld.so.cache
If that doesn't change it, your system is not firing the rule properly
or else it is missing from the file_contexts file for some reason. I've
had some rules fail to fire on an x86_64 box because there were issues
matching the /lib symlink to the /lib64 target and so forth. Also, have
you done an rlpkg to relabel your filesystem lately?
Dominik J. Fischer wrote:
> Dear list,
>
> I am running a freshly installed SELinux system with
> sec-policy/selinux-base-policy 20070329 in strict/permissive mode.
>
> When I try to write a TE module for my avc denials the compiler doesn't
> resolve the necessary types. For example, considering the following avc
> entry for type consoletype:
>
> vmdefault # dmesg | grep avc
> audit(1190988750.096:3): avc: denied { read } for pid=26115
> comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476
> scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t
> tclass=file
> audit(1190988750.096:4): avc: denied { getattr } for pid=26115
> comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476
> scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t
> tclass=file
>
> My policy module looks like this:
>
> policy_module(local,1.0.0)
> type local_t;
> files_read_etc_files(consoletype_t)
>
> When I try to compile, the compiler gives me an unknown type error:
>
> vmdefault include # make -f /usr/share/selinux/strict/include/Makefile
> Compiling strict local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:11:ERROR 'unknown type consoletype_t' at token ';' on line
> 78133:
> allow consoletype_t etc_t:dir { getattr search read lock
> ioctl };
> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
> Seems to me that the compiler does not resolve the types against the
> base policy.
>
> Any ideas? Comments are highly appreciated.
>
> Dominik
>
>
--
gentoo-hardened@g.o mailing list
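Added example, not from the thread and not Gentoo's or libselinux's code: a small offline re-implementation of the file_contexts matching rules, so the "is the rule firing, or is the file just mislabeled?" question above can be answered from a file_contexts excerpt and old-style `ls -Z` output without SELinux tools installed. It assumes the rules as documented in file_contexts(5) and restorecon(8): every pattern is anchored as `^regex$`, the optional middle field restricts the entry to one file type (`--` regular file, `-d` directory, `-l` symlink, and so on), the last matching line wins, and restorecon by default replaces only the type component of a context, keeping user and role (which is why the relabeled file above still shows `root:object_r:ld_so_cache_t` rather than `system_u:...`). The function names `parse_file_contexts`, `lookup` and `check_labels`, the file_contexts excerpt and the `ls -Z` lines are all constructed for this example; Python's `re` stands in for the PCRE engine libselinux uses.

```python
"""Offline check of file labels against an SELinux file_contexts file.

Added example (not from the gentoo-hardened thread): reimplements the
file_contexts matching rules (anchored regex, optional file-type field,
last matching line wins) and restorecon's default of resetting only the
type component, so a mislabeled file can be spotted from text alone.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# file_contexts(5) file-type field -> the type letter in column 1 of ls -l.
FTYPE_MAP = {"--": "-", "-d": "d", "-l": "l", "-c": "c",
             "-b": "b", "-s": "s", "-p": "p"}


@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]     # None: entry applies to every file type
    context: Optional[str]   # None: entry was <<none>> (leave the file alone)
    lineno: int


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse 'regex [file-type] context' lines; '#' starts a comment."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields[0], FTYPE_MAP[fields[1]], fields[2]
        elif len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        else:
            raise ValueError(f"bad file_contexts entry on line {lineno}: {raw!r}")
        # libselinux anchors every pattern as ^regex$ before compiling it.
        compiled = re.compile("^(?:" + regex + ")$")
        specs.append(Spec(compiled, ftype, None if ctx == "<<none>>" else ctx, lineno))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[Spec]:
    """Entry that applies to path: the last matching line in the file wins."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue  # entry is restricted to another file type
        if spec.regex.match(path):
            return spec
    return None


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_ls_z(line: str) -> Tuple[str, str, str]:
    """Old coreutils 'ls -Z' layout from the thread: mode owner group context path."""
    fields = line.split()
    return fields[0][0], fields[-2], fields[-1]


def check_labels(specs: List[Spec], ls_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Files whose type differs from file_contexts, paired with the context
    restorecon would set by default (type replaced, user/role/range kept)."""
    wrong = []
    for line in ls_lines:
        ftype, current, path = parse_ls_z(line)
        spec = lookup(specs, path, ftype)
        if spec is None or spec.context is None:
            continue  # no rule fires, or <<none>>: nothing to reset
        want = context_type(spec.context)
        if context_type(current) != want:
            parts = current.split(":")
            fixed = ":".join(parts[:2] + [want] + parts[3:])
            wrong.append((path, current, fixed))
    return wrong


# Constructed excerpt in file_contexts format (not copied from a real policy).
SAMPLE_FILE_CONTEXTS = r"""
/.*                      system_u:object_r:default_t
/etc(/.*)?               system_u:object_r:etc_t
/etc/ld\.so\.cache   --  system_u:object_r:ld_so_cache_t
/etc/ld\.so\.preload --  system_u:object_r:ld_so_cache_t
"""

# Constructed 'ls -Z' output; the first line mirrors the mislabeled file in the thread.
SAMPLE_LS_Z = [
    "-rw-r--r-- root root root:object_r:etc_t /etc/ld.so.cache",
    "-rw-r--r-- root root system_u:object_r:ld_so_cache_t /etc/ld.so.preload",
    "drwxr-xr-x root root system_u:object_r:etc_t /etc",
]


def main() -> None:
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, current, fixed in check_labels(specs, SAMPLE_LS_Z):
        print(f"{path}: {current} -> {fixed}")  # the reset restorecon would make


if __name__ == "__main__":
    main()
```

If `lookup` finds the `ld_so_cache_t` entry for the path but the file still carries `etc_t`, the rule exists and the file is simply mislabeled, which is the `restorecon` case; if no entry more specific than `/etc(/.*)?` is found, the spec is missing from the file_contexts actually installed, which is the "missing from the file_contexts file" case. Note that this checks the compiled policy's labeling data only; it says nothing about why the quoted module fails to build, which is a separate matter of the module referencing `consoletype_t` without declaring it in a `gen_require` block, as refpolicy modules must for types they do not define themselves.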