| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 28.05.2012 11:13, Sven Vermeulen wrote: |
| 5 |
> Hi guys 'n girls, |
| 6 |
> |
| 7 |
> The next iteration of our policies is now in the hardened-dev |
| 8 |
> overlay. For ~arch users, this is one you will probably need to |
| 9 |
> install through a small workaround, but first the changes: |
| 10 |
> |
| 11 |
> #417937 Do not audit access to device_t:chr_file by dmesg |
| 12 |
> #417857 Support dynamic /run directories #413719 |
| 13 |
> Correct udev context in /run/udev <no bug> Backporting |
| 14 |
> SEPostgresql changes <no bug> Update udev file contexts |
| 15 |
> (udevadm and udevd binaries) #417821 Mark |
| 16 |
> /etc/selinux/*/modules as semanage_store_t (fixes permission issue |
| 17 |
> on .../modules/tmp) |
| 18 |
> |
| 19 |
> ~arch users will, if they have -r9 or -r10 installed, need to do |
| 20 |
> the following steps first: |
| 21 |
> |
| 22 |
> """ setenforce 0 semanage fcontext -a -t semanage_store_t |
| 23 |
> "/etc/selinux/strict/modules" restorecon -R |
| 24 |
> /etc/selinux/strict/modules setenforce 1 """ |
| 25 |
> |
| 26 |
> This is because otherwise any attempt to load the new policy will |
| 27 |
> result in a failure. Of course, substitute "strict" with your |
| 28 |
> SELinux policy type you have installed. |
| 29 |
> |
| 30 |
> This also means that r9 and r10 are no candidates for |
| 31 |
> stabilization. And since r8 is fairly low on changes, r11 is the |
| 32 |
> next stabilization candidate. |
| 33 |
> |
| 34 |
> Wkr, Sven Vermeulen |
| 35 |
> |
| 36 |
|
| 37 |
Hi, |
| 38 |
|
| 39 |
I've got some problems with r11 on mcs. The error is: |
| 40 |
|
| 41 |
Creating mcs base module base.conf |
| 42 |
Compiling mcs base module |
| 43 |
/usr/bin/checkmodule: loading policy configuration from base.conf |
| 44 |
base.conf:2184:ERROR 'permission execute is not defined' at token ';' |
| 45 |
on line 2184: |
| 46 |
( h1 dom h2 ); |
| 47 |
mlsconstrain db_schema { drop getattr setattr relabelfrom execute } |
| 48 |
/usr/bin/checkmodule: error(s) encountered while parsing configuration |
| 49 |
make: *** [tmp/base.mod] Error 1 |
| 50 |
|
| 51 |
The error is introduced in |
| 52 |
"0098-all-sepostgresql_updates_backport-r11.patch". |
| 53 |
|
| 54 |
In older versions db_schema is db_language (which by the way is in the |
| 55 |
older versions defined two times). If I remove the "execute" from |
| 56 |
db_schema it builds. I don't know if db_schema needs execute, if not |
| 57 |
it should be dropped, otherwise execute should be defined for |
| 58 |
db_schema, I think. |
| 59 |
|
| 60 |
WKR |
| 61 |
|
| 62 |
Hinnerk van Bruinehsen |
| 63 |
|
| 64 |
|
| 65 |
|
| 66 |
-----BEGIN PGP SIGNATURE----- |
| 67 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 68 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 69 |
|
| 70 |
iQEcBAEBAgAGBQJPxOuhAAoJEJwwOFaNFkYc1hkIAI0IPqIVub5DgflWjMaxo2dW |
| 71 |
fWFsXmtyDWQ6peRf+FgKszwDe+XHw1IL9bW9UdVDd7/ClN+8tJnTm5Da1cd5txN4 |
| 72 |
gx+QyUiahw6WL4sgb9aQZo+Fkfm1YpdU3VsFvjtLbxvmiRG6LHAuwY7e8nvEDC5h |
| 73 |
REkpjMc/F5tWaT0WGd8UobYzY75MABGaH94ZwInIkl3KVPT8dMM6OSJ8Z4tmeWaT |
| 74 |
q45moIerdk5mQFu/cYcB3V/29QSx3Z3nI/Ehk547RWoAvBqCNyn6GknpF0nh+jYb |
| 75 |
q4N28fsnnHnj55g39LHZJqV2IqfRzIsWsgcUmJKzCI7As7VMePLNZtlB0shl7/Y= |
| 76 |
=mCYS |
| 77 |
-----END PGP SIGNATURE----- |
Archives