On 24/11/16 17:07, Jason Zaman wrote:
> That warning is harmless, I'll remove the line from the policy later.
> For now ignore it or manually remove the line to silence the warning.
> http://blog.perfinion.com/2016/10/selinux-userspace-26-released/

Sorry Jason, but I am not making much progress. I have emerged as you
suggested with the 20151208-r6 versions (and setools4). When I repeat
the search for portage_sandbox I get the same results as before:

# sesearch -s portage_sandbox_t -t portage_tmp_t -A
allow portage_sandbox_t non_auth_file_type:dir { search read lock
getattr ioctl open };
allow portage_sandbox_t non_auth_file_type:file { read lock ioctl open
getattr };
allow portage_sandbox_t non_auth_file_type:lnk_file { read getattr };
allow portage_sandbox_t portage_tmp_t:dir { rename search setattr read
lock create reparent getattr write ioctl link rmdir remove_name unlink
open add_name };
allow portage_sandbox_t portage_tmp_t:fifo_file { rename setattr read
lock create getattr write ioctl link unlink open append };
allow portage_sandbox_t portage_tmp_t:file { rename execute setattr read
lock create getattr execute_no_trans write relabelfrom ioctl link
relabelto unlink open append };
allow portage_sandbox_t portage_tmp_t:lnk_file { rename setattr read
lock create getattr write ioctl link unlink };
allow portage_sandbox_t portage_tmp_t:sock_file { rename setattr read
lock create getattr write ioctl link unlink open append };

There is still no relabelto/from in the dir rule. I am not sure the
module rebuild worked. I tried the semodule -B again with -v and it all
happens rather quickly:

# semodule -B -v
Committing changes:
libsemanage.add_user: user system_u not in password file
Ok: transaction number 0.

Doesn't seem like it spent long rebuilding all those policies, but then
I wouldn't know if it is supposed to be quick?

Also, there doesn't seem to be a very easy way to confirm what policy
version is in place? I once saw a listing from semodule -l that included
version information but it doesn't happen on my system.

Robert
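
Added example, not part of Robert's message or of the Gentoo policy: a Python check that parses sesearch -A output like the listing above, rejoins rules wrapped across lines, and reports which permissions are absent for a given class. It unions every returned rule per class, on the assumption that all lines come from a single -s/-t query and that none of the rules are conditional; the function names are hypothetical.

```python
import re

# Constructed sample: three of the rules quoted in the message, keeping the
# wrapped form in which they appear there (one rule may span several lines).
SAMPLE = """\
allow portage_sandbox_t non_auth_file_type:dir { search read lock
getattr ioctl open };
allow portage_sandbox_t portage_tmp_t:dir { rename search setattr read
lock create reparent getattr write ioctl link rmdir remove_name unlink
open add_name };
allow portage_sandbox_t portage_tmp_t:file { rename execute setattr read
lock create getattr execute_no_trans write relabelfrom ioctl link
relabelto unlink open append };
"""

# allow <source> <target>:<class> { perm ... };   or   ... <class> perm;
ALLOW_RE = re.compile(
    r"\ballow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|([^\s;{]+))\s*;"
)

def effective_perms(sesearch_output):
    """Map each object class to the union of permissions in all allow rules."""
    # Collapse all whitespace so a rule split across lines parses as one.
    flat = " ".join(sesearch_output.split())
    perms = {}
    for m in ALLOW_RE.finditer(flat):
        tclass = m.group(3)
        body = m.group(4) if m.group(4) is not None else m.group(5)
        perms.setdefault(tclass, set()).update(body.split())
    return perms

def missing(sesearch_output, tclass, wanted):
    """Return the wanted permissions that no rule grants for tclass."""
    granted = effective_perms(sesearch_output).get(tclass, set())
    return sorted(set(wanted) - granted)

if __name__ == "__main__":
    for cls in ("dir", "file"):
        print(cls, "missing:", missing(SAMPLE, cls, ["relabelfrom", "relabelto"]))
```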