| 1 |
On Thu, Nov 24, 2016 at 09:13:35PM +0000, Robert Sharp wrote: |
| 2 |
> On 24/11/16 17:07, Jason Zaman wrote: |
| 3 |
> > That warning is harmless, i'll remove the line from the policy later. |
| 4 |
> > for now ignore it or manually remove the line to silence the warning. |
| 5 |
> > http://blog.perfinion.com/2016/10/selinux-userspace-26-released/ |
| 6 |
> |
| 7 |
> Sorry Jason, but I am not making much progress. I have emerged as you |
| 8 |
> suggested with the 20151208-r6 versions (and setools4). When I repeat |
| 9 |
> the search for portage_sandbox I get the same results as before: |
| 10 |
|
| 11 |
OH! I just looked harder at my configs, I do have this locally on my |
| 12 |
laptop: |
| 13 |
allow portage_sandbox_t portage_tmp_t:dir { relabelfrom relabelto }; |
| 14 |
I hadnt added it to the policies yet tho. I forgot why I needed it :(. |
| 15 |
Do all packages fail without it or only some? |
| 16 |
I will add it to the next policy release, I guess it was my fault all |
| 17 |
along :-P, sorry about that. |
| 18 |
|
| 19 |
> # sesearch -s portage_sandbox_t -t portage_tmp_t -A |
| 20 |
> allow portage_sandbox_t non_auth_file_type:dir { search read lock |
| 21 |
> getattr ioctl open }; |
| 22 |
> allow portage_sandbox_t non_auth_file_type:file { read lock ioctl open |
| 23 |
> getattr }; |
| 24 |
> allow portage_sandbox_t non_auth_file_type:lnk_file { read getattr }; |
| 25 |
> allow portage_sandbox_t portage_tmp_t:dir { rename search setattr read |
| 26 |
> lock create reparent getattr write ioctl link rmdir remove_name unlink |
| 27 |
> open add_name }; |
| 28 |
> allow portage_sandbox_t portage_tmp_t:fifo_file { rename setattr read |
| 29 |
> lock create getattr write ioctl link unlink open append }; |
| 30 |
> allow portage_sandbox_t portage_tmp_t:file { rename execute setattr read |
| 31 |
> lock create getattr execute_no_trans write relabelfrom ioctl link |
| 32 |
> relabelto unlink open append }; |
| 33 |
> allow portage_sandbox_t portage_tmp_t:lnk_file { rename setattr read |
| 34 |
> lock create getattr write ioctl link unlink }; |
| 35 |
> allow portage_sandbox_t portage_tmp_t:sock_file { rename setattr read |
| 36 |
> lock create getattr write ioctl link unlink open append }; |
| 37 |
> |
| 38 |
> There is still no relableto/from in the dir rule. I am not sure the |
| 39 |
> module rebuild worked. I tried the semodule -B again with -v and it all |
| 40 |
> happens rather quickly: |
| 41 |
> |
| 42 |
> # semodule -B -v |
| 43 |
> Committing changes: |
| 44 |
> libsemanage.add_user: user system_u not in password file |
| 45 |
> Ok: transaction number 0. |
| 46 |
> |
| 47 |
> Doesn't seem like it spent long rebuilding all those policies, but then |
| 48 |
> I wouldn't know if it is supposed to be quick? |
| 49 |
> |
| 50 |
> Also, there doesn't seem to be a very easy way to confirm what policy |
| 51 |
> version is in place? I once saw a listing from semodule -l that included |
| 52 |
> version information but it doesn't happen on my system. |
| 53 |
The policy versions that semodule reports are what the policy_module |
| 54 |
line in the source which was annoying to look up too. newer userspace is |
| 55 |
based off CIL which doesnt have those version numbers at all anymore. |
| 56 |
|
| 57 |
-- Jason |
Archives