On Thu, Nov 24, 2016 at 09:13:35PM +0000, Robert Sharp wrote:
> On 24/11/16 17:07, Jason Zaman wrote:
> > That warning is harmless, I'll remove the line from the policy later.
> > For now ignore it or manually remove the line to silence the warning.
> > http://blog.perfinion.com/2016/10/selinux-userspace-26-released/
> 
> Sorry Jason, but I am not making much progress. I have emerged as you
> suggested with the 20151208-r6 versions (and setools4). When I repeat
> the search for portage_sandbox I get the same results as before:

OH! I just looked harder at my configs, I do have this locally on my
laptop:
allow portage_sandbox_t portage_tmp_t:dir { relabelfrom relabelto };
I hadn't added it to the policies yet though. I forgot why I needed it :(.
Do all packages fail without it or only some?
I will add it to the next policy release, I guess it was my fault all
along :-P, sorry about that.

> # sesearch -s portage_sandbox_t -t portage_tmp_t -A
> allow portage_sandbox_t non_auth_file_type:dir { search read lock
> getattr ioctl open };
> allow portage_sandbox_t non_auth_file_type:file { read lock ioctl open
> getattr };
> allow portage_sandbox_t non_auth_file_type:lnk_file { read getattr };
> allow portage_sandbox_t portage_tmp_t:dir { rename search setattr read
> lock create reparent getattr write ioctl link rmdir remove_name unlink
> open add_name };
> allow portage_sandbox_t portage_tmp_t:fifo_file { rename setattr read
> lock create getattr write ioctl link unlink open append };
> allow portage_sandbox_t portage_tmp_t:file { rename execute setattr read
> lock create getattr execute_no_trans write relabelfrom ioctl link
> relabelto unlink open append };
> allow portage_sandbox_t portage_tmp_t:lnk_file { rename setattr read
> lock create getattr write ioctl link unlink };
> allow portage_sandbox_t portage_tmp_t:sock_file { rename setattr read
> lock create getattr write ioctl link unlink open append };
> 
> There is still no relabelto/from in the dir rule. I am not sure the
> module rebuild worked. I tried the semodule -B again with -v and it all
> happens rather quickly:
> 
> # semodule -B -v
> Committing changes:
> libsemanage.add_user: user system_u not in password file
> Ok: transaction number 0.
> 
> Doesn't seem like it spent long rebuilding all those policies, but then
> I wouldn't know if it is supposed to be quick?
> 
> Also, there doesn't seem to be a very easy way to confirm what policy
> version is in place? I once saw a listing from semodule -l that included
> version information but it doesn't happen on my system.

The policy versions that semodule reports are whatever the policy_module
line in the source says, which was annoying to look up too. Newer userspace is
based off CIL, which doesn't have those version numbers at all anymore.

-- Jason
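As an added example (not from this thread or the Gentoo policy), a script that ships the dir rule Jason quotes as a local CIL module and then confirms with sesearch that the active policy actually carries relabelfrom/relabelto, which is the check Robert was missing. It assumes a CIL-based userspace (2.4 or newer), root for semodule, and the module name and path are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Installs the missing rule as a local
# CIL module and verifies it against the live policy instead of judging by
# how fast semodule -B returned. Module name and path are assumptions.
set -eu

MODULE_NAME="local_portage_sandbox"      # assumed name
MODULE_FILE="/tmp/${MODULE_NAME}.cil"    # assumed path

# CIL form of: allow portage_sandbox_t portage_tmp_t:dir { relabelfrom relabelto };
write_module() {
    cat <<'EOF'
(allow portage_sandbox_t portage_tmp_t (dir (relabelfrom relabelto)))
EOF
}

# Read sesearch -A output on stdin; exit 0 only if the dir rule for this
# source/target pair grants both relabelfrom and relabelto. sesearch
# prints one rule per line (the mail quoting above wrapped them).
dir_rule_has_relabel() {
    awk '/^allow portage_sandbox_t portage_tmp_t:dir / && /relabelfrom/ && /relabelto/ { found = 1 }
         END { exit !found }'
}

# Install the module (root required) and verify against the active policy.
install_and_verify() {
    write_module > "$MODULE_FILE"
    semodule -i "$MODULE_FILE"
    if sesearch -s portage_sandbox_t -t portage_tmp_t -c dir -A | dir_rule_has_relabel; then
        echo "ok: relabelfrom/relabelto present on portage_tmp_t:dir"
    else
        echo "missing: rule not in active policy" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked, so the functions can be
# sourced and checked without root.
if [ "${1:-}" = "install" ]; then
    install_and_verify
fi
```

Run it with `install` as the first argument on the affected host; the checker matches the single-line form sesearch really prints, not the mail-wrapped lines quoted above.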