2011-01-19 18:06:33

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

this is showing up with the latest kernel in enforcing mode..
(I have not updated the policy and/or selinux userspace)

[ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
} for pid=1540 comm="rsyslogd" capability=34
scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=capability2
[ 12.803888] ------------[ cut here ]------------
[ 12.803894] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()
[ 12.803896] Hardware name: iMac9,1
[ 12.803898] Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated and denied).
[ 12.803900] Modules linked in: twofish_generic twofish_x86_64
twofish_common ctr ah4 esp4 authenc uhci_hcd hci_uart rfcomm
lib80211_crypt_tkip nf_nat_irc hidp nf_conntrack_irc wl(P) nf_nat_ftp
l2cap nf_nat nf_conntrack_ipv4 coretemp nf_defrag_ipv4 acpi_cpufreq
mperf appletouch nf_conntrack_ftp nf_conntrack iptable_filter button
uvcvideo processor btusb ip_tables videodev evdev bluetooth x_tables
applesmc i2c_nforce2 firewire_ohci firewire_core forcedeth ohci_hcd ehci_hcd
[ 12.803943] Pid: 1540, comm: rsyslogd Tainted: P 2.6.38-rc1 #5
[ 12.803946] Call Trace:
[ 12.803950] [<ffffffff81060c64>] ? warn_slowpath_common+0x80/0x98
[ 12.803954] [<ffffffff81060d10>] ? warn_slowpath_fmt+0x41/0x43
[ 12.803958] [<ffffffff81062088>] ? do_syslog+0x40d/0x441
[ 12.803963] [<ffffffff811fcc1f>] ? do_raw_spin_lock+0x6b/0x118
[ 12.803968] [<ffffffff81143ca7>] ? kmsg_open+0x17/0x19
[ 12.803972] [<ffffffff8113b01f>] ? proc_reg_open+0xac/0x149
[ 12.803975] [<ffffffff81143c90>] ? kmsg_open+0x0/0x19
[ 12.803979] [<ffffffff81143c78>] ? kmsg_release+0x0/0x18
[ 12.803982] [<ffffffff8113af73>] ? proc_reg_open+0x0/0x149
[ 12.803987] [<ffffffff810f7b2f>] ? __dentry_open+0x15d/0x282
[ 12.803991] [<ffffffff810f7d25>] ? nameidata_to_filp+0x50/0x57
[ 12.803995] [<ffffffff8110336b>] ? finish_open+0x9c/0x1a3
[ 12.803999] [<ffffffff81104964>] ? do_path_lookup+0x66/0x109
[ 12.804015] [<ffffffff81105816>] ? do_filp_open+0x1b6/0x6a4
[ 12.804019] [<ffffffff810f42a8>] ? check_object+0x13b/0x1e8
[ 12.804023] [<ffffffff811fcbab>] ? do_raw_spin_unlock+0x8f/0x98
[ 12.804027] [<ffffffff8110f481>] ? alloc_fd+0x111/0x123
[ 12.804031] [<ffffffff810f7903>] ? do_sys_open+0x5b/0xed
[ 12.804035] [<ffffffff810f79be>] ? sys_open+0x1b/0x1d
[ 12.804039] [<ffffffff8102d092>] ? system_call_fastpath+0x16/0x1b
[ 12.804042] ---[ end trace 03d1aa6aedda8529 ]---

when using audit2allow I get:

allow init_t self:capability2 syslog;

which gives an error when trying to install the module, due to the
policy not knowing what capability2 is

system is ubuntu maverick, if this is already in (refpolicy) then I'll
pull the latest when I get a chance..

Justin P. Mattock
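
An added example (not from the thread, from refpolicy or from audit2allow): a small parser that turns AVC denial records like the one above into the allow rule audit2allow would print, and checks the object class against the classes the installed policy actually defines, so the "policy does not know capability2" failure is caught before semodule refuses the module. The log lines are constructed (the posted record re-joined onto one line, plus a second denial on the 32-bit `capability` class for contrast), and the `OLD_POLICY_CLASSES` set stands in for what a pre-capability2 policy would expose under /sys/fs/selinux/class.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Capability numbers from <linux/capability.h> (subset). Bits 0-31 are checked
# in the SELinux 'capability' class, 32 and above in 'capability2', because an
# access vector holds 32 permissions.
CAP_NAMES: Dict[int, str] = {
    0: "CAP_CHOWN", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the record from the post above re-joined onto one line,
# plus a 'capability'-class denial for contrast.
SAMPLE_LOG = """\
[   12.803882] type=1400 audit(1295457694.801:3): avc:  denied  { syslog } for  pid=1540 comm="rsyslogd" capability=34 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2
type=1400 audit(1295457700.000:4): avc:  denied  { sys_admin } for  pid=1600 comm="apmd" capability=21 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=capability
"""

# Constructed stand-in for the classes a policy built before capability2
# existed would list under /sys/fs/selinux/class (read that directory live).
OLD_POLICY_CLASSES = {"capability", "process", "file", "dir", "memprotect"}


def cap_perm(number: int) -> Tuple[str, str]:
    """capability number -> (SELinux class, permission), e.g. 34 -> ('capability2', 'syslog')."""
    if number not in CAP_NAMES:
        raise ValueError(f"unknown capability number {number}")
    return ("capability" if number < 32 else "capability2"), CAP_NAMES[number][4:].lower()


@dataclass
class Denial:
    perms: List[str]
    tclass: str
    source: str   # type field of scontext
    target: str   # type field of tcontext
    comm: str
    capability: Optional[int]

    def allow_rule(self) -> str:
        """The rule audit2allow would print for this record."""
        target = "self" if self.source == self.target else self.target
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source} {target}:{self.tclass} {perms};"


def _type_of(context: str) -> str:
    return context.split(":")[2]  # user:role:type[:range]


def parse_denial(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(perms=m.group("perms").split(), tclass=fields["tclass"],
                  source=_type_of(fields["scontext"]), target=_type_of(fields["tcontext"]),
                  comm=fields.get("comm", "?"),
                  capability=int(fields["capability"]) if "capability" in fields else None)


def check_denial(d: Denial, known_classes: set) -> List[str]:
    """Reasons the generated rule would fail to load or looks inconsistent."""
    problems = []
    if d.tclass not in known_classes:
        problems.append(f"class '{d.tclass}' not defined by the loaded policy; "
                        "update the policy before loading this rule")
    if d.capability is not None:
        cls, perm = cap_perm(d.capability)
        if cls != d.tclass or perm not in d.perms:
            problems.append(f"capability={d.capability} is {cls}:{perm}, "
                            f"not {d.tclass}:{' '.join(d.perms)}")
    return problems


def process_log(text: str, known_classes: set) -> List[Tuple[str, List[str]]]:
    """(allow rule, problems) for every AVC denial found in the log text."""
    out = []
    for line in text.splitlines():
        d = parse_denial(line)
        if d is not None:
            out.append((d.allow_rule(), check_denial(d, known_classes)))
    return out


if __name__ == "__main__":
    for rule, problems in process_log(SAMPLE_LOG, OLD_POLICY_CLASSES):
        print(rule, *("  ! " + p for p in problems), sep="\n")
```

The class check is the part audit2allow does not do for you: it happily emits `allow init_t self:capability2 syslog;` from the record, and only the later `semodule` step tells you the loaded policy has no such class. Feeding it the class list of the running policy turns that late, opaque failure into a message that says which policy update is needed.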


2011-01-19 19:23:34

by cpebenito

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

On 01/19/11 13:06, Justin P. Mattock wrote:
> this is showing up with the latest kernel in enforcing mode..
> (I have not updated the policy and/or selinux userspace)
>
> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
> } for pid=1540 comm="rsyslogd" capability=34
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=capability2
[cut]
> when using audit2allow I get:
>
> allow init_t self:capability2 syslog;
>
> which gives an error when trying to install the module, due to the
> policy not knowing what capability2 is
>
> system is ubuntu maverick, if this is already in (refpolicy) then I'll
> pull the latest when I get a chance..

Support for this capability is upstream in refpolicy.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-01-19 19:30:13

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

On 01/19/11 11:23, Christopher J. PeBenito wrote:
> On 01/19/11 13:06, Justin P. Mattock wrote:
>> this is showing up with the latest kernel in enforcing mode..
>> (I have not updated the policy and/or selinux userspace)
>>
>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>> } for pid=1540 comm="rsyslogd" capability=34
>> scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
> [cut]
>> when using audit2allow I get:
>>
>> allow init_t self:capability2 syslog;
>>
>> which gives an error when trying to install the module, due to the
>> policy not knowing what capability2 is
>>
>> system is ubuntu maverick, if this is already in (refpolicy) then I'll
>> pull the latest when I get a chance..
>
> Support for this capability is upstream in refpolicy.
>

all right... then I shall pull the latest, and load her up!!

Thanks..

Justin P. Mattock

2011-01-24 19:30:40

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

On 01/19/11 11:30, Justin P. Mattock wrote:
> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>> this is showing up with the latest kernel in enforcing mode..
>>> (I have not updated the policy and/or selinux userspace)
>>>
>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>> } for pid=1540 comm="rsyslogd" capability=34
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>> [cut]
>>> when using audit2allow I get:
>>>
>>> allow init_t self:capability2 syslog;
>>>
>>> which gives an error when trying to install the module, due to the
>>> policy not knowing what capability2 is
>>>
>>> system is ubuntu maverick, if this is already in (refpolicy) then I'll
>>> pull the latest when I get a chance..
>>
>> Support for this capability is upstream in refpolicy.
>>
>


well... after building and trying to install, seems I need to do this:

From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
From: Justin P. Mattock <[email protected]>
Date: Mon, 24 Jan 2011 11:13:31 -0800
Subject: [PATCH] modified: policy/modules/kernel/domain.te

Signed-off-by: Justin P. Mattock <[email protected]>


diff --git a/policy/modules/kernel/domain.te
b/policy/modules/kernel/domain.te
index bc534c1..77c363b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -24,7 +24,8 @@ attribute unconfined_domain_type;

# Domains that can mmap low memory.
attribute mmap_low_domain_type;
-neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

# Domains that can set their current context
# (perform dynamic transitions)
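
Review bot: The `-neverallow`/`+#neverallow` pair in this hunk removes a policy-wide assertion to get past one violating rule, instead of fixing that rule. `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;` is what makes the build reject any domain outside mmap_low_domain_type being granted low-memory mappings (the comment right above it, "Domains that can mmap low memory.", says what the attribute is for); with it commented out, any future `allow X self:memprotect mmap_zero;` in any module links silently. The rule the build actually complained about was `allow apmd_t apmd_t:memprotect { mmap_zero }`, so the change belongs where that rule comes from: either drop that allow, or put apmd_t into mmap_low_domain_type through the interface provided for it, so the assertion still holds for every other domain. Two smaller points: the subject `modified: policy/modules/kernel/domain.te` describes the file, not the reason; the message should quote the libsepol assertion failure being worked around. And the header `@@ -24,7 +24,8 @@` claims one more line on the new side than the hunk shows (one line removed, one added, same context), so the patch as pasted may not apply cleanly.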
--
1.6.5.GIT


in order for the policy to build all the way... is anybody else hitting
this, or is this just me..

Justin P. Mattock

2011-01-24 19:34:00

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

On 01/24/11 11:30, Justin P. Mattock wrote:
> On 01/19/11 11:30, Justin P. Mattock wrote:
>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>> this is showing up with the latest kernel in enforcing mode..
>>>> (I have not updated the policy and/or selinux userspace)
>>>>
>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>> scontext=system_u:system_r:init_t:s0
>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>> [cut]
>>>> when using audit2allow I get:
>>>>
>>>> allow init_t self:capability2 syslog;
>>>>
>>>> which gives an error when trying to install the module, due to the
>>>> policy not knowing what capability2 is
>>>>
>>>> system is ubuntu maverick, if this is already in (refpolicy) then I'll
>>>> pull the latest when I get a chance..
>>>
>>> Support for this capability is upstream in refpolicy.
>>>
>>
>
>
> well... after building and trying to install, seems I need to do this:
>
> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
> From: Justin P. Mattock <[email protected]>
> Date: Mon, 24 Jan 2011 11:13:31 -0800
> Subject: [PATCH] modified: policy/modules/kernel/domain.te
>
> Signed-off-by: Justin P. Mattock <[email protected]>
>
>
> diff --git a/policy/modules/kernel/domain.te
> b/policy/modules/kernel/domain.te
> index bc534c1..77c363b 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -24,7 +24,8 @@ attribute unconfined_domain_type;
>
> # Domains that can mmap low memory.
> attribute mmap_low_domain_type;
> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
> +#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>
> # Domains that can set their current context
> # (perform dynamic transitions)

Oops.. forgot to post the error:

pp -i /usr/share/selinux/mcs/xprint.pp -i
/usr/share/selinux/mcs/xscreensaver.pp -i
/usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i
/usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i
/usr/share/selinux/mcs/zosremote.pp
libsepol.check_assertion_helper: neverallow violated by allow apmd_t
apmd_t:memprotect { mmap_zero };
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
make: *** [load] Error 1


Justin P. Mattock

2011-01-24 20:27:26

by domg472

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()


On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
> On 01/24/11 11:30, Justin P. Mattock wrote:
>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>
>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>> scontext=system_u:system_r:init_t:s0
>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>> [cut]
>>>>> when using audit2allow I get:
>>>>>
>>>>> allow init_t self:capability2 syslog;
>>>>>
>>>>> which gives an error when trying to install the module, due to the
>>>>> policy not knowing what capability2 is
>>>>>
>>>>> system is ubuntu maverick, if this is already in (refpolicy) then I'll
>>>>> pull the latest when I get a chance..
>>>>
>>>> Support for this capability is upstream in refpolicy.
>>>>
>>>
>>
>>
>> well... after building and trying to install, seems I need to do this:
>>

instead add this to policy/modules/services/apm.te:

domain_mmap_low(apmd_t)

and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
needed

note though that toggling this boolean also allows wine and
"whatsitsname" to mmap low.

>> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
>> From: Justin P. Mattock <[email protected]>
>> Date: Mon, 24 Jan 2011 11:13:31 -0800
>> Subject: [PATCH] modified: policy/modules/kernel/domain.te
>>
>> Signed-off-by: Justin P. Mattock <[email protected]>
>>
>>
>> diff --git a/policy/modules/kernel/domain.te
>> b/policy/modules/kernel/domain.te
>> index bc534c1..77c363b 100644
>> --- a/policy/modules/kernel/domain.te
>> +++ b/policy/modules/kernel/domain.te
>> @@ -24,7 +24,8 @@ attribute unconfined_domain_type;
>>
>> # Domains that can mmap low memory.
>> attribute mmap_low_domain_type;
>> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>> +#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>>
>> # Domains that can set their current context
>> # (perform dynamic transitions)
>
> Oops.. forgot to post the error:
>
> pp -i /usr/share/selinux/mcs/xprint.pp -i
> /usr/share/selinux/mcs/xscreensaver.pp -i
> /usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i
> /usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i
> /usr/share/selinux/mcs/zosremote.pp
> libsepol.check_assertion_helper: neverallow violated by allow apmd_t
> apmd_t:memprotect { mmap_zero };
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule: Failed!
> make: *** [load] Error 1
>
>
> Justin P. Mattock
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

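
An added example (not refpolicy or libsepol code): a toy model of the neverallow assertion check libsepol runs when the modules are linked. It shows why `allow apmd_t apmd_t:memprotect mmap_zero;` violates `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;`, and why adding apmd_t to `mmap_low_domain_type`, which is what `domain_mmap_low()` is assumed here to do (with the mmap_zero grant itself gated on the `mmap_low_allowed` boolean), clears the violation while the assertion keeps guarding every other domain, unlike the posted patch that comments the assertion out. The three types, the `wine_t` membership and the stray `init_t` rule are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# allow / neverallow statement: SRC TGT:CLASS PERMS;  SRC, TGT and PERMS may be
# a bare name or a brace set such as { domain -mmap_low_domain_type }.
RULE_RE = re.compile(
    r"^(?P<kind>allow|neverallow)\s+(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s:]+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+);$"
)

SetExpr = Tuple[Set[str], Set[str]]  # (included names, excluded '-' names)


def _split_set(tok: str) -> SetExpr:
    """'{ domain -mmap_low_domain_type }' -> ({'domain'}, {'mmap_low_domain_type'})."""
    words = tok.strip("{}").split()
    return ({w for w in words if not w.startswith("-")},
            {w[1:] for w in words if w.startswith("-")})


@dataclass
class Rule:
    kind: str
    src: SetExpr
    tgt: SetExpr
    self_target: bool  # target written as 'self'
    cls: str
    perms: Set[str]


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {text!r}")
    tgt = m.group("tgt")
    return Rule(m.group("kind"), _split_set(m.group("src")), _split_set(tgt),
                tgt == "self", m.group("cls"), set(m.group("perms").strip("{}").split()))


@dataclass
class Policy:
    attrs: Dict[str, Set[str]] = field(default_factory=dict)  # attribute -> types
    rules: List[Rule] = field(default_factory=list)

    def declare_type(self, t: str, *attributes: str) -> None:
        for a in attributes:
            self.attrs.setdefault(a, set()).add(t)

    def add(self, text: str) -> None:
        self.rules.append(parse_rule(text))

    def expand(self, expr: SetExpr) -> Set[str]:
        """Resolve names to types: a declared attribute expands to its members,
        anything else is a type standing for itself."""
        included, excluded = expr
        out: Set[str] = set()
        for n in included:
            out |= self.attrs.get(n, {n})
        for n in excluded:
            out -= self.attrs.get(n, {n})
        return out

    def check_assertions(self) -> List[str]:
        """Report every (source, target, class, perm) an allow grants that a
        neverallow forbids; messages mimic libsepol.check_assertion_helper."""
        found = []
        for na in [r for r in self.rules if r.kind == "neverallow"]:
            banned_src = self.expand(na.src)
            for al in [r for r in self.rules if r.kind == "allow"]:
                perms = al.perms & na.perms
                if al.cls != na.cls or not perms:
                    continue
                for s in sorted(self.expand(al.src) & banned_src):
                    granted = {s} if al.self_target else self.expand(al.tgt)
                    banned = {s} if na.self_target else self.expand(na.tgt)
                    for t in sorted(granted & banned):
                        found.append(f"neverallow violated by allow {s} {t}:{al.cls} "
                                     f"{{ {' '.join(sorted(perms))} }};")
        return found


def domain_mmap_low(policy: Policy, t: str, mmap_low_allowed: bool = False) -> None:
    """Stand-in for refpolicy's domain_mmap_low() interface (assumption about its
    body): the type joins mmap_low_domain_type, and the mmap_zero grant itself
    only exists when the mmap_low_allowed boolean is on."""
    policy.declare_type(t, "mmap_low_domain_type")
    if mmap_low_allowed:
        policy.add(f"allow {t} self:memprotect mmap_zero;")


def scenario(fix: str, stray_rule: bool = False) -> List[str]:
    """Constructed three-domain policy; returns the assertion failures.
    fix: 'none' (stock assertion + the rule the build choked on),
         'comment_out' (the posted patch), 'interface' (domain_mmap_low(apmd_t)).
    stray_rule adds an unrelated low-mapping grant to init_t."""
    p = Policy()
    for t in ("init_t", "apmd_t", "wine_t"):
        p.declare_type(t, "domain")
    p.declare_type("wine_t", "mmap_low_domain_type")  # constructed legitimate member
    if fix != "comment_out":
        p.add("neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;")
    p.add("allow apmd_t apmd_t:memprotect mmap_zero;")  # the rule libsepol reported
    if fix == "interface":
        domain_mmap_low(p, "apmd_t")
    if stray_rule:
        p.add("allow init_t self:memprotect mmap_zero;")
    return p.check_assertions()


if __name__ == "__main__":
    for fix in ("none", "comment_out", "interface"):
        print(fix, scenario(fix, stray_rule=True) or "no violations")
```

Running it with the stray rule makes the difference between the two fixes visible: with the assertion commented out nothing is reported at all, while with `domain_mmap_low(apmd_t)` the apmd_t rule passes and the init_t grant is still rejected. That is the property a neverallow exists to provide, and the reason the answer to an assertion failure is to reclassify the one domain, not to delete the check.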

2011-01-24 20:57:37

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

On 01/24/2011 12:27 PM, Dominick Grift wrote:
> On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
>> On 01/24/11 11:30, Justin P. Mattock wrote:
>>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>>
>>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>>> scontext=system_u:system_r:init_t:s0
>>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>>> [cut]
>>>>>> when using audit2allow I get:
>>>>>>
>>>>>> allow init_t self:capability2 syslog;
>>>>>>
>>>>>> which gives an error when trying to install the module, due to the
>>>>>> policy not knowing what capability2 is
>>>>>>
>>>>>> system is ubuntu maverick, if this is already in (refpolicy) then I'll
>>>>>> pull the latest when I get a chance..
>>>>>
>>>>> Support for this capability is upstream in refpolicy.
>>>>>
>>>>
>>>
>>>
>>> well... after building and trying to install, seems I need to do this:
>>>
>
> instead add this to policy/modules/services/apm.te:
>
> domain_mmap_low(apmd_t)
>

just added this, and now I can build all the way through...

> and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
> needed
>
> note though that toggling this boolean also allows wine and
> "whatsitsname" to mmap low.
>

not sure.. this was hitting on a fresh build of the policy, no modules or
avc's being added yet (stock policy)

>>> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
>>> From: Justin P. Mattock<[email protected]>
>>> Date: Mon, 24 Jan 2011 11:13:31 -0800
>>> Subject: [PATCH] modified: policy/modules/kernel/domain.te
>>>
>>> Signed-off-by: Justin P. Mattock<[email protected]>
>>>
>>>
>>> diff --git a/policy/modules/kernel/domain.te
>>> b/policy/modules/kernel/domain.te
>>> index bc534c1..77c363b 100644
>>> --- a/policy/modules/kernel/domain.te
>>> +++ b/policy/modules/kernel/domain.te
>>> @@ -24,7 +24,8 @@ attribute unconfined_domain_type;
>>>
>>> # Domains that can mmap low memory.
>>> attribute mmap_low_domain_type;
>>> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>>> +#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>>>
>>> # Domains that can set their current context
>>> # (perform dynamic transitions)
>>
>> Oops.. forgot to post the error:
>>
>> pp -i /usr/share/selinux/mcs/xprint.pp -i
>> /usr/share/selinux/mcs/xscreensaver.pp -i
>> /usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i
>> /usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i
>> /usr/share/selinux/mcs/zosremote.pp
>> libsepol.check_assertion_helper: neverallow violated by allow apmd_t
>> apmd_t:memprotect { mmap_zero };
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule: Failed!
>> make: *** [load] Error 1
>>
>>
>> Justin P. Mattock
>

Justin P. Mattock

2011-01-24 21:03:13

by domg472

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()


On 01/24/2011 09:57 PM, Justin P. Mattock wrote:
> On 01/24/2011 12:27 PM, Dominick Grift wrote:
> On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
>>>> On 01/24/11 11:30, Justin P. Mattock wrote:
>>>>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>>>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>>>>
>>>>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>>>>> scontext=system_u:system_r:init_t:s0
>>>>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>>>>> [cut]
>>>>>>>> when using audit2allow I get:
>>>>>>>>
>>>>>>>> allow init_t self:capability2 syslog;
>>>>>>>>
>>>>>>>> which gives an error when trying to install the module, due to the
>>>>>>>> policy not knowing what capability2 is
>>>>>>>>
>>>>>>>> system is ubuntu maverick, if this is already in (refpolicy) then
>>>>>>>> I'll
>>>>>>>> pull the latest when I get a chance..
>>>>>>>
>>>>>>> Support for this capability is upstream in refpolicy.
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> well... after building and trying to install, seems I need to do this:
>>>>>
>
> instead add this to policy/modules/services/apm.te:
>
> domain_mmap_low(apmd_t)
>
>
>> just added this, and now I can build all the way through...
>
> and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
> needed
>
> note though that toggling this boolean also allows wine and
> "whatsitsname" to mmap low.
>
>
>> not sure.. this was hitting on a fresh build of the policy, no modules or
>> avc's being added yet (stock policy)

stock refpolicy? I am looking at it right now and it has no such rule in
there... so I don't know where this came from.

>
>>>>> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00
>>>>> 2001
>>>>> From: Justin P. Mattock<[email protected]>
>>>>> Date: Mon, 24 Jan 2011 11:13:31 -0800
>>>>> Subject: [PATCH] modified: policy/modules/kernel/domain.te
>>>>>
>>>>> Signed-off-by: Justin P. Mattock<[email protected]>
>>>>>
>>>>>
>>>>> diff --git a/policy/modules/kernel/domain.te
>>>>> b/policy/modules/kernel/domain.te
>>>>> index bc534c1..77c363b 100644
>>>>> --- a/policy/modules/kernel/domain.te
>>>>> +++ b/policy/modules/kernel/domain.te
>>>>> @@ -24,7 +24,8 @@ attribute unconfined_domain_type;
>>>>>
>>>>> # Domains that can mmap low memory.
>>>>> attribute mmap_low_domain_type;
>>>>> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>>>>> +#neverallow { domain -mmap_low_domain_type } self:memprotect
>>>>> mmap_zero;
>>>>>
>>>>> # Domains that can set their current context
>>>>> # (perform dynamic transitions)
>>>>
>>>> Oops.. forgot to post the error:
>>>>
>>>> pp -i /usr/share/selinux/mcs/xprint.pp -i
>>>> /usr/share/selinux/mcs/xscreensaver.pp -i
>>>> /usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i
>>>> /usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i
>>>> /usr/share/selinux/mcs/zosremote.pp
>>>> libsepol.check_assertion_helper: neverallow violated by allow apmd_t
>>>> apmd_t:memprotect { mmap_zero };
>>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>>> /usr/sbin/semodule: Failed!
>>>> make: *** [load] Error 1
>>>>
>>>>
>>>> Justin P. Mattock
>
>>

> Justin P. Mattock


2011-01-24 21:08:03

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()

On 01/24/2011 01:03 PM, Dominick Grift wrote:
> On 01/24/2011 09:57 PM, Justin P. Mattock wrote:
>> On 01/24/2011 12:27 PM, Dominick Grift wrote:
>> On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
>>>>> On 01/24/11 11:30, Justin P. Mattock wrote:
>>>>>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>>>>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>>>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>>>>>
>>>>>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>>>>>> scontext=system_u:system_r:init_t:s0
>>>>>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>>>>>> [cut]
>>>>>>>>> when using audit2allow I get:
>>>>>>>>>
>>>>>>>>> allow init_t self:capability2 syslog;
>>>>>>>>>
>>>>>>>>> which gives an error when trying to install the module, due to the
>>>>>>>>> policy not knowing what capability2 is
>>>>>>>>>
>>>>>>>>> system is ubuntu maverick, if this is already in (refpolicy) then
>>>>>>>>> I'll
>>>>>>>>> pull the latest when I get a chance..
>>>>>>>>
>>>>>>>> Support for this capability is upstream in refpolicy.
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> well... after building and trying to install, seems I need to do this:
>>>>>>
>>
>> instead add this to policy/modules/services/apm.te:
>>
>> domain_mmap_low(apmd_t)
>>
>>
>>> just added this, and now I can build all the way through...
>>
>> and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
>> needed
>>
>> note though that toggling this boolean also allows wine and
>> "whatsitsname" to mmap low.
>>
>>
>>> not sure.. this was hitting on a fresh build of the policy, no modules or
>>> avc's being added yet (stock policy)
>
> stock refpolicy? I am looking at it right now and it has no such rule in
> there... so I don't know where this came from.
>

hmm... well I have loaded the policy from Oct (not sure if this is in
there), then with the new policy make install, make load (then I hit it);
maybe some kind of leak or something from the old policy since I have
not rebooted.

Justin P. Mattock

2011-01-24 22:39:36

by Justin P. Mattock

Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()


> stock refpolicy? I am looking at it right now and it has no such rule in
> there... so I don't know where this came from.
>

ahh.. I think I figured it out.. after removing /etc/selinux/policyname
then rebuilding (no commits added etc..) everything builds properly.
(I had an old policy which was causing the conflict)

thanks for the help on this..

Justin P. Mattock