From: domg472@gmail.com (Dominick Grift) Date: Mon, 24 Jan 2011 21:27:26 +0100 Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441() In-Reply-To: <4D3DD428.1090506@gmail.com> References: <4D372829.5090509@gmail.com> <4D373A36.3050504@tresys.com> <4D373BC5.9080609@gmail.com> <4D3DD360.9090807@gmail.com> <4D3DD428.1090506@gmail.com> Message-ID: <4D3DE0AE.4050806@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/24/2011 08:34 PM, Justin P. Mattock wrote: > On 01/24/11 11:30, Justin P. Mattock wrote: >> On 01/19/11 11:30, Justin P. Mattock wrote: >>> On 01/19/11 11:23, Christopher J. PeBenito wrote: >>>> On 01/19/11 13:06, Justin P. Mattock wrote: >>>>> this is showing up with the latest kernel in enforcing mode.. >>>>> (I have not update the policy and/or selinux userspace) >>>>> >>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog >>>>> } for pid=1540 comm="rsyslogd" capability=34 >>>>> scontext=system_u:system_r:init_t:s0 >>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2 >>>> [cut] >>>>> when using audit2allow I get: >>>>> >>>>> allow init_t self:capability2 syslog; >>>>> >>>>> which gives an error when trying to install the module, due to the >>>>> policy not knowing what capability2 is >>>>> >>>>> system is ubuntu maverick, if this is already in(refpolicy) then I'll >>>>> pull the latest when I get a chance.. >>>> >>>> Support for this capability is upstream in refpolicy. >>>> >>> >> >> >> well... after building and trying to install, seems I need to do this: >> instead add this to policy/modules/services/apm.te: domain_mmap_low(apmd_t) and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if needed note though that toggling this boolean also allow wine and "whatsitsname" to mmap low. >> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001 >> From: Justin P. Mattock >> Date: Mon, 24 Jan 2011 11:13:31 -0800 >> Subject: [PATCH] modified: policy/modules/kernel/domain.te >> >> Signed-off-by: Justin P. Mattock >> >> >> diff --git a/policy/modules/kernel/domain.te >> b/policy/modules/kernel/domain.te >> index bc534c1..77c363b 100644 >> --- a/policy/modules/kernel/domain.te >> +++ b/policy/modules/kernel/domain.te >> @@ -24,7 +24,8 @@ attribute unconfined_domain_type; >> >> # Domains that can mmap low memory. >> attribute mmap_low_domain_type; >> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; >> +#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; >> >> # Domains that can set their current context >> # (perform dynamic transitions) > > Oops.. forgot to post the error: > > pp -i /usr/share/selinux/mcs/xprint.pp -i > /usr/share/selinux/mcs/xscreensaver.pp -i > /usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i > /usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i > /usr/share/selinux/mcs/zosremote.pp > libsepol.check_assertion_helper: neverallow violated by allow apmd_t > apmd_t:memprotect { mmap_zero }; > libsemanage.semanage_expand_sandbox: Expand module failed > /usr/sbin/semodule: Failed! > make: *** [load] Error 1 > > > Justin P. Mattock > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk094K4ACgkQMlxVo39jgT9FUwCfXmy2cKoTO5Zvte5nzPExQ1Nr LOYAoLcsMPdSEktlPzEKG8FeF3M7LCG4 =cQ5o -----END PGP SIGNATURE-----