From: justinmattock@gmail.com (Justin P. Mattock)
Date: Mon, 24 Jan 2011 12:57:37 -0800
Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()
In-Reply-To: <4D3DE0AE.4050806@gmail.com>
References: <4D372829.5090509@gmail.com> <4D373A36.3050504@tresys.com> <4D373BC5.9080609@gmail.com> <4D3DD360.9090807@gmail.com> <4D3DD428.1090506@gmail.com> <4D3DE0AE.4050806@gmail.com>
Message-ID: <4D3DE7C1.2080001@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/24/2011 12:27 PM, Dominick Grift wrote:
> On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
>> On 01/24/11 11:30, Justin P. Mattock wrote:
>>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>>
>>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>>> scontext=system_u:system_r:init_t:s0
>>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>>> [cut]
>>>>>> when using audit2allow I get:
>>>>>>
>>>>>> allow init_t self:capability2 syslog;
>>>>>>
>>>>>> which gives an error when trying to install the module, due to the
>>>>>> policy not knowing what capability2 is
>>>>>>
>>>>>> system is ubuntu maverick, if this is already in(refpolicy) then I'll
>>>>>> pull the latest when I get a chance..
>>>>>
>>>>> Support for this capability is upstream in refpolicy.
>>>>>
>>>>
>>>
>>>
>>> well... after building and trying to install, seems I need to do this:
>>>
>
> instead add this to policy/modules/services/apm.te:
>
> domain_mmap_low(apmd_t)
>

just added this, and now I can build all the way through...

> and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
> needed
>
> note though that toggling this boolean also allows wine and
> "whatsitsname" to mmap low.
>

not sure.. this was hitting on a fresh build of the policy no modules or avc's being added yet(stock policy)

>>> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001 >>> From: Justin P. Mattock >>> Date: Mon, 24 Jan 2011 11:13:31 -0800 >>> Subject: [PATCH] modified: policy/modules/kernel/domain.te >>> >>> Signed-off-by: Justin P. Mattock >>> >>> >>> diff --git a/policy/modules/kernel/domain.te >>> b/policy/modules/kernel/domain.te >>> index bc534c1..77c363b 100644 >>> --- a/policy/modules/kernel/domain.te >>> +++ b/policy/modules/kernel/domain.te
>>> @@ -24,7 +24,8 @@ attribute unconfined_domain_type; >>> >>> # Domains that can mmap low memory. >>> attribute mmap_low_domain_type; >>> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; >>> +#neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; >>> >>> # Domains that can set their current context >>> # (perform dynamic transitions)
>>
>> Oops.. forgot to post the error:
>>
>> pp -i /usr/share/selinux/mcs/xprint.pp -i
>> /usr/share/selinux/mcs/xscreensaver.pp -i
>> /usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i
>> /usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i
>> /usr/share/selinux/mcs/zosremote.pp
>> libsepol.check_assertion_helper: neverallow violated by allow apmd_t
>> apmd_t:memprotect { mmap_zero };
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule: Failed!
>> make: *** [load] Error 1
>>
>>
>> Justin P. Mattock
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>

Justin P. Mattock
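
Review bot: Commenting out the neverallow in policy/modules/kernel/domain.te drops the assertion for every domain, not only apmd_t, so any later allow of self:memprotect mmap_zero to a domain outside mmap_low_domain_type will build and load without complaint. The error quoted in the thread names a single offender (allow apmd_t apmd_t:memprotect { mmap_zero }), so keep the line "neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;" and handle apmd_t in policy/modules/services/apm.te with domain_mmap_low(apmd_t), as suggested in the reply. The commit message only says "modified: policy/modules/kernel/domain.te" and should state which assertion failed and why the change is needed.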
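
Added example, not part of the original thread and not refpolicy or libsepol code: a toy Python model of the neverallow assertion that made semodule fail above, showing why the apmd_t rule trips it and why the attribute clears it. The attribute tables are constructed, and it assumes domain_mmap_low(apmd_t) places apmd_t in mmap_low_domain_type.

```python
# Toy model of the assertion check that failed at "make load" in this thread.
# Not libsepol code; attribute membership below is a constructed sample.

def expand(names, attrs):
    """Resolve type/attribute names ('-x' subtracts) to a set of types."""
    included, excluded = set(), set()
    for name in names:
        bucket = excluded if name.startswith("-") else included
        name = name.lstrip("-")
        bucket |= attrs.get(name, {name})  # a plain type expands to itself
    return included - excluded

def neverallow_violations(rule, allows, attrs):
    """Return the allow rules forbidden by (sources, target, class, perms)."""
    sources, target, tclass, perms = rule
    src_types = expand(sources, attrs)
    hits = []
    for src, tgt, cls, perm in allows:
        if target == "self":
            tgt_match = tgt == src
        else:
            tgt_match = tgt in expand([target], attrs)
        if src in src_types and tgt_match and cls == tclass and perm in perms:
            hits.append(f"allow {src} {tgt}:{cls} {{ {perm} }};")
    return hits

# neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
RULE = (["domain", "-mmap_low_domain_type"], "self", "memprotect", {"mmap_zero"})

ALLOWS = [
    ("apmd_t", "apmd_t", "memprotect", "mmap_zero"),  # rule named in the error
    ("init_t", "init_t", "capability2", "syslog"),    # audit2allow output above
]

def attrs(apmd_has_attribute):
    """Constructed attribute table; the flag models domain_mmap_low(apmd_t)
    under the assumption that it assigns mmap_low_domain_type."""
    low = {"apmd_t"} if apmd_has_attribute else set()
    return {"domain": {"apmd_t", "init_t"}, "mmap_low_domain_type": low}

if __name__ == "__main__":
    print("stock:", neverallow_violations(RULE, ALLOWS, attrs(False)))
    print("with attribute:", neverallow_violations(RULE, ALLOWS, attrs(True)))
```

In both runs the neverallow itself stays in place; only the attribute membership of apmd_t changes.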