From: domg472@gmail.com (Dominick Grift)
Date: Mon, 24 Jan 2011 22:03:13 +0100
Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()
In-Reply-To: <4D3DE7C1.2080001@gmail.com>
References: <4D372829.5090509@gmail.com> <4D373A36.3050504@tresys.com> <4D373BC5.9080609@gmail.com> <4D3DD360.9090807@gmail.com> <4D3DD428.1090506@gmail.com> <4D3DE0AE.4050806@gmail.com> <4D3DE7C1.2080001@gmail.com>
Message-ID: <4D3DE911.7040401@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/24/2011 09:57 PM, Justin P. Mattock wrote:
> On 01/24/2011 12:27 PM, Dominick Grift wrote:
> On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
>>>> On 01/24/11 11:30, Justin P. Mattock wrote:
>>>>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>>>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>>>>
>>>>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>>>>> scontext=system_u:system_r:init_t:s0
>>>>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>>>>> [cut]
>>>>>>>> when using audit2allow I get:
>>>>>>>>
>>>>>>>> allow init_t self:capability2 syslog;
>>>>>>>>
>>>>>>>> which gives an error when trying to install the module, due to the
>>>>>>>> policy not knowing what capability2 is
>>>>>>>>
>>>>>>>> system is ubuntu maverick, if this is already in (refpolicy) then
>>>>>>>> I'll pull the latest when I get a chance..
>>>>>>>
>>>>>>> Support for this capability is upstream in refpolicy.
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> well... after building and trying to install, seems I need to do this:
>>>>>
> > instead add this to policy/modules/services/apm.te:
> > domain_mmap_low(apmd_t)
> >
>> just added this, and now I can build all the way through...
> > and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
> needed
> > note though that toggling this boolean also allows wine and
> "whatsitsname" to mmap low.
> >
>> not sure.. this was hitting on a fresh build of the policy no modules or
>> avc's being added yet (stock policy)

stock refpolicy? I am looking at it right now and it has no such rule in there... so I don't know where this came from.

>>>>> From dae5d4d75ab5db99fde09a67f9a1df240f85fbdd Mon Sep 17 00:00:00 2001
>>>>> From: Justin P. Mattock
>>>>> Date: Mon, 24 Jan 2011 11:13:31 -0800
>>>>> Subject: [PATCH] modified: policy/modules/kernel/domain.te
>>>>>
>>>>> Signed-off-by: Justin P. Mattock
>>>>>
>>>>>
>>>>> diff --git a/policy/modules/kernel/domain.te
>>>>> b/policy/modules/kernel/domain.te
>>>>> index bc534c1..77c363b 100644
>>>>> --- a/policy/modules/kernel/domain.te
>>>>> +++ b/policy/modules/kernel/domain.te
>>>>> @@ -24,7 +24,8 @@ attribute unconfined_domain_type;
>>>>>
>>>>> # Domains that can mmap low memory.
>>>>> attribute mmap_low_domain_type;
>>>>> -neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
>>>>> +#neverallow { domain -mmap_low_domain_type } self:memprotect
>>>>> mmap_zero;
>>>>>
>>>>> # Domains that can set their current context
>>>>> # (perform dynamic transitions)
>>>>
>>>> Oops.. forgot to post the error:
>>>>
>>>> pp -i /usr/share/selinux/mcs/xprint.pp -i
>>>> /usr/share/selinux/mcs/xscreensaver.pp -i
>>>> /usr/share/selinux/mcs/xserver.pp -i /usr/share/selinux/mcs/yam.pp -i
>>>> /usr/share/selinux/mcs/zabbix.pp -i /usr/share/selinux/mcs/zebra.pp -i
>>>> /usr/share/selinux/mcs/zosremote.pp
>>>> libsepol.check_assertion_helper: neverallow violated by allow apmd_t
>>>> apmd_t:memprotect { mmap_zero };
>>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>>> /usr/sbin/semodule: Failed!
>>>> make: *** [load] Error 1
>>>>
>>>>
>>>> Justin P. Mattock
>>>> _______________________________________________
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>
> Justin P. Mattock

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk096REACgkQMlxVo39jgT/vrQCdEtZJ9sA0mRXHQCbkqODL6UIc
NyQAniSYMHfKeRt3sTv1EwwzPpQOi0oT
=OU1v
-----END PGP SIGNATURE-----
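Review bot: Commenting out the neverallow in this hunk removes a policy-wide assertion (no domain outside mmap_low_domain_type may get memprotect mmap_zero on itself) to silence a single violation by apmd_t; the assertion exists precisely so that a domain obtains that permission only by being added to mmap_low_domain_type, which is what the `domain_mmap_low(apmd_t)` call in apm.te suggested elsewhere in this thread does, so the hunk should be dropped in favour of that change. Also, the header `@@ -24,7 +24,8 @@` says one line was removed and two added, but only one `+` line is visible and `mmap_zero;` trails on a line of its own; if that is really a second line rather than mail-client wrapping, it is a bare token outside the `#` comment and the module will not compile.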
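As an added illustration (not code from this thread, refpolicy or libsepol) of why dropping the neverallow is the wrong fix, here is a small Python model of the assertion check libsepol performs when a module is expanded, run against a constructed policy that contains the rules named above. The attribute memberships, the `wine_t` stand-in domain and the helpers `stock_policy`, `domain_mmap_low` and `apply_patch` are assumptions of this example; the real `domain_mmap_low()` interface also wraps its allow rule in the `mmap_low_allowed` tunable, which is omitted here because assertion checking sees conditional rules regardless of the boolean's state.

```python
"""Toy model of libsepol's neverallow assertion check (constructed example,
not refpolicy or libsepol code)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    attributes: dict = field(default_factory=dict)   # attribute -> set of types
    allows: set = field(default_factory=set)         # (src, tgt, class, perm), self resolved
    neverallows: list = field(default_factory=list)  # (src_expr, tgt_expr, class, perm)


def resolve(name, attributes):
    """An attribute name stands for every type carrying it; a bare type for itself."""
    return set(attributes.get(name, {name}))


def expand_expr(expr, attributes):
    """Expand '{ a -b }' or 'a' into the set of types it denotes (positives minus negatives)."""
    included, excluded = set(), set()
    for tok in expr.strip().strip("{}").split():
        if tok.startswith("-"):
            excluded |= resolve(tok[1:], attributes)
        else:
            included |= resolve(tok, attributes)
    return included - excluded


def check_neverallows(policy):
    """Return libsepol-style messages for every allow rule that a neverallow forbids."""
    violations = []
    for src_expr, tgt_expr, cls, perm in policy.neverallows:
        sources = expand_expr(src_expr, policy.attributes)
        for s, t, c, p in sorted(policy.allows):
            if c != cls or p != perm or s not in sources:
                continue
            targets = {s} if tgt_expr == "self" else expand_expr(tgt_expr, policy.attributes)
            if t in targets:
                violations.append(f"neverallow violated by allow {s} {t}:{c} {{ {p} }};")
    return violations


def stock_policy():
    """Constructed stand-in for the state in the thread: apmd_t is a domain that
    has mmap_zero on itself but is not in mmap_low_domain_type."""
    p = Policy()
    p.attributes["domain"] = {"init_t", "apmd_t", "wine_t"}
    p.attributes["mmap_low_domain_type"] = {"wine_t"}
    p.allows.add(("apmd_t", "apmd_t", "memprotect", "mmap_zero"))
    p.allows.add(("wine_t", "wine_t", "memprotect", "mmap_zero"))
    p.neverallows.append(("{ domain -mmap_low_domain_type }", "self", "memprotect", "mmap_zero"))
    return p


def domain_mmap_low(policy, dom):
    """Mimic the effect of refpolicy's domain_mmap_low(): put the domain in the
    attribute the neverallow carves out, and grant the permission (assumption:
    the tunable_policy wrapper of the real interface is left out)."""
    policy.attributes.setdefault("mmap_low_domain_type", set()).add(dom)
    policy.allows.add((dom, dom, "memprotect", "mmap_zero"))


def apply_patch(policy):
    """What the quoted patch does: the neverallow is commented out entirely."""
    policy.neverallows = []


if __name__ == "__main__":
    stock = stock_policy()
    print("stock:", check_neverallows(stock))

    fixed = stock_policy()
    domain_mmap_low(fixed, "apmd_t")
    print("with domain_mmap_low(apmd_t):", check_neverallows(fixed))

    # The patch also silences the error, but now nothing stops any other domain.
    patched = stock_policy()
    apply_patch(patched)
    patched.allows.add(("init_t", "init_t", "memprotect", "mmap_zero"))
    print("patched, init_t also granted mmap_zero:", check_neverallows(patched))
```

The stock scenario reproduces the `libsepol.check_assertion_helper` line from the thread; adding apmd_t to the attribute clears it while keeping the assertion in force, whereas the patched policy stays silent even when an unrelated domain such as init_t is handed the same permission.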