From: justinmattock@gmail.com (Justin P. Mattock)
Date: Mon, 24 Jan 2011 13:08:03 -0800
Subject: [refpolicy] WARNING: at kernel/printk.c:430 do_syslog+0x40d/0x441()
In-Reply-To: <4D3DE911.7040401@gmail.com>
References: <4D372829.5090509@gmail.com> <4D373A36.3050504@tresys.com> <4D373BC5.9080609@gmail.com> <4D3DD360.9090807@gmail.com> <4D3DD428.1090506@gmail.com> <4D3DE0AE.4050806@gmail.com> <4D3DE7C1.2080001@gmail.com> <4D3DE911.7040401@gmail.com>
Message-ID: <4D3DEA33.6070805@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/24/2011 01:03 PM, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/24/2011 09:57 PM, Justin P. Mattock wrote:
>> On 01/24/2011 12:27 PM, Dominick Grift wrote:
>> On 01/24/2011 08:34 PM, Justin P. Mattock wrote:
>>>>> On 01/24/11 11:30, Justin P. Mattock wrote:
>>>>>> On 01/19/11 11:30, Justin P. Mattock wrote:
>>>>>>> On 01/19/11 11:23, Christopher J. PeBenito wrote:
>>>>>>>> On 01/19/11 13:06, Justin P. Mattock wrote:
>>>>>>>>> this is showing up with the latest kernel in enforcing mode..
>>>>>>>>> (I have not updated the policy and/or selinux userspace)
>>>>>>>>>
>>>>>>>>> [ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog
>>>>>>>>> } for pid=1540 comm="rsyslogd" capability=34
>>>>>>>>> scontext=system_u:system_r:init_t:s0
>>>>>>>>> tcontext=system_u:system_r:init_t:s0 tclass=capability2
>>>>>>>> [cut]
>>>>>>>>> when using audit2allow I get:
>>>>>>>>>
>>>>>>>>> allow init_t self:capability2 syslog;
>>>>>>>>>
>>>>>>>>> which gives an error when trying to install the module, due to the
>>>>>>>>> policy not knowing what capability2 is
>>>>>>>>>
>>>>>>>>> system is ubuntu maverick, if this is already in(refpolicy) then
>>>>>>>>> I'll
>>>>>>>>> pull the latest when I get a chance..
>>>>>>>>
>>>>>>>> Support for this capability is upstream in refpolicy.
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> well... after building and trying to install, seems I need to do this:
>>>>>>
>>
>> instead add this to policy/modules/services/apm.te:
>>
>> domain_mmap_low(apmd_t)
>>
>>
>>> just added this, and now I can build all the way through...
>>
>> and set boolean: mmap_low_allowed to on to allow apmd_t to mmap low if
>> needed
>>
>> note though that toggling this boolean also allows wine and
>> "whatsitsname" to mmap low.
>>
>>
>>> not sure.. this was hitting on a fresh build of the policy no modules or
>>> avc's being added yet(stock policy)
>
> stock refpolicy? i am looking at it right now and it has no such rule in
> there... so i don't know where this came from.
>

hmm... well I have loaded the policy from oct(not sure if this is in there),
then with the new policy make install, make load(then I hit) maybe some kind
of leak or something from the old policy since I have not rebooted

Justin P. Mattock
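
The following is an added example, not part of the original thread and not code from refpolicy or audit2allow: a small Python parser that turns AVC denial records like the one quoted above into `allow` rules and reports object classes that the loaded policy does not define, which is the failure reported for `capability2`. The `known_classes` parameter and the second log record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the denial quoted in the thread
# (unwrapped onto one line); the second is made up to show a non-self target.
SAMPLE_LOG = """\
[ 12.803882] type=1400 audit(1295457694.801:3): avc: denied { syslog } for pid=1540 comm="rsyslogd" capability=34 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2
type=1400 audit(1295457700.100:9): avc: denied { read write } for pid=1601 comm="exampled" name="example.log" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_to_rules(log_text, known_classes=None):
    """Group AVC denials into allow rules.

    known_classes (hypothetical input) is the set of object classes the
    installed policy defines; classes outside it are returned separately,
    because a module using them will fail to install.
    """
    grouped = defaultdict(set)
    unknown = set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src = context_type(m["scon"])
        tgt = context_type(m["tcon"])
        if src == tgt:
            tgt = "self"  # same source and target type, as in the quoted rule
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
        if known_classes is not None and m["tclass"] not in known_classes:
            unknown.add(m["tclass"])
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules, sorted(unknown)

if __name__ == "__main__":
    rules, unknown = denials_to_rules(SAMPLE_LOG, {"file", "capability"})
    print("\n".join(rules))
    print("classes missing from policy:", unknown)
```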