Saturday, December 09, 2006

Debian SE Linux policy bug

checkmodule -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -u local.pp


Save the following policy as local.te, then run the commands above to build and load it. The module makes semodule work correctly and also allows restorecon to access the console on boot.

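module local 1.0;

require {
    class chr_file { read write };
    class fd use;
    type restorecon_t;
    type tmpfs_t;
    type initrc_t;
    type semanage_t;
    role system_r;
};

# Let restorecon read and write the console device node (a chr_file labelled tmpfs_t) on boot.
allow restorecon_t tmpfs_t:chr_file { read write };
# Let semodule (domain semanage_t) use file descriptors opened by initrc_t processes.
allow semanage_t initrc_t:fd use;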
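
As an added illustration (not part of the original post), the sketch below shows how the two allow rules above correspond to AVC denial records, which is the mapping audit2allow automates. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the post): two denials for the
# console, one for an inherited fd, and a line that must be ignored.
SAMPLE_LOG = """\
audit(1165622400.101:3): avc:  denied  { read } for  pid=412 comm="restorecon" name="console" dev=tmpfs ino=1042 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
audit(1165622400.102:4): avc:  denied  { write } for  pid=412 comm="restorecon" name="console" dev=tmpfs ino=1042 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
audit(1165622461.774:9): avc:  denied  { use } for  pid=2210 comm="semodule" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fd
audit(1165622470.000:12): avc:  granted  { load_policy } for  pid=2211 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    # A context is user:role:type[:mls-range]; allow rules are written on types.
    return context.split(":")[2]

def collect_denials(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms, scon, tcon, tclass = m.groups()
            key = (selinux_type(scon), selinux_type(tcon), tclass)
            denied[key].update(perms.split())
    return denied

def fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def allow_rules(log):
    return [f"allow {s} {t}:{c} {fmt(p)};"
            for (s, t, c), p in sorted(collect_denials(log).items())]

def module_source(log, name="local", version="1.0"):
    """Render a .te module: require block derived from the rules, then rules."""
    classes, types = defaultdict(set), set()
    for (s, t, c), p in collect_denials(log).items():
        classes[c] |= p
        types |= {s, t}
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"    class {c} {fmt(p)};" for c, p in sorted(classes.items())]
    lines += [f"    type {t};" for t in sorted(types)]
    return "\n".join(lines + ["};", ""] + allow_rules(log)) + "\n"

if __name__ == "__main__":
    print(module_source(SAMPLE_LOG))
```

Review every generated rule before loading it; a denial can also indicate a mislabelled file rather than a missing permission.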

2 comments:

Anonymous said...

Good, that fixes the first issue I mentioned on the Debian SELinux list (here).

Now, one question: the SELinux stuff in Debian currently seems to assume that all packets must be labeled using iptables and the SECMARK stuff or there will be audit messages for lots of applications using the network. I've solved it for now using the /etc/selinux/refpolicy-targeted/contexts/netfilter_contexts file as a basis, but this seems undocumented. Have I misunderstood something?

Anonymous said...

Hi Russel,
as a Debian SELinux newbie, is this for any policy, targeted or strict? I run strict with enforcing off (until I can figure out the issue with my remaining apps).
cheers,
Kev