Linux Archive > Redhat > Fedora SELinux Support

06-25-2011, 07:57 PM
Mr Dash Four

strange semodule_expand error during linking

I am trying to build a cut-down version of the targeted policy where I
have turned quite a few modules in modules-targeted.conf to "off"
instead of "module" (i.e. no compilation and inclusion in the final
version of the policy). Compilation and linking goes well, though during
the final stage I am getting the following error:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
libsepol.sepol_module_package_read: invalid module in module package (at
section 0)
/usr/bin/semodule_expand: Error in reading package from tmp/test.lnk
make: *** [validate] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.3z0Tfc (%install)

I am using the latest policy for FC15. Any ideas what could be the cause
for this?
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
06-25-2011, 08:16 PM
Dominick Grift

strange semodule_expand error during linking

On 06/25/2011 09:57 PM, Mr Dash Four wrote:

>
> I am using the latest policy for FC15. Any ideas what could be the cause
> for this?

Not sure, but instead of using "off" you may want to just comment out or
remove the modules you don't want built instead.

That might be the issue or might not.

 
06-25-2011, 08:20 PM
Mr Dash Four

strange semodule_expand error during linking

> Not sure but instead of using "off" you may want to just comment out or
> remove the modules you dont want built instead.
>
> That might be the issue or might not
>
I am strictly following what is written at the top of that file: To
prevent a module from being used in policy creation, set the module name
to "off". I'll try what you've suggested though and see if that helps.

 
06-25-2011, 09:24 PM
Mr Dash Four

strange semodule_expand error during linking

> I am strictly following what is written at the top of that file: To
> prevent a module from being used in policy creation, set the module
> name to "off". I'll try what you've suggested though and see if that
> helps.

Nope, same error! If you are willing to see if you get the same error as
me, I have attached 3 patches (I hope the mailing list daemon won't moan
too much!), which I use to compile the standard FC15 policy with.


The first one is applied against the .spec file and the other two need
to be placed in the SOURCES directory as they are applied against the
policy sources at various stages during the actual build. The
compilation passes OK, so does the linking, but I get an error with
semodule_expand. The problem is, I have no idea what this error means!
--- selinux-policy-org.spec 2011-06-14 10:00:30.000000000 +0100
+++ selinux-policy.spec 2011-06-25 22:11:21.436775993 +0100
@@ -25,7 +25,9 @@
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-F15.patch
+Patch1: policy-F15.patch
+Patch2: policy-%{version}-1z.patch
+Patch3: policy-%{version}-2z.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@@ -201,13 +203,18 @@

%prep
%setup -n serefpolicy-%{version} -q
-%patch -p1
+%patch1 -p1
+/usr/bin/patch -p1 --no-backup-if-mismatch --reject-file=- --fuzz=0 -i %{PATCH2}

%install
mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26};do
cp $i selinux_config
done
+
+#very ugly hack
+/usr/bin/patch -p1 --no-backup-if-mismatch --reject-file=- --fuzz=0 -i %{PATCH3}
+
tar zxvf selinux_config/config.tgz
# Build targeted policy
%{__rm} -fR %{buildroot}
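
Review bot: Patch2 gets a `Patch2:` tag in the header hunk but is applied here by hand with `/usr/bin/patch -p1 ... -i %{PATCH2}` rather than with `%patch2 -p1` like the `%patch1 -p1` directly above it; the macro form keeps the two consistent and lets rpmbuild name the patch that failed. Applying Patch3 in %install is explained by its target, selinux_config/modules-targeted.conf, only existing after the `cp $i selinux_config` loop, so the comment should say that instead of `#very ugly hack`. Both invocations pass `--reject-file=-`, which throws away the .rej output, so when a hunk does not apply under `--fuzz=0` nothing is left to show which one it was.
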
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.16.new/policy/modules/kernel/corenetwork.te.in
--- serefpolicy-3.9.16/policy/modules/kernel/corenetwork.te.in 2011-06-25 18:44:40.052773881 +0100
+++ serefpolicy-3.9.16.new/policy/modules/kernel/corenetwork.te.in 2011-06-25 17:21:42.544773039 +0100
@@ -78,196 +87,58 @@
#
type server_packet_t, packet_type, server_packet_type;

-network_port(afs_bos, udp,7007,s0)
-network_port(afs_client, udp,7001,s0)
-network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
-network_port(afs_ka, udp,7004,s0)
-network_port(afs_pt, udp,7002,s0)
-network_port(afs_vl, udp,7003,s0)
+network_port(agent_dash_four, tcp,12370-12385,s0, udp,12370-12385,s0)
network_port(agentx, udp,705,s0, tcp,705,s0)
-network_port(ajaxterm, tcp,8022,s0)
-network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
-network_port(amavisd_recv, tcp,10024,s0)
-network_port(amavisd_send, tcp,10025,s0)
-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
-network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
-network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
-network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
-network_port(boinc, tcp,31416,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
-network_port(certmaster, tcp,51235,s0)
-network_port(chronyd, udp,323,s0)
-network_port(clamd, tcp,3310,s0)
-network_port(clockspeed, udp,4041,s0)
-network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
-network_port(cobbler, tcp,25151,s0)
-network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
-network_port(comsat, udp,512,s0)
-network_port(cvs, tcp,2401,s0, udp,2401,s0)
-network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-network_port(daap, tcp,3689,s0, udp,3689,s0)
-network_port(dbskkd, tcp,1178,s0)
-network_port(dcc, udp,6276,s0, udp,6277,s0)
-network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
-network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
-network_port(dict, tcp,2628,s0)
-network_port(distccd, tcp,3632,s0)
-network_port(dogtag, tcp,7390,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
-network_port(epmap, tcp,135,s0, udp,135,s0)
-network_port(festival, tcp,1314,s0)
-network_port(fingerd, tcp,79,s0)
-network_port(firebird, tcp,3050,s0, udp,3050,s0)
-network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
-network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-network_port(giftd, tcp,1213,s0)
-network_port(git, tcp,9418,s0, udp,9418,s0)
-network_port(gopher, tcp,70,s0, udp,70,s0)
-network_port(gpsd, tcp,2947,s0)
-network_port(hadoop_datanode, tcp,50010,s0)
-network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
-network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
-network_port(i18n_input, tcp,9010,s0)
-network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-network_port(innd, tcp,119,s0)
-network_port(ipmi, udp,623,s0, udp,664,s0)
-network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
-network_port(iscsi, tcp,3260,s0)
-network_port(isns, tcp,3205,s0, udp,3205,s0)
-network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
-network_port(jabber_interserver, tcp,5269,s0)
-network_port(jabber_router, tcp,5347,s0)
-network_port(jboss_management, tcp,4712,s0, udp,4712,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
network_port(kerberos_admin, tcp,749,s0)
network_port(kerberos_password, tcp,464,s0, udp,464,s0)
-network_port(kismet, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
-network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
-network_port(lirc, tcp,8765,s0)
-network_port(luci, tcp,8084,s0)
-network_port(lmtp, tcp,24,s0, udp,24,s0)
-type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-network_port(mail, tcp,2000,s0, tcp,3905,s0)
-network_port(matahari, tcp,49000,s0, udp,49000,s0)
-network_port(memcache, tcp,11211,s0, udp,11211,s0)
-network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-network_port(monopd, tcp,1234,s0)
-network_port(movaz_ssc, tcp,5252,s0)
-network_port(mpd, tcp,6600,s0)
-network_port(msnp, tcp,1863,s0, udp,1863,s0)
-network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-network_port(munin, tcp,4949,s0, udp,4949,s0)
-network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
+network_port(mysqld, tcp,1186,s0, tcp,17406,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
-network_port(nessus, tcp,1241,s0)
-network_port(netport, tcp,3129,s0, udp,3129,s0)
-network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0)
-network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
-network_port(pegasus_http, tcp,5988,s0)
-network_port(pegasus_https, tcp,5989,s0)
-network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
-network_port(pingd, tcp,9125,s0)
-network_port(piranha, tcp,3636,s0)
-network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
-network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
-network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
-network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
-network_port(pki_ra, tcp,12888-12889,s0)
-network_port(pki_tps, tcp,7888-7889,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+network_port(pop, tcp,110,s0, tcp,143,s0, tcp,993,s0, tcp,995,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
-network_port(postfix_policyd, tcp,10031,s0)
-network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
-network_port(prelude, tcp,4690,s0, udp,4690,s0)
-network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
-network_port(printer, tcp,515,s0)
-network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-network_port(puppet, tcp, 8140, s0)
-network_port(pxe, udp,4011,s0)
-network_port(pyzor, udp,24441,s0)
-network_port(radacct, udp,1646,s0, udp,1813,s0)
-network_port(radius, udp,1645,s0, udp,1812,s0)
-network_port(radsec, tcp,2083,s0)
-network_port(razor, tcp,2703,s0)
-network_port(ricci, tcp,11111,s0, udp,11111,s0)
-network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0)
network_port(router, udp,520-521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
-network_port(sap, tcp,9875,s0, udp,9875,s0)
-network_port(sametime, tcp,1533,s0, udp,1533,s0)
-network_port(sieve, tcp,4190,s0)
-network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0)
-network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
+network_port(sip, udp,5060-5065,s0)
+network_port(sip_stun, udp,3478-3479,s0)
+network_port(sip_data, udp,15666-15690,s0)
+network_port(sip_debug, tcp,15691,s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
-network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
-network_port(speech, tcp,8036,s0)
-network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
-network_port(ssh, tcp,22,s0)
-network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
-type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-network_port(swat, tcp,901,s0)
-network_port(sype, tcp,9911,s0, udp,9911,s0)
+network_port(ssh, tcp,822,s0)
network_port(syslogd, udp,514,s0)
-network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
-network_port(tftp, udp,69,s0)
-network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+network_port(tor_client, tcp,9001,s0, tcp,9030,s0, tcp,9040,s0)
+network_port(tor_dir, tcp,9090,s0, tcp,9091,s0)
+network_port(tor_proxy, tcp,9250,s0)
+network_port(tor_ctl, tcp,9251,s0)
network_port(traceroute, udp,64000-64010,s0)
+network_port(trans_server, tcp,22067,s0)
+network_port(trans_server_ctl, tcp,22060,s0)
network_port(transproxy, tcp,8081,s0)
-network_port(ups, tcp,3493,s0)
-type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
-network_port(uucpd, tcp,540,s0)
-network_port(varnishd, tcp,6081-6082,s0)
-network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
-network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900-5999,s0)
-network_port(wccp, udp,2048,s0)
+network_port(upnp, udp,1900,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
-network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
-network_port(xfs, tcp,7100,s0)
-network_port(xserver, tcp,6000-6150,s0)
-network_port(zarafa, tcp,236,s0)
-network_port(zookeeper_client, tcp,2181,s0)
-network_port(zookeeper_election, tcp,3888,s0)
-network_port(zookeeper_leader, tcp,2888,s0)
-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
-network_port(zented, tcp,1229,s0, udp,1229,s0)
-network_port(zope, tcp,8021,s0)
+network_port(xs_dash_four, tcp,22604,s0)

# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
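
Review bot: this hunk deletes the port types behind a large set of corenet_* interfaces (squid, pgpkeyserver, postgresql, xserver, dhcpc, dhcpd, tor and many more), so every module that is still built must stop calling those interfaces or it will not compile; the later hunks do that only for some of them, and privoxy.te below still calls `corenet_tcp_connect_squid_port` and `corenet_tcp_connect_pgpkeyserver_port`. Two edits also change what a running system gets labelled with and deserve a comment in the patch: `network_port(ssh, tcp,822,s0)` replaces tcp/22, so a sshd still listening on 22 now falls under the reserved-port defaults described in the trailing context rather than ssh_port_t, and `mysqld` moves from 3306 to 17406. The `sip` line is removed from its alphabetical slot and re-added after smtp as UDP-only together with the new sip_stun, sip_data and sip_debug types; editing it in place would make the diff smaller and easier to review.
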
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/roles/dbadm.te serefpolicy-3.9.16.new/policy/modules/roles/dbadm.te
--- serefpolicy-3.9.16/policy/modules/roles/dbadm.te 2011-06-25 18:44:40.080773880 +0100
+++ serefpolicy-3.9.16.new/policy/modules/roles/dbadm.te 2011-06-25 16:49:32.972772697 +0100
@@ -57,9 +57,5 @@
')

optional_policy(`
- postgresql_admin(dbadm_t, dbadm_r)
-')
-
-optional_policy(`
sudo_role_template(dbadm, dbadm_r, dbadm_t)
')
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/services/privoxy.te serefpolicy-3.9.16.new/policy/modules/services/privoxy.te
--- serefpolicy-3.9.16/policy/modules/services/privoxy.te 2011-06-25 18:44:40.256773880 +0100
+++ serefpolicy-3.9.16.new/policy/modules/services/privoxy.te 2011-06-25 14:49:23.654771477 +0100
@@ -61,13 +61,13 @@
corenet_tcp_connect_squid_port(privoxy_t)
corenet_tcp_connect_ftp_port(privoxy_t)
corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
-corenet_tcp_connect_tor_port(privoxy_t)
+corenet_tcp_connect_tor_proxy_port(privoxy_t)
corenet_sendrecv_http_cache_client_packets(privoxy _t)
corenet_sendrecv_squid_client_packets(privoxy_t)
corenet_sendrecv_http_cache_server_packets(privoxy _t)
corenet_sendrecv_http_client_packets(privoxy_t)
corenet_sendrecv_ftp_client_packets(privoxy_t)
-corenet_sendrecv_tor_client_packets(privoxy_t)
+corenet_sendrecv_tor_proxy_client_packets(privoxy _t)

dev_read_sysfs(privoxy_t)

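
Review bot: the tor to tor_proxy swap matches the new `network_port(tor_proxy, tcp,9250,s0)`, but `corenet_tcp_connect_squid_port(privoxy_t)`, `corenet_tcp_connect_pgpkeyserver_port(privoxy_t)` and `corenet_sendrecv_squid_client_packets(privoxy_t)` are left in place although the corenetwork.te.in hunk deletes the squid and pgpkeyserver port definitions; if privoxy is still set to `module`, those interfaces no longer exist and the module cannot compile, so either keep the two ports or drop these three lines. The space in `privoxy _t` on the sendrecv lines looks like list-archive line wrapping rather than part of the patch and needs to be undone before the patch is applied from this page.
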
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/services/ssh.te serefpolicy-3.9.16.new/policy/modules/services/ssh.te
--- serefpolicy-3.9.16/policy/modules/services/ssh.te 2011-06-25 18:44:40.304773880 +0100
+++ serefpolicy-3.9.16.new/policy/modules/services/ssh.te 2011-06-25 14:52:06.534771505 +0100
@@ -265,10 +251,6 @@
term_relabelto_all_ptys(sshd_t)
term_use_ptmx(sshd_t)

-# for X forwarding
-corenet_tcp_bind_xserver_port(sshd_t)
-corenet_sendrecv_xserver_server_packets(sshd_t)
-
userdom_read_user_home_content_files(sshd_t)
userdom_read_user_home_content_symlinks(sshd_t)
userdom_manage_tmp_role(system_r, sshd_t)
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/services/tor.te serefpolicy-3.9.16.new/policy/modules/services/tor.te
--- serefpolicy-3.9.16/policy/modules/services/tor.te 2011-06-25 21:59:46.114775874 +0100
+++ serefpolicy-3.9.16.new/policy/modules/services/tor.te 2011-06-25 15:20:01.604771792 +0100
@@ -75,27 +76,7 @@

kernel_read_system_state(tor_t)

-# networking basics
-corenet_all_recvfrom_unlabeled(tor_t)
-corenet_all_recvfrom_netlabel(tor_t)
-corenet_tcp_sendrecv_generic_if(tor_t)
-corenet_udp_sendrecv_generic_if(tor_t)
-corenet_tcp_sendrecv_generic_node(tor_t)
-corenet_udp_sendrecv_generic_node(tor_t)
-corenet_tcp_sendrecv_all_ports(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-corenet_tcp_sendrecv_all_reserved_ports(tor_t)
-corenet_tcp_bind_generic_node(tor_t)
-corenet_udp_bind_generic_node(tor_t)
-corenet_tcp_bind_tor_port(tor_t)
-corenet_udp_bind_dns_port(tor_t)
-corenet_sendrecv_tor_server_packets(tor_t)
-corenet_sendrecv_dns_server_packets(tor_t)
-# TOR will need to connect to various ports
-corenet_tcp_connect_all_ports(tor_t)
-corenet_sendrecv_all_client_packets(tor_t)
-# ... especially including port 80 and other privileged ports
-corenet_tcp_connect_all_reserved_ports(tor_t)
corenet_udp_bind_dns_port(tor_t)

# tor uses crypto and needs random
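
Review bot: this hunk strips all of tor_t's networking basics (recvfrom unlabeled/netlabel, generic interface and node sendrecv, generic node bind, connect to all ports) together with the bind and sendrecv rules for the old tor port, but adds nothing for the new tor_client, tor_dir, tor_proxy and tor_ctl port types declared in corenetwork.te.in; unless that is done in a part of the file not shown (the hunk header's +76 suggests one line was added earlier), the daemon can neither bind 9250/9251 nor make outbound connections under this policy. The surviving `corenet_udp_bind_dns_port(tor_t)` also needs `corenet_udp_bind_generic_node(tor_t)` to be of any use, since a bind requires node_bind on the node as well as name_bind on the port. Removing one of the two duplicate `corenet_udp_bind_dns_port(tor_t)` lines (the other remains as trailing context) is fine.
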
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/system/logging.te serefpolicy-3.9.16.new/policy/modules/system/logging.te
--- serefpolicy-3.9.16/policy/modules/system/logging.te 2011-06-25 18:44:40.361773880 +0100
+++ serefpolicy-3.9.16.new/policy/modules/system/logging.te 2011-06-25 17:27:02.747773088 +0100
@@ -444,13 +444,11 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
-corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)

# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
-corenet_sendrecv_postgresql_client_packets(syslogd _t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)

dev_filetrans(syslogd_t, devlog_t, sock_file)
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/system/sysnetwork.te serefpolicy-3.9.16.new/policy/modules/system/sysnetwork.te
--- serefpolicy-3.9.16/policy/modules/system/sysnetwork.te 2011-06-25 18:44:40.377773880 +0100
+++ serefpolicy-3.9.16.new/policy/modules/system/sysnetwork.te 2011-06-25 17:57:46.950773402 +0100
@@ -116,10 +116,7 @@
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_generic_node(dhcpc_t)
corenet_udp_bind_generic_node(dhcpc_t)
-corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
-corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
-corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
corenet_dontaudit_udp_bind_all_reserved_ports(dhcp c_t)
corenet_udp_bind_all_unreserved_ports(dhcpc_t)

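
Review bot: removing `corenet_udp_bind_dhcpc_port(dhcpc_t)` follows from deleting the dhcpc port type in corenetwork.te.in, but a DHCP client still binds UDP 68, which with no portcon of its own now falls under the reserved-port defaults; the kept `corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)` then silences exactly that denial, so a host that gets its address via DHCP would fail to obtain a lease with no AVC pointing at the cause. If the target hosts use DHCP, keep the dhcpc port and this rule; if they are all statically configured, say so in the patch description.
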
diff --exclude=selinux_config -NurBb serefpolicy-3.9.16/policy/modules/system/userdomain.if serefpolicy-3.9.16.new/policy/modules/system/userdomain.if
--- serefpolicy-3.9.16/policy/modules/system/userdomain.if 2011-06-25 18:44:40.387773880 +0100
+++ serefpolicy-3.9.16.new/policy/modules/system/userdomain.if 2011-06-25 18:25:15.017773683 +0100
@@ -794,13 +794,6 @@
')

optional_policy(`
- tunable_policy(`allow_user_postgresql_connect',`
- postgresql_stream_connect($1_usertype)
- postgresql_tcp_connect($1_usertype)
- ')
- ')
-
- optional_policy(`
resmgr_stream_connect($1_usertype)
')

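
Review bot: dropping the `allow_user_postgresql_connect` tunable block is consistent with removing the postgresql port, but the boolean's own declaration (its gen_tunable) is not touched in the hunks shown, so the boolean would remain in the built policy with no rule referencing it; harmless for the build, but it still appears to administrators as a live setting and should be removed in the same patch.
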
@@ -1186,8 +1179,6 @@

# port access is audited even if dac would not have allowed it, so dontaudit it here
# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t )
- # Need the following rule to allow users to run vpnc
- corenet_tcp_bind_xserver_port($1_t)
corenet_tcp_bind_generic_node($1_usertype)

storage_rw_fuse($1_t)
diff --exclude='*.tgz' -NurBb serefpolicy-3.9.16/selinux_config/modules-targeted.conf serefpolicy-3.9.16.new/selinux_config/modules-targeted.conf
--- serefpolicy-3.9.16/selinux_config/modules-targeted.conf 2011-06-25 19:17:09.909774213 +0100
+++ serefpolicy-3.9.16.new/selinux_config/modules-targeted.conf 2011-06-25 19:28:46.486774332 +0100
@@ -16,21 +16,21 @@
#
# An application to view and modify user accounts information
#
-accountsd = module
+accountsd = off

# Layer: admin
# Module: acct
#
# Berkeley process accounting
#
-acct = module
+acct = off

# Layer: services
# Module: ajaxterm
#
# Web Based Terminal
#
-ajaxterm = module
+ajaxterm = off

# Layer: admin
# Module: alsa
@@ -44,21 +44,21 @@
#
# ada executable
#
-ada = module
+ada = off

# Layer: services
# Module: cachefilesd
#
# CacheFiles userspace management daemon
#
-cachefilesd = module
+cachefilesd = off

# Layer: services
# Module: colord
#
# color device daemon
#
-colord = module
+colord = off

# Layer: apps
# Module: cpufreqselector
@@ -72,14 +72,14 @@
#
# chrome sandbox
#
-chrome = module
+chrome = off

# Layer: module
# Module: awstats
#
# awstats executable
#
-awstats = module
+awstats = off

# Layer: services
# Module: abrt
@@ -93,28 +93,28 @@
#
# SixXS Automatic IPv6 Connectivity Client Utility
#
-aiccu = module
+aiccu = off

# Layer: admin
# Module: amanda
#
# Automated backup program.
#
-amanda = module
+amanda = off

# Layer: services
# Module: afs
#
# Andrew Filesystem server
#
-afs = module
+afs = off

# Layer: services
# Module: amavis
#
# Anti-virus
#
-amavis = module
+amavis = off

# Layer: admin
# Module: anaconda
@@ -128,7 +128,7 @@
#
# Apache web server
#
-apache = module
+apache = off

# Layer: services
# Module: apm
@@ -150,7 +150,7 @@
#
# Ethernet activity monitor.
#
-arpwatch = module
+arpwatch = off

# Layer: services
# Module: audioentropy
@@ -171,7 +171,7 @@
#
# Asterisk IP telephony server
#
-asterisk = module
+asterisk = off

# Layer: services
# Module: automount
@@ -185,56 +185,56 @@
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
#
-avahi = module
+avahi = off

# Layer: services
# Module: boinc
#
# Berkeley Open Infrastructure for Network Computing
#
-boinc = module
+boinc = off

# Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
#
-bind = module
+bind = off

# Layer: services
# Module: bugzilla
#
# Bugzilla server
#
-bugzilla = module
+bugzilla = off

# Layer: services
# Module: dirsrv
#
# An 309 directory server
#
-dirsrv = module
+dirsrv = off

# Layer: services
# Module: dirsrv-admin
#
# An 309 directory admin server
#
-dirsrv-admin = module
+dirsrv-admin = off

# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
#
-dnsmasq = module
+dnsmasq = off

# Layer: services
# Module: bluetooth
#
# Bluetooth tools and system services.
#
-bluetooth = module
+bluetooth = off

# Layer: kernel
# Module: ubac
@@ -256,14 +256,14 @@
#
# Canna - kana-kanji conversion server
#
-canna = module
+canna = off

# Layer: services
# Module: ccs
#
# policy for ccs
#
-ccs = module
+ccs = off

# Layer: apps
# Module: calamaris
@@ -271,77 +271,77 @@
#
# Squid log analysis
#
-calamaris = module
+calamaris = off

# Layer: apps
# Module: cdrecord
#
# Policy for cdrecord
#
-cdrecord = module
+cdrecord = off

# Layer: admin
# Module: certwatch
#
# Digital Certificate Tracking
#
-certwatch = module
+certwatch = off

# Layer: admin
# Module: certmaster
#
# Digital Certificate master
#
-certmaster = module
+certmaster = off

# Layer: services
# Module: certmonger
#
# Certificate status monitor and PKI enrollment client
#
-certmonger = module
+certmonger = off

# Layer: services
# Module: cipe
#
# Encrypted tunnel daemon
#
-cipe = module
+cipe = off

# Layer: services
# Module: chronyd
#
# Daemon for maintaining clock time
#
-chronyd = module
+chronyd = off

# Layer: services
# Module: cobbler
#
# cobbler
#
-cobbler = module
+cobbler = off

# Layer: services
# Module: comsat
#
# Comsat, a biff server.
#
-comsat = module
+comsat = off

# Layer: services
# Module: corosync
#
# Corosync Cluster Engine Executive
#
-corosync = module
+corosync = off

# Layer: services
# Module: clamav
#
# ClamAV Virus Scanner
#
-clamav = module
+clamav = off

# Layer: system
# Module: clock
@@ -355,7 +355,7 @@
#
# ConsoleKit is a system daemon for tracking what users are logged
#
-consolekit = module
+consolekit = off

# Layer: admin
# Module: consoletype
@@ -400,28 +400,28 @@
#
# Common UNIX printing system
#
-cups = module
+cups = off

# Layer: services
# Module: cvs
#
# Concurrent versions system
#
-cvs = module
+cvs = off

# Layer: services
# Module: cyphesis
#
# cyphesis game server
#
-cyphesis = module
+cyphesis = off

# Layer: services
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
#
-cyrus = module
+cyrus = off

# Layer: system
# Module: daemontools
@@ -435,7 +435,7 @@
#
# Dictionary server for the SKK Japanese input method system.
#
-dbskk = module
+dbskk = off

# Layer: services
# Module: dbus
@@ -449,7 +449,7 @@
#
# A distributed, collaborative, spam detection and filtering network.
#
-dcc = module
+dcc = off

# Layer: admin
# Module: ddcprobe
@@ -478,14 +478,14 @@
#
# Dynamic host configuration protocol (DHCP) server
#
-dhcp = module
+dhcp = off

# Layer: services
# Module: dictd
#
# Dictionary daemon
#
-dictd = module
+dictd = off

# Layer: services
# Module: distcc
@@ -521,35 +521,35 @@
#
# DRBD mirrors a block device over the network to another machine.
#
-drbd = module
+drbd = off

# Layer: services
# Module: ddclient
#
# Update dynamic IP address at DynDNS.org
#
-ddclient = module
+ddclient = off

# Layer: services
# Module: dovecot
#
# Dovecot POP and IMAP mail server
#
-dovecot = module
+dovecot = off

# Layer: apps
# Module: gitosis
#
# Policy for gitosis
#
-gitosis = module
+gitosis = off

# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
-gpg = module
+gpg = off

# Layer: services
# Module: gpsd
@@ -557,35 +557,35 @@
# gpsd monitor daemon
#
#
-gpsd = module
+gpsd = off

# Layer: services
# Module: git
#
# Policy for the stupid content tracker
#
-git = module
+git = off

# Layer: services
# Module: gpm
#
# General Purpose Mouse driver
#
-gpm = module
+gpm = off

# Layer: services
# Module: fail2ban
#
# daiemon that bans IP that makes too many password failures
#
-fail2ban = module
+fail2ban = off

# Layer: services
# Module: fetchmail
#
# Remote-mail retrieval and forwarding utility
#
-fetchmail = module
+fetchmail = off

# Layer: kernel
# Module: files
@@ -608,7 +608,7 @@
#
# Finger user information service.
#
-finger = module
+finger = off

# Layer: admin
# Module: firstboot
@@ -630,7 +630,7 @@
#
# finger print server
#
-fprintd = module
+fprintd = off

# Layer: system
# Module: fstools
@@ -644,14 +644,14 @@
#
# File transfer protocol service
#
-ftp = module
+ftp = off

# Layer: apps
# Module: games
#
# The Open Group Pegasus CIM/WBEM Server.
#
-games = module
+games = off

# Layer: system
# Module: getty
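
Review bot: the `games` entry carries the description `The Open Group Pegasus CIM/WBEM Server.`, which is the pegasus text (see the -1255,21 hunk further down); that is an upstream copy-paste error, but since the patch already rewrites this entry it might as well fix the comment.
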
@@ -665,21 +665,21 @@
#
# gnome session and gconf
#
-gnome = module
+gnome = off

# Layer: services
# Module: gnomeclock
#
# gnomeclock used by dbus/polkit to set time
#
-gnomeclock = module
+gnomeclock = off

# Layer: services
# Module: hal
#
# Hardware abstraction layer
#
-hal = module
+hal = off

# Layer: services
# Module: hddtemp
@@ -693,7 +693,7 @@
#
# Passenger
#
-passenger = module
+passenger = off

# Layer: services
# Module: policykit
@@ -707,21 +707,21 @@
#
# A network tool for managing many disparate systems
#
-puppet = module
+puppet = off

# Layer: apps
# Module: ptchown
#
# helper function for grantpt(3), changes ownship and permissions of pseudotty
#
-ptchown = module
+ptchown = off

# Layer: services
# Module: psad
#
# Analyze iptables log for hostile traffic
#
-psad = module
+psad = off

# Layer: system
# Module: hostname
@@ -743,14 +743,14 @@
#
# Port of Apple Rendezvous multicast DNS
#
-howl = module
+howl = off

# Layer: services
# Module: inetd
#
# Internet services daemon.
#
-inetd = module
+inetd = off

# Layer: system
# Module: init
@@ -764,7 +764,7 @@
#
# Internet News NNTP server
#
-inn = module
+inn = off

# Layer: system
# Module: iptables
@@ -785,7 +785,7 @@
#
# IRC client policy
#
-irc = module
+irc = off

# Layer: services
# Module: irqbalance
@@ -799,14 +799,14 @@
#
# Open-iSCSI daemon
#
-iscsi = module
+iscsi = off

# Layer: services
# Module: icecast
#
# ShoutCast compatible streaming media server
#
-icecast = module
+icecast = off

# Layer: services
# Module: i18n_input
@@ -821,14 +821,14 @@
#
# Jabber instant messaging server
#
-jabber = module
+jabber = off

# Layer: apps
# Module: java
#
# java executable
#
-java = module
+java = off

# Layer: apps
# Module: execmem
@@ -878,7 +878,7 @@
#
# KDE Talk daemon
#
-ktalk = module
+ktalk = off

# Layer: admin
# Module: kudzu
@@ -892,14 +892,14 @@
#
# OpenLDAP directory server
#
-ldap = module
+ldap = off

# Layer: services
# Module: likewise
#
# Likewise Active Directory support for UNIX
#
-likewise = module
+likewise = off

# Layer: system
# Module: libraries
@@ -955,14 +955,14 @@
#
# Line printer daemon
#
-lpd = module
+lpd = off

# Layer: services
# Module: lircd
#
# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
#
-lircd = module
+lircd = off

# Layer: system
# Module: lvm
@@ -976,14 +976,14 @@
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
#
-mailman = module
+mailman = off

# Layer: services
# Module: matahari
#
# Matahari system maangement tools
#
-matahari = module
+matahari = off

# Layer: admin
# Module: mcelog
@@ -1005,7 +1005,7 @@
#
# mediawiki
#
-mediawiki = module
+mediawiki = off

# Layer: system
# Module: miscfiles
@@ -1027,14 +1027,14 @@
#
# Policy for mock rpm builder
#
-mock = module
+mock = off

# Layer: services
# Module: mojomojo
#
# Wiki server
#
-mojomojo = module
+mojomojo = off

# Layer: system
# Module: modutils
@@ -1048,7 +1048,7 @@
#
# mono executable
#
-mono = module
+mono = off

# Layer: system
# Module: mount
@@ -1062,56 +1062,56 @@
#
# Policy for Mozilla and related web browsers
#
-mozilla = module
+mozilla = off

# Layer: services
# Module: ntop
#
# Policy for ntop
#
-ntop = module
+ntop = off

# Layer: services
# Module: nslcd
#
# Policy for nslcd
#
-nslcd = module
+nslcd = off

# Layer: apps
# Module: nsplugin
#
# Policy for nspluginwrapper
#
-nsplugin = module
+nsplugin = off

# Layer: services
# Module: modemmanager
#
# Manager for dynamically switching between modems.
#
-modemmanager = module
+modemmanager = off

# Layer: services
# Module: mpd
#
# mpd - daemon for playing music
#
-mpd = module
+mpd = off

# Layer: apps
# Module: mplayer
#
# Policy for Mozilla and related web browsers
#
-mplayer = module
+mplayer = off

# Layer: apps
# Module: gpg
#
# Policy for Mozilla and related web browsers
#
-gpg = module
+gpg = off

# Layer: admin
# Module: mrtg
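Review bot: the description comments for `mplayer` and `gpg` in this hunk both read "Policy for Mozilla and related web browsers", which is the `mozilla` entry's text copied over; since these entries are being edited anyway, the descriptions should say what each module actually covers. The `off` changes themselves are consistent with the rest of the patch.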
@@ -1139,7 +1139,7 @@
#
# policy for nagios Host/service/network monitoring program
#
-nagios = module
+nagios = off

# Layer: admin
# Module: ncftool
@@ -1167,14 +1167,14 @@
#
# Manager for dynamically switching between networks.
#
-networkmanager = module
+networkmanager = off

# Layer: services
# Module: nis
#
# Policy for NIS (YP) servers and clients
#
-nis = module
+nis = off


# Layer: services
@@ -1197,14 +1197,14 @@
#
# nut - Network UPS Tools
#
-nut = module
+nut = off

# Layer: services
# Module: nx
#
# NX Remote Desktop
#
-nx = module
+nx = off


# Layer: services
@@ -1212,14 +1212,14 @@
#
# policy for oddjob
#
-oddjob = module
+oddjob = off

# Layer: services
# Module: openct
#
# Service for handling smart card readers.
#
-openct = off
+openct = module

# Layer: services
# Module: openvpn
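Review bot: `openct` is the only entry in the whole patch that changes from `off` to `module` rather than the other way round (`-openct = off` / `+openct = module`). Confirm this is intentional (the smart card reader service is wanted in the cut-down policy) and not a reversed edit; if it is intentional, it deserves a line in the patch description.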
@@ -1255,21 +1255,21 @@
#
# The Open Group Pegasus CIM/WBEM Server.
#
-pegasus = module
+pegasus = off

# Layer: services
# Module: piranha
#
# piranha - various tools to administer and configure the Linux Virtual Server
#
-piranha = module
+piranha = off

# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
-postgresql = module
+postgresql = off

# Layer: services
# Module: portmap
@@ -1283,21 +1283,21 @@
#
# Postfix email server
#
-postfix = module
+postfix = off

# Layer: services
# Module: postgrey
#
# email scanner
#
-postgrey = module
+postgrey = off

# Layer: services
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
#
-ppp = module
+ppp = off

# Layer: admin
# Module: prelink
@@ -1311,49 +1311,49 @@
#
# Procmail mail delivery agent
#
-procmail = module
+procmail = off

# Layer: services
# Module: privoxy
#
# Privacy enhancing web proxy.
#
-privoxy = module
+privoxy = off

# Layer: services
# Module: publicfile
#
# publicfile supplies files to the public through HTTP and FTP
#
-publicfile = module
+publicfile = off

# Layer: apps
# Module: pulseaudio
#
# The PulseAudio Sound System
#
-pulseaudio = module
+pulseaudio = off

# Layer: services
# Module: pyzor
#
# Spam Blocker
#
-pyzor = module
+pyzor = off

# Layer: services
# Module: qmail
#
# Policy for qmail
#
-qmail = module
+qmail = off

# Layer: services
# Module: qpidd
#
# Policy for qpidd
#
-qpidd = module
+qpidd = off

# Layer: admin
# Module: quota
@@ -1374,21 +1374,21 @@
#
# RADIUS authentication and accounting server.
#
-radius = module
+radius = off

# Layer: services
# Module: radvd
#
# IPv6 router advertisement daemon
#
-radvd = module
+radvd = off

# Layer: services
# Module: razor
#
# A distributed, collaborative, spam detection and filtering network.
#
-razor = module
+razor = off

# Layer: admin
# Module: readahead
@@ -1409,42 +1409,42 @@
#
# RHCS - Red Hat Cluster Suite
#
-rhcs = module
+rhcs = off

# Layer: services
# Module: aisexec
#
# RHCS - Red Hat Cluster Suite
#
-aisexec = module
+aisexec = off

# Layer: services
# Module: rgmanager
#
# rgmanager
#
-rgmanager = module
+rgmanager = off

# Layer: services
# Module: clogd
#
# clogd - clustered mirror log server
#
-clogd = module
+clogd = off

# Layer: services
# Module: cmirrord
#
# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
#
-cmirrord = module
+cmirrord = off

# Layer: services
# Module: rhgb
#
# X windows login display manager
#
-rhgb = module
+rhgb = off

# Layer: services
# Module: rdisc
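Review bot: the `rhgb` description in this hunk, "X windows login display manager", is the same text as the `xserver` entry further down and does not describe rhgb; the `cmirrord` description also carries typos ("device-mapper-base", "shared-storege"). Worth correcting while these lines are touched.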
@@ -1465,21 +1465,21 @@
#
# policy for ricci
#
-ricci = module
+ricci = off

# Layer: services
# Module: rlogin
#
# Remote login daemon
#
-rlogin = module
+rlogin = off

# Layer: services
# Module: roundup
#
# Roundup Issue Tracking System policy
#
-roundup = module
+roundup = off

# Layer: services
# Module: rpc
@@ -1501,21 +1501,21 @@
#
# Remote shell service.
#
-rshd = module
+rshd = off

# Layer: services
# Module: rsync
#
# Fast incremental file transfer for synchronization
#
-rsync = module
+rsync = off

# Layer: services
# Module: rtkit
#
# Real Time Kit Daemon
#
-rtkit = module
+rtkit = off

# Layer: services
# Module: rwho
@@ -1531,21 +1531,21 @@
# name Service Switch daemon for resolving names
# from Windows NT servers.
#
-samba = module
+samba = off

# Layer: apps
# Module: sandbox
#
# Experimental policy for running apps within a sandbox
#
-sandbox = module
+sandbox = off

# Layer: apps
# Module: sambagui
#
# policy for system-config-samba
#
-sambagui = module
+sambagui = off

# Layer: services
# Module: sasl
@@ -1638,7 +1638,7 @@
#
# Update database for mlocate
#
-slocate = module
+slocate = off

# Layer: services
# Module: smartmon
@@ -1652,7 +1652,7 @@
#
# Latency Logging and Graphing System
#
-smokeping = module
+smokeping = off

# Layer: admin
# Module: smoltclient
@@ -1666,21 +1666,21 @@
#
# Simple network management protocol services
#
-snmp = module
+snmp = off

# Layer: services
# Module: spamassassin
#
# Filter used for removing unsolicited email.
#
-spamassassin = module
+spamassassin = off

# Layer: services
# Module: squid
#
# Squid caching http proxy server
#
-squid = module
+squid = off

# Layer: services
# Module: ssh
@@ -1708,7 +1708,7 @@
#
# SSL Tunneling Proxy
#
-stunnel = module
+stunnel = off

# Layer: admin
# Module: su
@@ -1744,28 +1744,28 @@
#
# Policy for sysstat. Reports on various system states
#
-sysstat = module
+sysstat = off

# Layer: services
# Module: tcpd
#
# Policy for TCP daemon.
#
-tcpd = module
+tcpd = off

# Layer: services
# Module: tcsd
#
# tcsd - daemon that manages Trusted Computing resources
#
-tcsd = module
+tcsd = off

# Layer: services
# Module: tgtd
#
# Linux Target Framework Daemon.
#
-tgtd = module
+tgtd = off

# Layer: system
# Module: udev
@@ -1779,7 +1779,7 @@
#
# Daemon for communicating with Apple's iPod Touch and iPhone
#
-usbmuxd = module
+usbmuxd = off

# Layer: system
# Module: userdomain
@@ -1808,49 +1808,49 @@
#
# netfilter/iptables ULOG daemon
#
-ulogd = module
+ulogd = off

# Layer: services
# Module: vdagent
#
# vdagent
#
-vdagent = module
+vdagent = off

# Layer: services
# Module: vhostmd
#
# vhostmd - spice guest agent daemon.
#
-vhostmd = module
+vhostmd = off

# Layer: apps
# Module: vhostmd
#
# vlock - Virtual Console lock program
#
-vlock = module
+vlock = off

# Layer: apps
# Module: wine
#
# wine executable
#
-wine = module
+wine = off

# Layer: apps
# Module: wireshark
#
# wireshark executable
#
-wireshark = module
+wireshark = off

# Layer: apps
# Module: telepathy
#
# telepathy - Policy for Telepathy framework
#
-telepathy = module
+telepathy = off

# Layer: admin
# Module: tzdata
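Review bot: the `# Module:` header above the `vlock` entry reads `vhostmd`, repeating the header of the preceding entry, so the comment block and the key disagree; correct it to `vlock` while this entry is being changed.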
@@ -1878,14 +1878,14 @@
#
# tvtime - a high quality television application
#
-tvtime = module
+tvtime = off

# Layer: apps
# Module: uml
#
# Policy for UML
#
-uml = module
+uml = off

# Layer: admin
# Module: usbmodules
@@ -1899,42 +1899,42 @@
#
# User network interface configuration helper
#
-usernetctl = module
+usernetctl = off

# Layer: system
# Module: xen
#
# virtualization software
#
-xen = module
+xen = off

# Layer: services
# Module: varnishd
#
# Varnishd http accelerator daemon
#
-varnishd = module
+varnishd = off

# Layer: services
# Module: virt
#
# Virtualization libraries
#
-virt = module
+virt = off

# Layer: services
# Module: vnstatd
#
# Network traffic Monitor
#
-vnstatd = module
+vnstatd = off

# Layer: apps
# Module: qemu
#
# Virtualization emulator
#
-qemu = module
+qemu = off

# Layer: system
# Module: brctl
@@ -1948,7 +1948,7 @@
#
# Telnet daemon
#
-telnet = module
+telnet = off

# Layer: services
# Module: timidity
@@ -1962,21 +1962,21 @@
#
# Trivial file transfer protocol daemon
#
-tftp = module
+tftp = off

# Layer: services
# Module: tuned
#
# Dynamic adaptive system tuning daemon
#
-tuned = module
+tuned = off

# Layer: services
# Module: uucp
#
# Unix to Unix Copy
#
-uucp = module
+uucp = off

# Layer: services
# Module: vbetool
@@ -1990,35 +1990,35 @@
#
# Web server log analysis
#
-webalizer = module
+webalizer = off

# Layer: services
# Module: xfs
#
# X Windows Font Server
#
-xfs = module
+xfs = off

# Layer: services
# Module: xserver
#
# X windows login display manager
#
-xserver = module
+xserver = off

# Layer: services
# Module: zarafa
#
# Zarafa Collaboration Platform
#
-zarafa = module
+zarafa = off

# Layer: services
# Module: zebra
#
# Zebra border gateway protocol network routing service
#
-zebra = module
+zebra = off

# Layer: admin
# Module: usermanage
@@ -2075,28 +2075,28 @@
#
# Open-source monitoring solution for your IT infrastructure
#
-zabbix = module
+zabbix = off

# Layer: services
# Module: apcupsd
#
# daemon for most APCâ??s UPS for Linux
#
-apcupsd = module
+apcupsd = off

# Layer: services
# Module: aide
#
# Policy for aide
#
-aide = module
+aide = off

# Layer: services
# Module: w3c
#
# w3c
#
-w3c = module
+w3c = off

# Layer: services
# Module: plymouthd
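Review bot: the `apcupsd` description contains a mis-encoded apostrophe (`APCâ??s`); replace it with a plain ASCII apostrophe so the file stays readable in any locale, since this entry is being edited anyway.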
@@ -2110,7 +2110,7 @@
#
# reserve ports to prevent portmap mapping them
#
-portreserve = module
+portreserve = off

# Layer: services
# Module: rpcbind
@@ -2131,14 +2131,14 @@
#
# VMWare Workstation virtual machines
#
-vmware = module
+vmware = off

# Layer: role
# Module: dbadm
#
# Minimally prived root role for managing databases
#
-dbadm = module
+dbadm = off

# Layer: role
# Module: logadm
@@ -2152,7 +2152,7 @@
#
# Minimally prived root role for managing apache
#
-webadm = module
+webadm = off

#
# Layer: services
@@ -2160,7 +2160,7 @@
#
# exim mail server
#
-exim = module
+exim = off


# Layer: services
@@ -2168,35 +2168,35 @@
#
# Wireless sniffing and monitoring
#
-kismet = module
+kismet = off

# Layer: services
# Module: munin
#
# Munin
#
-munin = module
+munin = off

# Layer: services
# Module: bitlbee
#
# An IRC to other chat networks gateway
#
-bitlbee = module
+bitlbee = off

# Layer: admin
# Module: sosreport
#
# sosreport debuggin information generator
#
-sosreport = module
+sosreport = off

# Layer: services
# Module: soundserver
#
# sound server for network audio server programs, nasd, yiff, etc</summary>
#
-soundserver = module
+soundserver = off

# Layer: role
# Module: unconfineduser
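Review bot: the `soundserver` description ends with a stray `</summary>` tag and the `sosreport` description has a typo ("debuggin"); clean up both while the entries are being edited.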
@@ -2210,7 +2210,7 @@
#
# admin account
#
-staff = module
+staff = off

# Layer:role
# Module: sysadm
@@ -2224,17 +2224,17 @@
#
# Minimally privs guest account on tty logins
#
-unprivuser = module
+unprivuser = off

# Layer: services
# Module: prelude
#
-prelude = module
+prelude = off

# Layer: services
# Module: pads
#
-pads = module
+pads = off

# Layer: services
# Module: kerneloops
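Review bot: the `prelude` and `pads` entries have no description line at all, only the empty `#` separator; add a one-line description for each, as every other entry in the file has one.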
@@ -2248,28 +2248,28 @@
#
# openoffice executable
#
-openoffice = module
+openoffice = off

# Layer: apps
# Module: podsleuth
#
# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
#
-podsleuth = module
+podsleuth = off

# Layer: role
# Module: guest
#
# Minimally privs guest account on tty logins
#
-guest = module
+guest = off

# Layer: role
# Module: xguest
#
# Minimally privs guest account on X Windows logins
#
-xguest = module
+xguest = off

# Layer: services
# Module: cgroup
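Review bot: `guest` and `xguest` are role-layer modules, and together with `dbadm`, `webadm`, `staff` and `unprivuser` this patch turns off every user-role module it touches. Later in the thread these are named as the prime suspect for the semodule_expand failure, so this group is the first thing to restore when bisecting, and the other *-targeted.* files in the source directory should be checked for references to these roles before they are dropped.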
@@ -2283,14 +2283,14 @@
#
# IMAP and POP3 email servers
#
-courier = module
+courier = off

# Layer: services
# Module: denyhosts
#
# script to help thwart ssh server attacks
#
-denyhosts = module
+denyhosts = off

# Layer: apps
# Module: livecd
@@ -2304,14 +2304,14 @@
#
# Snort network intrusion detection system
#
-snort = module
+snort = off

# Layer: services
# Module: memcached
#
# high-performance memory object caching system
#
-memcached = module
+memcached = off

# Layer: system
# Module: netlabel
@@ -2325,20 +2325,20 @@
#
# policy for z/OS Remote-services Audit dispatcher plugin</summary>
#
-zosremote = module
+zosremote = off

# Layer: services
# Module: pingd
#
#
-pingd = module
+pingd = off

# Layer: services
# Module: milter
#
#
#
-milter = module
+milter = off

# Layer: services
# Module: keyboardd
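Review bot: the `pingd` and `milter` entries have empty description comments and the `zosremote` description carries a stray `</summary>` tag; add one-line descriptions and drop the tag while these lines are touched.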
@@ -2346,14 +2346,14 @@
# system-setup-keyboard is a keyboard layout daemon that monitors
# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
#
-keyboardd = module
+keyboardd = off

# Layer: services
# Module: firewalld
#
# firewalld is firewall service daemon that provides dynamic customizable
#
-firewalld = module
+firewalld = off

# Layer: apps
# Module: namespace
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 06-25-2011, 09:37 PM
Dominick Grift
 
Default strange semodule_expand error during linking


On 06/25/2011 11:24 PM, Mr Dash Four wrote:
>
>> I am strictly following what is written at the top of that file: To
>> prevent a module from being used in policy creation, set the module
>> name to "off". I'll try what you've suggested though and see if that
>> helps.
> Nope, same error! If you are willing to see if you get the same error as
> me, I have attached 3 patches (I hope the mailing list daemon won't moan
> too much!), which I use to compile the standard FC15 policy with.
>
> The first one is applied against the .spec file and the other two need
> to be placed in the SOURCES directory as they are applied against the
> policy sources at various stages during the actual build. The
> compilation passes OK, so does the linking, but I get an error with
> semodule_expand. The problem is, I have no idea what this error means!

I am not sure either. It might have to do with your patch for
modules-targeted.conf. Are you sure that by the time you patch that
file, you are actually patching Fedora's modules-targeted.conf?

Why are you making it so hard?

You could just use the Fedora 15 branch from git, edit that, create an
archive, and then use the other Fedora files from the source rpm and
replace that modules-targeted.

I have no patches in my forks at all.


 
Old 06-25-2011, 09:44 PM
Mr Dash Four
 
Default strange semodule_expand error during linking

> I am not sure either. It might have to do with your patch for
> modules-targeted.conf. Are you sure that by the time you patch that
> file, you are actually patching Fedora's modules-targeted.conf?
>
100%. If you look at the actual patch, it references
selinux_config/modules-targeted.conf, which happens after the various
.conf files are copied from SOURCES to BUILD/<ref-policy>/selinux_config
by the actions preceding the application of that patch.

> Why are you making it so hard?
>
> You could just use the Fedora 15 branch from git, edit that, create an
> archive, and then use the other Fedora files from the source rpm and
> replace that modules-targeted.
>
Because I am not sure I am going to only pick what I need (git is
something I am still not very comfortable with, I have to admit).

 
Old 06-25-2011, 09:48 PM
Dominick Grift
 
Default strange semodule_expand error during linking


On 06/25/2011 11:44 PM, Mr Dash Four wrote:
>
>> I am not sure either. It might have to do with your patch for
>> modules-targeted.conf. Are you sure that by the time you patch that
>> file, you are actually patching Fedora's modules-targeted.conf?
>>
> 100%. If you look at the actual patch, it references
> selinux_config/modules-targeted.conf, which happens after the various
> .conf files are copied from SOURCES to BUILD/<ref-policy>/selinux_config
> by the actions preceding the application of that patch.
>
>> Why are you making it so hard?
>>
>> You could just use the Fedora 15 branch from git, edit that, create an
>> archive, and then use the other Fedora files from the source rpm and
>> replace that modules-targeted.
>>
> Because I am not sure I am going to only pick what I need (git is
> something I am still not very comfortable with, I have to admit).
>

OK, well, there is not much you have changed, so I guess you should try
some things.

My bet is that it is related to how you apply your patches. Also I
would, like I said before, just remove any reference to modules that you
do not want installed from modules-targeted.conf.

The error message does not ring any bells for me either.
 
Old 06-25-2011, 10:00 PM
Mr Dash Four
 
Default strange semodule_expand error during linking

> My bet is that it is related to how you apply your patches.
This can't be the cause in itself. When I build exactly the same policy
but with these modules "activated" (i.e. "module" in place of "off",
so no real change is made), everything passes with no errors.

This is also how I used to build my previous versions of the same policy
(FC13) - no problems there either.

> Also I
> would, like I said before, just remove any reference to modules that you
> do not want installed from modules-targeted.conf.
>
It makes no difference - I already tried that.

> The Error message does not ring any bells for me either.
>
Ah, well. I'll dig in to see if I can find what is causing this.

I suspect it may be something to do with the user role "modules" I
switched off - dbadm, webadm, staff, unprivuser, guest and xguest.
Although I do not need any of these (and neither do any of the modules I
compiled - as far as I know), there are quite a few other *-targeted.*
files in the source directory I haven't looked at. There might be
something in them, which causes this, so I'll probably check that.

This is the only potential reason for this error. I am speculating here,
because I truly don't know what on Earth does "invalid module in module
package (at section 0)" mean? Do you get the same error when you try to
build the policy with "rpmbuild -bb" after applying my patches?

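As an added example (not code from the thread or from the Fedora policy build), a small checker for the modules-targeted.conf format shown in the patch above: it flags assignment states other than base/module/off, `# Module:` headers that disagree with the key, and role-layer modules turned off, which is the group the message above suspects. The sample config embedded in it is constructed, and the format assumptions (a `# Layer:` / `# Module:` comment block followed by `name = state`) are taken from the patch.

```python
import re

# Constructed sample in the format of the patched modules-targeted.conf from the
# thread: a "# Layer:" / "# Module:" comment block, then "name = state".
SAMPLE_CONF = """\
# Layer: services
# Module: openct
#
# Service for handling smart card readers.
#
openct = module

# Layer: apps
# Module: vhostmd
#
# vlock - Virtual Console lock program
#
vlock = off

# Layer:role
# Module: staff
#
# admin account
#
staff = off
tftp = on
"""

HEADER_RE = re.compile(r"^#\s*(Layer|Module):\s*(\S+)\s*$")
ENTRY_RE = re.compile(r"^(\w+)\s*=\s*(\w+)\s*$")
VALID_STATES = {"base", "module", "off"}  # the states refpolicy's modules.conf accepts


def parse_modules_conf(text):
    """One dict per 'name = state' line, carrying the Layer/Module values from
    the comment block that precedes it (None when the block is missing)."""
    entries, hdr = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            hdr[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            entries.append({"name": m.group(1), "state": m.group(2),
                            "layer": hdr.get("Layer"), "header_module": hdr.get("Module")})
            hdr = {}  # a header block describes exactly one entry
    return entries


def check_modules_conf(text):
    """(severity, message) findings to review before running the policy build:
    unknown states, mismatched '# Module:' headers, role-layer modules set off."""
    findings = []
    for e in parse_modules_conf(text):
        if e["state"] not in VALID_STATES:
            findings.append(("error", f"{e['name']}: unknown state '{e['state']}'"))
        if e["header_module"] and e["header_module"] != e["name"]:
            findings.append(("warn", f"{e['name']}: '# Module:' header reads {e['header_module']}"))
        if e["layer"] == "role" and e["state"] == "off":
            findings.append(("warn", f"{e['name']}: role-layer module turned off; check the other "
                                     "*-targeted.* config files for references to it"))
    return findings


def disabled_modules(text):
    """Names of modules the build will leave out (state 'off')."""
    return sorted(e["name"] for e in parse_modules_conf(text) if e["state"] == "off")
```

Run `check_modules_conf` on the real file before `rpmbuild` to catch a reversed or mistyped entry early; `disabled_modules` gives the list to compare against what is installed on the target.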
 