FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 11-18-2011, 12:05 AM
Brian Ginn
 
Default SELinux policy for both Enterprise Linux 5 and 6

I have SELinux policy that is compiled on Red Hat Enterprise Linux 5.

This policy fails to install on Red Hat Enterprise Linux 6 with the following message:

libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).

*

Is there a way to write SELinux policy so that It can be compiled on v 5.x and will run on 6.x ?

*

*

*

Thanks,

Brian




--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 11-18-2011, 01:20 PM
Daniel J Walsh
 
Default SELinux policy for both Enterprise Linux 5 and 6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/17/2011 08:05 PM, Brian Ginn wrote:
> I have SELinux policy that is compiled on Red Hat Enterprise Linux
> 5.
>
> This policy fails to install on Red Hat Enterprise Linux 6 with
> the following message:
>
> libsepol.print_missing_requirements: pbrun's global requirements
> were not met: type/attribute system_chkpwd_t (No such file or
> directory).
>
>
>
> Is there a way to write SELinux policy so that It can be compiled
> on v 5.x and will run on 6.x ?
>
>
>
>
>
>
>
> Thanks,
>
> Brian
>

That looks like a bug in RHEL6 policy then. Could you attach the
policy? You are supposed to be able to do this. We might need to add
a typealias to RHEL6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7GabQACgkQrlYvE4MpobOr8QCgtdcKwq2t0X yU3lR1vtxIe/aW
vZ8AoLEecEB6YMhcVWZBz8kFHXcqQftR
=Brii
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 12-01-2011, 10:03 AM
Miroslav Grepl
 
Default SELinux policy for both Enterprise Linux 5 and 6

On 11/18/2011 02:05 AM, Brian Ginn wrote:





I have SELinux policy that is compiled on
Red Hat Enterprise Linux 5.

This policy fails to install on Red Hat
Enterprise Linux 6 with the following message:

libsepol.print_missing_requirements:
pbrun's global requirements were not met: type/attribute
system_chkpwd_t (No such file or directory).



This type does not exist on RHEL6. This is a problem why you can not
load your local policy. You probably just need to recompile your
policy on RHEL6. Another option would be to use "optional_policy"
block for interface calling.



For example



optional_policy(`

*auth_domtrans_chk_passwd(test_t)

')



If something is wrong with this interface then it won't be used. But
of course, then you will lost a part of functionality.





*

Is there a way to write SELinux policy so
that It can be compiled on v 5.x and will run on 6.x ?









*

*

*

Thanks,

Brian



Regards,

Miroslav








--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux





--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 12-01-2011, 01:15 PM
Daniel J Walsh
 
Default SELinux policy for both Enterprise Linux 5 and 6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2011 06:03 AM, Miroslav Grepl wrote:
> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>
>> I have SELinux policy that is compiled on Red Hat Enterprise
>> Linux 5.
>>
>> This policy fails to install on Red Hat Enterprise Linux 6 with
>> the following message:
>>
>> libsepol.print_missing_requirements: pbrun's global requirements
>> were not met: type/attribute system_chkpwd_t (No such file or
>> directory).
>>
> This type does not exist on RHEL6. This is a problem why you can
> not load your local policy. You probably just need to recompile
> your policy on RHEL6. Another option would be to use
> "optional_policy" block for interface calling.
>
> For example
>
> optional_policy(` auth_domtrans_chk_passwd(test_t) ')
>
> If something is wrong with this interface then it won't be used.
> But of course, then you will lost a part of functionality.
>>
>>
>>
>> Is there a way to write SELinux policy so that It can be compiled
>> on v 5.x and will run on 6.x ?
>>
>
>>
>>
>>
>>
>>
>>
>> Thanks,
>>
>> Brian
>>
> Regards, Miroslav
>>
>>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


Miroslav we need to add the type alias for this situation, though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7XjAUACgkQrlYvE4MpobPjCwCgl5KGLHffns cGuAbg8r8ud/td
xXsAni/3l1Qy/ud5MtZj7tEKQEWfJSuV
=Trss
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 12-01-2011, 04:08 PM
Daniel J Walsh
 
Default SELinux policy for both Enterprise Linux 5 and 6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2011 01:58 PM, Miroslav Grepl wrote:
> On 12/01/2011 03:15 PM, Daniel J Walsh wrote: On 12/01/2011 06:03
> AM, Miroslav Grepl wrote:
>>>> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>>>> I have SELinux policy that is compiled on Red Hat
>>>>> Enterprise Linux 5.
>>>>>
>>>>> This policy fails to install on Red Hat Enterprise Linux 6
>>>>> with the following message:
>>>>>
>>>>> libsepol.print_missing_requirements: pbrun's global
>>>>> requirements were not met: type/attribute system_chkpwd_t
>>>>> (No such file or directory).
>>>>>
>>>> This type does not exist on RHEL6. This is a problem why you
>>>> can not load your local policy. You probably just need to
>>>> recompile your policy on RHEL6. Another option would be to
>>>> use "optional_policy" block for interface calling.
>>>>
>>>> For example
>>>>
>>>> optional_policy(` auth_domtrans_chk_passwd(test_t) ')
>>>>
>>>> If something is wrong with this interface then it won't be
>>>> used. But of course, then you will lost a part of
>>>> functionality.
>>>>>
>>>>>
>>>>> Is there a way to write SELinux policy so that It can be
>>>>> compiled on v 5.x and will run on 6.x ?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Brian
>>>>>
>>>> Regards, Miroslav
>>>>>
>>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Miroslav we need to add the type alias for this situation, though.
>> I was thinking about that, but this is between major release. Is
>> this possible?
>


Well I guess we could hope that it works. I think where it will fall
apart is on things like the open access. So a policy build for RHEL5
might not work on RHEL6, if a confined domain needs to open anything...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7XtKYACgkQrlYvE4MpobMjVwCgoQVyMFdrQW 88/CC8ALH8o/vk
w3EAoIxsD0xgCyr+t9uXHUDKPfgCXaIk
=W8gW
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 12-01-2011, 05:58 PM
Miroslav Grepl
 
Default SELinux policy for both Enterprise Linux 5 and 6

On 12/01/2011 03:15 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/2011 06:03 AM, Miroslav Grepl wrote:
>> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>> I have SELinux policy that is compiled on Red Hat Enterprise
>>> Linux 5.
>>>
>>> This policy fails to install on Red Hat Enterprise Linux 6 with
>>> the following message:
>>>
>>> libsepol.print_missing_requirements: pbrun's global requirements
>>> were not met: type/attribute system_chkpwd_t (No such file or
>>> directory).
>>>
>> This type does not exist on RHEL6. This is a problem why you can
>> not load your local policy. You probably just need to recompile
>> your policy on RHEL6. Another option would be to use
>> "optional_policy" block for interface calling.
>>
>> For example
>>
>> optional_policy(` auth_domtrans_chk_passwd(test_t) ')
>>
>> If something is wrong with this interface then it won't be used.
>> But of course, then you will lost a part of functionality.
>>>
>>>
>>> Is there a way to write SELinux policy so that It can be compiled
>>> on v 5.x and will run on 6.x ?
>>>
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Brian
>>>
>> Regards, Miroslav
>>>
>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Miroslav we need to add the type alias for this situation, though.
I was thinking about that, but this is between major release. Is this
possible?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7XjAUACgkQrlYvE4MpobPjCwCgl5KGLHffns cGuAbg8r8ud/td
> xXsAni/3l1Qy/ud5MtZj7tEKQEWfJSuV
> =Trss
> -----END PGP SIGNATURE-----

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 04:32 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org