Pages

Sunday, February 16, 2020

Fedora 31 : Can be better? part 006.

I try to use the Selinux MLS with Fedora 31 and I wrote on my last article about Fedora 31 : Can be better? part 005.
After relabeling the files and start the environment I get multiple errors and I ask an answer at fedoraproject lists:
This is an example of the problem of implementing MLS in Fedora and can be remedied because MLS Selinux is old in implementing Selinux.

SELinux is preventing su from open access on the file /var/log/lastlog.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that su should be allowed open access on the lastlog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'su' --raw | audit2allow -M my-su
# semodule -X 300 -i my-su.pp
I try to fix it but I got this error: 
[root@desk mythcat]# ausearch -c 'su' --raw | audit2allow -M my-su
compilation failed:
my-su.te:36:ERROR 'syntax error' at token 'mlsconstrain' on line 36:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  
or (t1 == mlsfilewritetoclr -Fail-)  and (h1 dom l2 -Fail-)  and (l1 domby l2)  or (t2 == 
mlsfilewriteinrange -Fail-)  
and (l1 dom l2 -Fail-)  an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1 == 
mlsfilereadtoclr -Fail-)  
and (h1 dom l2 -Fail-)  or (t1 == mlsfileread -Fail-)  or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
[root@desk mythcat]# ausearch -c 'su' --raw | audit2allow -M my-su
compilation failed:
my-su.te:36:ERROR 'syntax error' at token 'mlsconstrain' on line 36:
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  
or (t1 == mlsfilewritetoclr -Fail-)  and (h1 dom l2 -Fail-)  and (l1 domby l2)  or (t2 == 
mlsfilewriteinrange -Fail-)  
and (l1 dom l2 -Fail-)  an
# mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1 == 
mlsfilereadtoclr -Fail-)  
and (h1 dom l2 -Fail-)  or (t1 == mlsfileread -Fail-)  or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
/usr/bin/checkmodule:  error(s) encountered while parsing configuration...
Posted by Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)