Actually what you have there is a mislabeled file.  Here's the relevant
poop:

# cd /etc/selinux/strict/contexts/files

# grep ld.so.cache file_contexts
/etc/ld\.so\.cache      --      system_u:object_r:ld_so_cache_t
/etc/ld\.so\.preload    --      system_u:object_r:ld_so_cache_t

# ls -Z /etc/ld.so.cache
-rw-r--r--  root root root:object_r:ld_so_cache_t      /etc/ld.so.cache

See if this does the trick:

# restorecon -v /etc/ld.so.cache

If that doesn't change it, your system is not firing the rule properly
or else it is missing from the file_contexts file for some reason.  I've
had some rules fail to fire on an x86_64 box because there were issues
matching the /lib symlink to the /lib64 target and so forth. Also, have
you done an rlpkg to relabel your filesystem lately?

Dominik J. Fischer wrote:
> Dear list,
>
> I am running a freshly installed SELinux system with
> sec-policy/selinux-base-policy 20070329 in strict/permissive mode.
>
> When I try to write a TE module for my avc denials the compiler doesn't
> resolve the necessary types. For example, considering the following avc
> entry for type consoletype:
>
> vmdefault # dmesg | grep avc
> audit(1190988750.096:3): avc:  denied  { read } for  pid=26115
> comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476
> scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t
> tclass=file
> audit(1190988750.096:4): avc:  denied  { getattr } for  pid=26115
> comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476
> scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t
> tclass=file
>
> My policy module looks like this:
>
> policy_module(local,1.0.0) 
> type local_t;
> files_read_etc_files(consoletype_t)
>
> When I try to compile, the compiler gives me an unknown type error:
>
> vmdefault include # make -f /usr/share/selinux/strict/include/Makefile 
> Compiling strict local module
> /usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
> local.te:11:ERROR 'unknown type consoletype_t' at token ';' on line
> 78133:
>         allow consoletype_t etc_t:dir { getattr search read lock
> ioctl };
> #line 11
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
> Seems to me that the compiler does not resolve the types against the
> base policy.
>
> Any ideas? Comments are highly appreciated.
>
> Dominik
>
>   

-- 
[EMAIL PROTECTED] mailing list
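The reply above makes its diagnosis by hand: grep the file_contexts entry for the path, compare it with ls -Z, and relabel with restorecon if they differ. The following script is an added example (not code from either poster) that automates the same check for a batch of AVC denials: it parses file_contexts entries (regex, optional file-type flag, context; the last matching entry wins), pulls the target's type out of each denial's tcontext, and reports the paths whose on-disk label disagrees with policy, together with the restorecon command that fixes them. The file_contexts excerpt and AVC lines are constructed from the thread; the basename-to-path map is an assumption, because an AVC record only carries name= and dev/ino, not the full path.

```python
import re

# Constructed excerpt of a strict-policy file_contexts file, in the same format
# the reply grep'd: regex, optional file-type flag ("--" = regular file), context.
FILE_CONTEXTS = r"""
/etc(/.*)?              system_u:object_r:etc_t
/etc/ld\.so\.cache      --      system_u:object_r:ld_so_cache_t
/etc/ld\.so\.preload    --      system_u:object_r:ld_so_cache_t
"""

# Constructed AVC records, one per line (dmesg wrapped them in the post).
AVC_LOG = """
audit(1190988750.096:3): avc:  denied  { read } for  pid=26115 comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t tclass=file
audit(1190988750.096:4): avc:  denied  { getattr } for  pid=26115 comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t tclass=file
"""

# Assumption: AVC records give only the basename, so the caller supplies the
# full path (in practice resolved from dev/ino or known from the denied program).
PATH_HINTS = {"ld.so.cache": "/etc/ld.so.cache"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'name="(?P<name>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_flag_or_None, context), ...] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            continue
        entries.append((re.compile(regex), ftype, ctx))
    return entries


def expected_context(entries, path, ftype="--"):
    """Context that file_contexts assigns to path: among entries whose regex
    matches the whole path and whose file-type flag (if any) fits, the last wins."""
    winner = None
    for rx, flag, ctx in entries:
        if rx.fullmatch(path) and (flag is None or flag == ftype):
            winner = ctx
    return winner


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def find_mislabels(avc_text, entries, path_hints):
    """Compare the tcontext type of each 'file' denial with the type file_contexts
    says the path should carry. Returns one dict per mislabeled path."""
    found = {}
    for line in avc_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "file":
            continue
        path = path_hints.get(m.group("name"))
        if path is None:
            continue
        actual = context_type(m.group("tcontext"))
        expect_ctx = expected_context(entries, path)
        expected = context_type(expect_ctx) if expect_ctx else None
        if expected is None or actual == expected:
            continue  # label matches policy: this denial needs a policy rule, not a relabel
        rec = found.setdefault(path, {
            "path": path, "actual_type": actual, "expected_type": expected,
            "perms": set(), "fix": f"restorecon -v {path}",
        })
        rec["perms"].update(m.group("perms").split())
    return list(found.values())


if __name__ == "__main__":
    for r in find_mislabels(AVC_LOG, parse_file_contexts(FILE_CONTEXTS), PATH_HINTS):
        print(f"{r['path']}: labeled {r['actual_type']}, expected {r['expected_type']} "
              f"(denied {' '.join(sorted(r['perms']))}) -> {r['fix']}")
```

The useful distinction the script draws is the one the reply relies on: a denial whose tcontext already matches file_contexts is a genuine policy gap that a TE module should address, whereas a denial against a type that file_contexts does not assign to the path (etc_t on /etc/ld.so.cache here) is a labeling problem, and writing an allow rule for it would only paper over a mislabeled file.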