From erdesc at free.fr Wed Oct 2 14:50:56 2013
From: erdesc at free.fr (Éric Deschamps)
Date: Wed, 02 Oct 2013 16:50:56 +0200
Subject: [DSE-User] audit2allow could not open interface info [/var/lib/sepolgen/interface_info]
Message-ID: <524C32D0.9020106@free.fr>

Hello,

Just a note to help anyone getting this error with audit2allow:

could not open interface info [/var/lib/sepolgen/interface_info]

I needed to relaunch:

# sepolgen-ifgen

Source of the similar problem at RedHat:

Regards,
Éric

From erdesc at free.fr Wed Oct 2 14:53:25 2013
From: erdesc at free.fr (Éric Deschamps)
Date: Wed, 02 Oct 2013 16:53:25 +0200
Subject: [DSE-User] semodule missing permissions to /etc/selinux/default/modules/active
Message-ID: <524C3365.1010108@free.fr>

Hello,

Trying to load a new policy with semodule, I get this error:

# semodule -i /usr/share/selinux/shorewall-plus.pp
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/default/modules/active to /etc/selinux/default/modules/previous. (Permission denied).
semodule: Failed!

Here is an excerpt of audit2why explanation:

# grep semodule /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1380724705.027:9561): avc: denied { getattr } for pid=6007 comm="semodule" name="/" dev="sysfs" ino=1 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1380724710.867:9562): avc: denied { rename } for pid=6007 comm="semodule" name="active" dev="sda1" ino=134215 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

Does this problem look normal to you?
Is it a bug in basic policies or did I miss something?

Regards,
Éric
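A small triage helper for denials like the two quoted in the second message, added here as an example; it is not part of the post and not code from the SELinux userspace tools. It parses AVC records out of audit.log, groups them by source type / target type / object class / permission, and flags any denial whose target directory carries a label other than the one expected for that directory name. Before reaching for audit2allow, this distinguishes a genuinely missing allow rule from a mislabeled object, which is repaired with restorecon rather than with a new policy module. The expected-label table (semanage_store_t for the module store's active, previous and tmp directories) is an assumption taken from refpolicy's file contexts as I recall them; confirm it with `matchpathcon` on the actual system before relabeling. The sample records are the two AVC lines from the post plus one constructed non-AVC line to show that other record types are skipped.

```python
#!/usr/bin/env python3
"""Parse SELinux AVC denials and flag likely mislabeled targets."""
import re
import sys
from collections import Counter

# Sample input: the two AVC lines quoted in the post, plus one constructed
# SYSCALL record (not an AVC) that the parser must ignore.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1380724705.027:9561): avc: denied { getattr } for pid=6007 '
    'comm="semodule" name="/" dev="sysfs" ino=1 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1380724710.867:9562): avc: denied { rename } for pid=6007 '
    'comm="semodule" name="active" dev="sda1" ino=134215 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:selinux_config_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1380724710.867:9562): arch=c000003e syscall=82 '
    'success=no exit=-13 comm="semodule"',  # constructed; not an AVC record
]

# ASSUMPTION (from refpolicy's seutil file contexts, as recalled): the module
# store directories are semanage_store_t, not the generic selinux_config_t of
# their parent. Verify with: matchpathcon /etc/selinux/<store>/modules/active
ASSUMED_STORE_LABELS = {
    'active': 'semanage_store_t',
    'previous': 'semanage_store_t',
    'tmp': 'semanage_store_t',
}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type[:range] into its parts."""
    user, role, type_, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'range': rest[0] if rest else ''}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (quoted if bare == '' else bare) for k, quoted, bare in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'source_type': split_context(fields['scontext'])['type'],
        'target_type': split_context(fields['tcontext'])['type'],
        'tclass': fields['tclass'],
    }


def summarize(records):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r['perms']:
            counts[(r['source_type'], r['target_type'], r['tclass'], perm)] += 1
    return counts


def suspect_mislabels(records, expected=ASSUMED_STORE_LABELS):
    """Return (name, actual_type, expected_type) for file/dir denials whose
    target label differs from the label expected for that object name."""
    out = []
    for r in records:
        want = expected.get(r['name'])
        if want and r['tclass'] in ('dir', 'file') and r['target_type'] != want:
            out.append((r['name'], r['target_type'], want))
    return out


if __name__ == '__main__':
    # Pipe audit.log on stdin to analyse real records; otherwise use the sample.
    lines = SAMPLE_AUDIT_LINES if sys.stdin.isatty() else sys.stdin
    records = [r for r in map(parse_avc, lines) if r]
    for key, n in sorted(summarize(records).items()):
        print('%4d  %s -> %s  %s:%s' % (n, *key))
    for name, actual, want in suspect_mislabels(records):
        print('possible mislabel: %r is %s, expected %s (check with matchpathcon; '
              'fix with restorecon, not a new allow rule)' % (name, actual, want))
```

Run it as `grep semodule /var/log/audit/audit.log | python3 avc_triage.py`; when nothing is piped in, it analyses the two records from the post, reports the rename denial on the "active" directory as a possible mislabel, and leaves the sysfs getattr denial as an ordinary missing-rule candidate.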