Bug 832828 - recommended action display warnings
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-17 13:46 EDT by Michael S. Tsirkin
Modified: 2012-06-17 17:15 EDT (History)
Last Closed: 2012-06-17 17:15:59 EDT
Description Michael S. Tsirkin 2012-06-17 13:46:35 EDT
Description of problem:
I am running vpnc with custom scripts. This results
in selinux warnings.
setroubleshoot also says:

If you believe that vpnc should be allowed getattr access on the vpnc-fifo.conf fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vpnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

If I execute these commands I get a warning:
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-130.fc17.noarch

How reproducible:
always

Steps to Reproduce:
1. do something to trigger a warning. For example:
vpnc ./vpnc.conf
where vpnc.conf is in user home directory
2. click setroubleshoot, click details.
copy these lines, and execute:
3. grep vpnc /var/log/audit/audit.log | audit2allow -M mypol
4. semodule -i mypol.pp

  
Actual results:
warning is displayed:
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************

Expected results:
no warning should occur

note that selinux itself recommends this course of action,
and user is not given any hint whether it's good or bad
to downgrade a policy

Additional info:
Comment 1 Miroslav Grepl 2012-06-17 17:15:59 EDT
I believe you see different AVC msgs and this is a reason why you get a new AVC.

If you switch to permissive mode or execute

# semanage permissive -a vpnc_t

then you can collect all AVC msgs

# grep vpnc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
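
Added example (not part of the bug thread, setroubleshoot or audit2allow): a Python script that summarizes what a set of AVC denials would grant, so the result can be reviewed before running audit2allow -M and semodule -i, and that shows why a permissive vpnc_t run yields more rules than an enforcing one. The log lines, the user_home_t target type, the NetworkManager_t line and all helper names are constructed assumptions.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(lines, domain="vpnc_t"):
    """Group denied permissions by (source type, target type, class) for one domain."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if m and se_type(m["scon"]) == domain:  # stricter than `grep vpnc`
            rules[(domain, se_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in rules.items()}

def as_allow_rules(summary):
    """Render the summary in allow-rule form for review before building a module."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

def _avc(perm, comm, path, stype, tclass):
    # Constructed audit.log line; user_home_t and all ids are assumed sample values.
    return (f'type=AVC msg=audit(1339955195.101:310): avc:  denied  {{ {perm} }} for  '
            f'pid=2101 comm="{comm}" path="{path}" dev="dm-2" ino=131 '
            f'scontext=system_u:system_r:{stype}:s0 '
            f'tcontext=unconfined_u:object_r:user_home_t:s0 tclass={tclass}')

FIFO = "/home/user/vpnc-fifo.conf"
# Enforcing: the denied call fails and vpnc typically stops, so only getattr is logged.
ENFORCING_LOG = [_avc("getattr", "vpnc", FIFO, "vpnc_t", "fifo_file")]
# vpnc_t permissive: the run continues and the later denials are logged too.
PERMISSIVE_LOG = ENFORCING_LOG + [
    _avc("open", "vpnc", FIFO, "vpnc_t", "fifo_file"),
    _avc("read", "vpnc", FIFO, "vpnc_t", "fifo_file"),
    # Different domain that merely mentions vpnc in a path: must be excluded.
    _avc("read", "NetworkManager", "/home/user/vpnc.conf", "NetworkManager_t", "file"),
]

if __name__ == "__main__":
    for name, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(name, *as_allow_rules(summarize(log)), sep="\n  ")
```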
