| 1 |
Hi listmembers, |
| 2 |
|
| 3 |
I've needed a little longer as suggested, I am sorry for that. |
| 4 |
|
| 5 |
Markus Dittrich wrote: |
| 6 |
|
| 7 |
>On Fri, 24 Sep 2004 23:44:15 +0200, Victor Banatean <pie_oh_pah@×××.net> wrote: |
| 8 |
> |
| 9 |
> |
| 10 |
> |
| 11 |
>>Nevertheless I found a solution, but I do not prefer it, so I'll will |
| 12 |
>>try it again |
| 13 |
>>tomorrow. If anyone have a good idea or hint,please tell it. |
| 14 |
>> |
| 15 |
>> |
| 16 |
> |
| 17 |
>Try running "strace Eterm" as your user. If you're lucky that'll show |
| 18 |
>you what device/file Eterm needs to open, but doesn't have permission |
| 19 |
>to. |
| 20 |
> |
| 21 |
> |
| 22 |
> |
| 23 |
I'd tried it and the result is that Eterm need permission on /dev/pty*. |
| 24 |
|
| 25 |
So I'd done the following: |
| 26 |
|
| 27 |
1. chmod 666 /dev/pty* => not sufficient |
| 28 |
|
| 29 |
2. ls -Z /dev => "Segmentation fault" |
| 30 |
How could I determine the context? |
| 31 |
|
| 32 |
3. cd /etc/security/selinux/src/policy |
| 33 |
make clean |
| 34 |
make load |
| 35 |
make relabel |
| 36 |
=> no success |
| 37 |
|
| 38 |
4. I looked, if my init could load the policy: |
| 39 |
# ldd /sbin/init |
| 40 |
linux-gate.so.1 => (0xffffe000) |
| 41 |
libselinux.so.1 => /lib/libselinux.so.1 (0x40025000) |
| 42 |
libc.so.6 => /lib/libc.so.6 (0x40035000) |
| 43 |
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) |
| 44 |
|
| 45 |
=> seems OK |
| 46 |
|
| 47 |
5. Next I checked the following contexts, whilst run "sestatus -v": |
| 48 |
|
| 49 |
SELinux status: enabled |
| 50 |
SELinuxfs mount: /selinux |
| 51 |
Current mode: permissive |
| 52 |
Policy version: 17 |
| 53 |
|
| 54 |
Policy booleans: |
| 55 |
user_ping inactive |
| 56 |
|
| 57 |
Process contexts: |
| 58 |
Current context: root:staff_r:staff_t |
| 59 |
Init context: system_u:system_r:init_t |
| 60 |
|
| 61 |
File contexts: |
| 62 |
Controlling term: unknown (Operation not supported) |
| 63 |
/etc/passwd system_u:object_r:etc_t |
| 64 |
/etc/shadow system_u:object_r:shadow_t |
| 65 |
/bin/bash system_u:object_r:shell_exec_t |
| 66 |
/bin/login system_u:object_r:login_exec_t |
| 67 |
/bin/sh system_u:object_r:bin_t -> |
| 68 |
system_u:object_r:shell_exec_t |
| 69 |
/sbin/agetty system_u:object_r:getty_exec_t |
| 70 |
/sbin/init system_u:object_r:init_exec_t |
| 71 |
/usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 72 |
/usr/X11R6/bin/xdm system_u:object_r:bin_t |
| 73 |
/lib/libc.so.6 system_u:object_r:lib_t -> |
| 74 |
system_u:object_r:shlib_t |
| 75 |
/lib/ld-linux.so.2 system_u:object_r:lib_t -> |
| 76 |
system_u:object_r:ld_so_t |
| 77 |
|
| 78 |
Seems OK! |
| 79 |
However I didn't have the next one mentioned at |
| 80 |
|
| 81 |
"http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=5&chap=2#doc_chap1": |
| 82 |
|
| 83 |
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t |
| 84 |
|
| 85 |
Nevertheless I did not relabel the files /etc/passwd and /etc/shadow, as |
| 86 |
they are fine. |
| 87 |
|
| 88 |
|
| 89 |
6. ACCEPT_KEYWORDS="~x86" emerge --pretend --verbose udev |
| 90 |
=> no success |
| 91 |
|
| 92 |
7. After login, no matter what user, I everytime get the message: |
| 93 |
"Warning! Could not get current context for /dev/vc1, /dev/vcs1, |
| 94 |
/dev/vcsa1, |
| 95 |
not relabeling." |
| 96 |
Have I to solve this to solve my other problem, what are then the |
| 97 |
dependencies? |
| 98 |
|
| 99 |
|
| 100 |
I think it has to do something with the wrong, not sufficient, context, |
| 101 |
moreover I don't have any other ideas at the moment. |
| 102 |
|
| 103 |
Any help/hint would be great! |
| 104 |
|
| 105 |
Yours, |
| 106 |
Victor |
| 107 |
|
| 108 |
-- |
| 109 |
gentoo-hardened@g.o mailing list |
Archives