[snip]
> messages. But some of the rules it recommends just look wrong to me.
> Things like this:
>
> allow consoletype_t file_t:chr_file { getattr ioctl read write };
> allow consoletype_t file_t:dir search;
> allow dmesg_t file_t:chr_file { read write };
The original avc message would be helpful here.
Bear in mind that audit2allow just generates an allow rule, which may or
may not be what you need. In a lot of cases a dontaudit rule will do.

> I was under the impression that nothing should ever be permitted to
> transition to file_t, and that errors referencing the file_t domain mean
> there's something mis-labelled.
Indeed, which is why the original avc message would be helpful (as it
would allow you to figure out which file was being accessed).

> In this case, it looks like
> /dev/console is the biggest culprit, but I've also 20 or so errors from
> initrc, a few from ifconfig, a half-dozen from udev. If I install, say,
> sshd or sudo, I get more, even after merging and reloading their policy
> files.
Do you have udev mounted under /dev? devpts mounted under /dev/pts?
I prefer to use a static /dev or tmpfs (which supports security labels)

Antoine
--
gentoo-hardened@g.o mailing list
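An added example, not part of the thread: a small triage script that aggregates raw AVC denials into the same source/target/class groups audit2allow produces, but flags every group whose target type is file_t as a labelling problem to fix rather than a rule to add. The audit lines below are constructed samples whose contexts mirror the rules quoted in the mail.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the thread); contexts mirror the
# rules quoted in the mail, plus one non-file_t denial for contrast.
SAMPLE_AVCS = """\
type=AVC msg=audit(1700000000.101:11): avc:  denied  { read write } for  pid=812 comm="consoletype" path="/dev/console" dev=tmpfs ino=27 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
type=AVC msg=audit(1700000000.102:12): avc:  denied  { search } for  pid=812 comm="consoletype" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1700000000.103:13): avc:  denied  { read write } for  pid=900 comm="dmesg" path="/dev/console" dev=tmpfs ino=27 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
type=AVC msg=audit(1700000000.104:14): avc:  denied  { getattr } for  pid=950 comm="ifconfig" path="/proc/net/dev" dev=proc ino=4026 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:proc_net_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')
PATH_RE = re.compile(r'(?:path|name)="([^"]*)"')

def parse_avc(line):
    # Return the fields audit2allow keys on, or None if this is not an AVC denial.
    m = AVC_RE.search(line)
    if not m:
        return None
    p = PATH_RE.search(line)
    return {"perms": set(m["perms"].split()),
            "sdom": m["scon"].split(":")[2],    # source domain, e.g. dmesg_t
            "ttype": m["tcon"].split(":")[2],   # target type, e.g. file_t
            "tclass": m["tclass"],
            "path": p.group(1) if p else None}

def triage(log_text):
    """Aggregate denials into audit2allow-style rules, flagging file_t targets."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["sdom"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        if d["path"]:
            g["paths"].add(d["path"])
    report = []
    for (sdom, ttype, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {sdom} {ttype}:{tclass} {perm_str};"
        if ttype == "file_t":   # unlabelled target: relabel it, never allow it
            paths = ", ".join(sorted(g["paths"])) or "<path not in avc>"
            verdict = f"MISLABELLED: fix the label on {paths}; do not add this rule"
        else:
            verdict = "review: genuine access, consider allow or dontaudit"
        report.append((rule, verdict))
    return report
```

Feed it the relevant lines from /var/log/audit/audit.log (or dmesg) and the paths it reports for file_t groups are the ones to relabel, which is the information the original avc messages carry and the generated rules lose.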