Hi,

I followed the steps on
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=2

to convert an existing system to SELinux and have also gone through the
"Troubleshooting SELinux" section of the handbook, but with no success.

I use the "selinux/2005.1/x86" profile, kernel "2.6.14-hardened-r5",
policy version 20, XFS as root filesystem, udev.

I re-emerged all packages of the whole system, relabeled the whole
filesystem, ran restorecon /dev, did a "rlpkg" of sysvinit, bash, glibc,
pam, openssh, coreutils and many others, but nothing helps.

According to the troubleshooting section in the handbook everything
looks fine, all the suggested commands work without warnings or errors,
all security labels are set as shown, but things still do not work.

For example I can do the following:

cd /etc/security/selinux/src/policy
make clean
make install
make load
ls

and as a result I get the following syslog message:

==> /var/log/kern.log <==
Mar 18 12:36:47 server audit(1142681807.921:440): avc: denied { getattr } for pid=24263 comm="ls" name="COPYING" dev=sda2 ino=234881155 scontext=root:staff_r:staff_t tcontext=system_u:object_r:named_zone_t tclass=dir
[...]

And of course hundreds more, one from every command I call; even init
and bash are denied, so I can only boot up the machine in permissive mode.

Here is what "sestatus" shows:
----------------------------------
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 20

Policy booleans:
secure_mode inactive
ssh_sysadm_login inactive
user_ping inactive
----------------------------------

Any ideas what goes wrong?
Did I miss something?

thanks,
Thomas

--
gentoo-hardened@g.o mailing list
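As an added example (not from the original post or the Gentoo handbook), a small Python script that parses AVC records in the format quoted above, counts denials by source context, target context and object class, and flags target types that are denied to several unrelated domains at once. The sample log lines are constructed, modeled on the denial in the post; a type like named_zone_t showing up in denials for both a user shell and init is a strong hint that the files carry the wrong label rather than that one domain lacks a rule.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modeled on the post's kern.log output (not real log data).
SAMPLE_LOG = """\
Mar 18 12:36:47 server audit(1142681807.921:440): avc: denied { getattr } for pid=24263 comm="ls" name="COPYING" dev=sda2 ino=234881155 scontext=root:staff_r:staff_t tcontext=system_u:object_r:named_zone_t tclass=dir
Mar 18 12:36:47 server audit(1142681807.922:441): avc: denied { read } for pid=24263 comm="ls" name="policy" dev=sda2 ino=234881100 scontext=root:staff_r:staff_t tcontext=system_u:object_r:named_zone_t tclass=dir
Mar 18 12:36:48 server audit(1142681808.001:442): avc: denied { execute } for pid=1 comm="init" name="bash" dev=sda2 ino=10 scontext=system_u:system_r:init_t tcontext=system_u:object_r:named_zone_t tclass=file
Mar 18 12:36:49 server audit(1142681809.100:443): avc: granted { read } for pid=24264 comm="cat" name="passwd" dev=sda2 ino=12 scontext=root:staff_r:staff_t tcontext=system_u:object_r:etc_t tclass=file
Mar 18 12:36:50 server kernel: eth0: link up
"""

# "avc: denied { perm ... } for key=value ..." as printed by the kernel AVC.
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def summarize_denials(log_text):
    """Count denials by (scontext, tcontext, tclass) so repeated label pairs stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"])] += 1
    return counts


def widely_denied_targets(log_text, min_domains=2):
    """Target types denied to at least min_domains distinct source domains.

    One domain missing one rule is a policy gap; a file type refused to unrelated
    domains (a user shell, init, ...) usually means the files are mislabeled."""
    domains_by_type = defaultdict(set)
    for (sc, tc, _), _count in summarize_denials(log_text).items():
        domains_by_type[tc.split(":")[2]].add(sc.split(":")[2])
    return {t for t, doms in domains_by_type.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, *key)
    print("likely mislabeled types:", sorted(widely_denied_targets(SAMPLE_LOG)))
```

Feed it real output with `python3 avc_summary.py < /var/log/kern.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; types it flags are candidates for checking against the file contexts with restorecon -nv.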