List Archive: gentoo-hardened
Headers:
To: gentoo-hardened@g.o
From: Bill Sharer <bsharer@...>
Subject: Re: Re: lots of avcs when running dmesg, is this nomal ?
Date: Thu, 20 Sep 2007 18:25:41 -0400
I've got time to be back to looking at things again, but I seem to
recall finding a boolean or two related to browser domains while
researching that urandom thing.  Thanks for bringing that up btw, I have
a new box I've been doing at work and forgot totally about that.  I
still think a gentoo ebuild should be patching the reference policy to
turn it on by default for gentoo folk.

I've still got some race condition denials coming from bash and
/dev/null and a few other things.  I may end up doing a hack or two to
baselayout scripts to make sure that the udev created /dev nodes have
been properly labeled before they get used.

guo walter wrote:
>
> According to the following, I set "setsebool -P global_ssp 1" and rebooted, but
> there are still a few AVCs left in "dmesg", such as:
>
> audit(1190258497.269:262): avc:  denied  { read write } for  pid=27657
> comm="firefox-bin" name="tty1" dev=tmpfs ino=1197
> scontext=user_u:user_r:user_mozilla_t
> tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
> audit(1190258497.269:263): avc:  denied  { execstack } for  pid=27657
> comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t
> tcontext=user_u:user_r:user_mozilla_t tclass=process
> audit(1190258497.269:264): avc:  denied  { execmod } for  pid=27657
> comm="firefox-bin" name=" libGL.so.1.2" dev=sda5 ino=189890
> scontext=user_u:user_r:user_mozilla_t
> tcontext=system_u:object_r:shlib_t tclass=file
> audit(1190258497.769:265): avc:  denied  { setattr } for  pid=27657
> comm="firefox-bin" name=".gnome2_private" dev=sda5 ino=791500
> scontext=user_u:user_r:user_mozilla_t
> tcontext=user_u:object_r:user_home_dir_t tclass=dir
> audit(1190258497.769:266): avc:  denied  { getattr } for  pid=27657
> comm="firefox-bin" name="Fonts" dev=sda2 ino=47
> scontext=user_u:user_r:user_mozilla_t
> tcontext=system_u:object_r:unlabeled_t tclass=dir
>
>
> From: Chris PeBenito <pebenito@...>
> Subject: Re: global_ssp boolean
> Newsgroups: gmane.linux.gentoo.hardened
> Date: 2007-06-26 16:41:32 GMT
> On Sun, 2007-06-24 at 20:41 -0400, Bill Sharer wrote:
> > Chris P and company
> >
> > While rummaging through my dmesg's I found a lot of denials related to
> > the urandom device and then found the global_ssp boolean when looking at
> > stuff through apol.  (20070329 ref policy btw).  Anyway I also saw this
> >
> > http://www.nsa.gov/selinux/list-archive/0603/thread_body35.cfm
> >
> > documenting this gentoo-only flag.  The only trouble is that the
> > booleans.conf that unpacks with the reference policy has this set to
> > false.  Is this worth a trip to bugzilla to write it up?
>
>
> setsebool -P global_ssp 1
>
> That will enable it and make it so it is set on boot.  The purpose of
> booleans is to provide options to the users.
>
>
> -- 
> Chris PeBenito <pebenito@...>
> Developer,
> Hardened Gentoo Linux
>
>
> On 9/13/07, guo walter <walter.d.guo.newsgroup@...> wrote:
>
>     According to the thread, I did the following; now, when running
>     "dmesg", the avc lines dropped to 200 lines from more than 700
>     lines initially, a little progress :)
>     Here is what I did.
>
>     (1)#cp -a /dev /mnt/usb
>     (2)cd /mnt/usb/
>         #setfilecon system_u:object_r:console_device_t console
>         #setfilecon system_u:object_r:security_t selinux
>     (3)boot from 2005.1 selinux livecd, copy /mnt/usb/dev back
>     (4)reboot
>
>
>
>     On 9/13/07, guo walter <walter.d.guo.newsgroup@...> wrote:
>
>         Or just a specific directory (don't know which directory)
>         instead of
>
>
>         On 9/13/07, guo walter <walter.d.guo.newsgroup@...> wrote:
>
>             Thanks for your answer, now it seems more clear. I
>             downloaded hardened-livecd-2005.1.iso, but I can not use
>             rlpkg to re-label directly from the livecd system.
>
>             How about this idea:
>                (1) cp -a / to a USB storage disk with a jfs file system
>                (2) mount the USB storage jfs file system
>                (3) rlpkg -a -r
>                (4) boot from the hardened-livecd-2005.1.iso, cp -a the
>             newly labeled system back.
>             Can these steps solve the problem?
>
>
>             Walter
>
>
>
>
>             On 9/11/07, Remy Bosch <remybosch@...> wrote:
>
>                 guo walter wrote:
>                 > Yep, my question should be the same thing with the
>                 > thread, and it seems there is no clear solution by now,
>                 > doesn't it?
>
>                 Alas, no. Not as simple as in the past without selinux ;)
>                 The thing here is that at some point you have a running
>                 system, but there are a few directories/files that need
>                 labeling, which cannot be done straightforwardly, because
>                 they're in use. You need the bare filesystem as-is, so
>                 mount your root somewhere else and label them as wanted.
>                 It takes care of the first warnings. After that, you'll
>                 have to ask/read around as information is a bit
>                 fragmented. There isn't a full easy howto yet, though
>                 there are some very good starter points - sorry, I don't
>                 have the addresses at hand here.
>
>                 Good luck,
>
>
>                 Remy
>
>                 --
>                 gentoo-hardened@g.o
>                 <mailto:gentoo-hardened@g.o> mailing list
>
>
>
>
>

-- 
gentoo-hardened@g.o mailing list
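As an added example (not code from the thread or from Gentoo), a small Python triage script that parses the "avc: denied" lines quoted above out of dmesg and groups them by source type, target type, class and permissions. The three category names and the rule that a target of type unlabeled_t is a labeling problem (fixable by relabeling, as the thread discusses) rather than a policy gap are my own assumptions; the sample input is the five lines from the post, joined back onto single lines.

```python
import re
from collections import Counter

# The five AVC lines quoted in the thread, one per line (taken from the post).
SAMPLE_DMESG = """\
audit(1190258497.269:262): avc:  denied  { read write } for  pid=27657 comm="firefox-bin" name="tty1" dev=tmpfs ino=1197 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
audit(1190258497.269:263): avc:  denied  { execstack } for  pid=27657 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
audit(1190258497.269:264): avc:  denied  { execmod } for  pid=27657 comm="firefox-bin" name=" libGL.so.1.2" dev=sda5 ino=189890 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1190258497.769:265): avc:  denied  { setattr } for  pid=27657 comm="firefox-bin" name=".gnome2_private" dev=sda5 ino=791500 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
audit(1190258497.769:266): avc:  denied  { getattr } for  pid=27657 comm="firefox-bin" name="Fonts" dev=sda2 ino=47 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_avc(line):
    """Parse one 'avc: denied' line into a dict; return None for other kernel lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        # strip() removes the stray leading blank seen in name=" libGL.so.1.2"
        rec[key] = (quoted if quoted else bare).strip()
    return rec

def type_of(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def classify(rec):
    """Coarse triage (assumed categories): label problem, memory protection, or policy."""
    if type_of(rec["tcontext"]) == "unlabeled_t":
        return "labeling"           # target carries no label: relabel it, no policy change
    if set(rec["perms"]) & {"execmod", "execstack", "execmem", "execheap"}:
        return "memory-protection"  # process wants writable+executable memory
    return "policy"                 # access the policy forbids: review before allowing

def summarize(dmesg_text):
    """Count denials by (category, source type, target type, class, permissions)."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (classify(rec), type_of(rec["scontext"]),
                   type_of(rec["tcontext"]), rec["tclass"], rec["perms"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_DMESG).most_common():
        print(n, *key)
```

Feed it the real `dmesg` output instead of SAMPLE_DMESG to see which of the remaining denials are labeling leftovers from the /dev relabeling and which need a boolean or policy decision.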


Updated Jun 17, 2009
Copyright 2001-2007 Gentoo Foundation, Inc. Questions, Comments? Email www@gentoo.org.