| 1 |
On Sun, 18 Nov 2007 16:56:55 -0500 |
| 2 |
Bill Sharer <bsharer@××××××××××.com> wrote: |
| 3 |
|
| 4 |
> You can run the log through audit2why and audit2allow to get a feel |
| 5 |
> for what's going on in policy. Don't directly rely on audit2allow |
| 6 |
> since I think it still orients itself to the old modular example |
| 7 |
> policy and not refpolicy. |
| 8 |
> |
| 9 |
> Check your booleans. I spotted one thing right off the bat (urandom) |
| 10 |
> which is probably due to the boolean global_ssp not being true. This |
| 11 |
> should be true for gentoo systems, but for some reason, the ebuild |
| 12 |
> defaults it to false. |
| 13 |
> |
| 14 |
> Will Keaney wrote: |
| 15 |
> > I've just finished updating my SELinux VM, but still get a lot of |
| 16 |
> > avc denials in /var/log/syslog. |
| 17 |
> > What is the recommended method of changing |
| 18 |
> > the SELinux policy? I seem to remember PeBenito saying in IRC that |
| 19 |
> > editing the policy files directly is not recommended. |
| 20 |
> > |
| 21 |
> > On the off chance that someone has some insight into what might be |
| 22 |
> > causing these errors, I'm attaching the output of |
| 23 |
> > grep "Nov 18 16:2" /var/log/syslog | cut -d " " -f 7- | grep avc |
| 24 |
> > |
| 25 |
> > |
| 26 |
> > Thanks, |
| 27 |
> > |
| 28 |
> > Will Keaney |
| 29 |
> > uberpinguin |
| 30 |
> > |
| 31 |
> |
| 32 |
Thanks very much for the quick reply, it is very informative. |
| 33 |
I don't seem to have any booleans loaded, according to sestatus -v: |
| 34 |
SELinux status: enabled |
| 35 |
SELinuxfs mount: /selinux |
| 36 |
Current mode: permissive |
| 37 |
Mode from config file: permissive |
| 38 |
Policy version: 21 |
| 39 |
Policy from config file: strict |
| 40 |
|
| 41 |
Process contexts: |
| 42 |
Current context: root:sysadm_r:sysadm_t |
| 43 |
Init context: system_u:system_r:init_t |
| 44 |
/sbin/agetty system_u:system_r:getty_t |
| 45 |
/usr/sbin/sshd system_u:system_r:sshd_t |
| 46 |
|
| 47 |
File contexts: |
| 48 |
Controlling term: root:object_r:sysadm_tty_device_t |
| 49 |
/sbin/init system_u:object_r:init_exec_t |
| 50 |
/sbin/agetty system_u:object_r:getty_exec_t |
| 51 |
/bin/login system_u:object_r:login_exec_t |
| 52 |
/sbin/rc system_u:object_r:initrc_exec_t |
| 53 |
/sbin/runscript.sh system_u:object_r:initrc_exec_t |
| 54 |
/usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 55 |
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t |
| 56 |
/etc/passwd system_u:object_r:etc_t |
| 57 |
/etc/shadow system_u:object_r:shadow_t |
| 58 |
/bin/sh system_u:object_r:bin_t -> |
| 59 |
system_u:object_r:shell_exec_t /bin/bash |
| 60 |
system_u:object_r:shell_exec_t /usr/bin/newrole |
| 61 |
system_u:object_r:newrole_exec_t /lib/libc.so.6 |
| 62 |
system_u:object_r:lib_t -> |
| 63 |
system_u:object_r:shlib_t /lib/ld-linux.so.2 |
| 64 |
system_u:object_r:lib_t -> system_u:object_r:ld_so_t |
| 65 |
|
| 66 |
I don't see a command to load/change booleans though? |
| 67 |
|
| 68 |
Will |
Archives