On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> I have just installed selinux on my gentoo box, and getting difficulties in
> permissive mode. If someone can have a look at this and point me
> somewhere...
>
> Emerge doesn't work if I run it from terminal in X11 - it call traces,
> can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for
> pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file

Looking at this first message already shows something weird: it says that
the source context is "system_u:system_r:portage_fetch_t", whereas this
should be either "staff_u:sysadm_r:portage_fetch_t" or
"root:sysadm_r:portage_fetch_t".

[...]
> I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> emerge something.
> Of course from raw console a.k.a. non X env, emerging works.
[...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t

It looks like there is no proper transitioning after logon.

First, make sure you ran "dispatch-conf" or "etc-update" to make sure
changes are made to your PAM configuration files.

Next, for the graphical logon (including GDM), you might need to manually
update to add in pam_selinux.so (see
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)

Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
user_u, but then you won't be able to administer the system), or if you log
on as root, probably the "root" SELinux user.

Only then can we go further. And as already mentioned, it's "newrole -r
sysadm_r" as we need to change our (operational) role towards the system
administration role.

Wkr,
Sven Vermeulen
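The check Sven describes (an interactive admin session should show staff_u or root with role sysadm_r, never system_u:system_r) can be scripted. This is an added example, not code from the thread; the AVC line and context strings are constructed samples modelled on the message, so it runs without SELinux, and on a real box you would feed it "$(id -Z)" instead.

```sh
#!/bin/sh
# Split an SELinux context "user:role:type[:level]" into its first fields.
ctx_user() { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role() { printf '%s\n' "$1" | cut -d: -f2; }

# Return 0 when the context has the shape of a properly transitioned
# administrative session: SELinux user staff_u or root, role sysadm_r.
# A system_u:system_r context here means the logon never transitioned.
admin_ctx_ok() {
    case "$(ctx_user "$1")" in
        staff_u|root) ;;
        *) return 1 ;;
    esac
    [ "$(ctx_role "$1")" = "sysadm_r" ]
}

# Extract the scontext= field from a single AVC denial line.
avc_scontext() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p'
}

# Human-readable verdict for one "id -Z" style context string.
check_session() {
    if admin_ctx_ok "$1"; then
        echo "ok: $1"
    else
        echo "no proper transition: $1 (expected staff_u or root, role sysadm_r)"
    fi
}

# Constructed sample inputs (modelled on the thread, not captured from a box).
AVC_LINE='type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file'
BAD_CTX='system_u:system_r:sysadm_t'
GOOD_CTX='staff_u:sysadm_r:sysadm_t'

# The denial's source context inherits the untransitioned session context.
check_session "$(avc_scontext "$AVC_LINE")"
check_session "$BAD_CTX"
check_session "$GOOD_CTX"
```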