Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <swift@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] selinux novice
Date: Sat, 21 Jul 2012 20:01:58
Message-Id: 20120721171444.GA12900@gentoo.org
In Reply to: [gentoo-hardened] selinux novice by Ivan Gooten
On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> I have just installed selinux on my gentoo box, and getting difficulties in
> permissive mode. If someone can have a look at this and point me
> somewhere...
>
> Emerge doesn't work if I run it from terminal in X11 - it call traces,
> can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for
> pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file

Looking at this first message already shows something weird: it says that
the source context is "system_u:system_r:portage_fetch_t", whereas this
should be either "staff_u:sysadm_r:portage_fetch_t" or
"root:sysadm_r:portage_fetch_t".

[...]
> I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> emerge something.
> Of course from raw console a.k.a. non X env, emerging works.
[...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t

It looks like there is no proper transitioning after logon.

First, make sure you ran "dispatch-conf" or "etc-update" to make sure
changes are made to your PAM configuration files.

Next, for the graphical logon (including GDM), you might need to manually
update to add in pam_selinux.so (see
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)

Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
user_u, but then you won't be able to administer the system), or if you log
on as root, probably the "root" SELinux user.

Only then can we go further. And as already mentioned, it's "newrole -r
sysadm_r" as we need to change our (operational) role towards the system
administration role.

Wkr,
Sven Vermeulen
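The checks Sven walks through (is the login context a real user such as staff_u or root rather than system_u, is the sysadm_r role active, does the AVC denial's source context show the same symptom, and does the display manager's PAM stack load pam_selinux.so) can be scripted. The script below is an added example for this thread, not code from the list or from Gentoo; the AVC line and `id -Z` output are copied from the quoted mail, while the two PAM stacks are constructed samples and the `multiple` argument on the pam_selinux.so line is an assumption about what such a stack looks like, not a line taken from the handbook.

```shell
#!/bin/sh
# Added example: sanity checks for the "no transition after logon" symptom.
# Contexts have the form user:role:type[:level]; ctx_field prints one part.
ctx_field() {
  # $1 = context, $2 = field number (1 = SELinux user, 2 = role, 3 = type)
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# 0 if the SELinux user of a context is an interactive login user
# (staff_u, user_u or root); 1 for system_u, which means the login
# never transitioned (the symptom in the thread).
login_ctx_ok() {
  case "$(ctx_field "$1" 1)" in
    staff_u|user_u|root) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the context carries the sysadm_r role ("newrole -r sysadm_r").
is_sysadm_role() {
  [ "$(ctx_field "$1" 2)" = "sysadm_r" ]
}

# Pull the scontext= value out of an AVC denial line from dmesg/audit.log.
avc_scontext() {
  printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p'
}

# Print "untransitioned" when the denial's source context belongs to
# system_u, "ok" otherwise.
avc_classify() {
  sc=$(avc_scontext "$1")
  if [ "$(ctx_field "$sc" 1)" = "system_u" ]; then
    printf 'untransitioned\n'
  else
    printf 'ok\n'
  fi
}

# 0 if a PAM stack (passed as text) loads pam_selinux.so on a non-comment line.
pam_stack_has_selinux() {
  printf '%s\n' "$1" | grep -q '^[^#]*pam_selinux\.so'
}

# Sample input copied from the quoted mail.
SAMPLE_AVC='type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file'
SAMPLE_ID_Z='system_u:system_r:sysadm_t'
GOOD_ID_Z='staff_u:sysadm_r:sysadm_t'

# Constructed PAM stacks (hypothetical content, not a real /etc/pam.d file).
PAM_WITHOUT='auth     required pam_unix.so
session  required pam_unix.so'
PAM_WITH='auth     required pam_unix.so
session  required pam_unix.so
session  required pam_selinux.so multiple'

report() {
  printf 'AVC source context: %s\n' "$(avc_classify "$SAMPLE_AVC")"
  if login_ctx_ok "$SAMPLE_ID_Z"; then
    echo "id -Z: login user OK"
  else
    echo "id -Z: still system_u, login did not transition"
  fi
  is_sysadm_role "$SAMPLE_ID_Z" && echo "id -Z: sysadm_r role active"
  pam_stack_has_selinux "$PAM_WITHOUT" || echo "PAM stack lacks pam_selinux.so"
  pam_stack_has_selinux "$PAM_WITH" && echo "PAM stack loads pam_selinux.so"
}

# Only run the report when executed directly, so the functions can be sourced.
[ "${0##*/}" = "selinux-login-check.sh" ] && report
```

On a real system, feed the functions live data instead of the samples: `login_ctx_ok "$(id -Z)"`, `pam_stack_has_selinux "$(cat /etc/pam.d/gdm)"`, or loop `avc_classify` over `dmesg | grep 'avc: denied'`. A system_u result on either the login context or the denial is the cue to revisit the PAM configuration step before looking at policy.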

Replies: Re: [gentoo-hardened] selinux novice, by Ivan Gooten