| 1 |
ok so now I get it a bit, anyway selinux is still misconfigured here. |
| 2 |
I've created a pastebin with my current denials, if could you look at it: |
| 3 |
http://pastebin.com/uNRcaeUT |
| 4 |
|
| 5 |
and semodule -l prints out: |
| 6 |
------ |
| 7 |
alsa 1.11.0 |
| 8 |
application 1.2.0 |
| 9 |
arpwatch 1.10.0 |
| 10 |
authlogin 2.3.0 |
| 11 |
automount 1.13.0 |
| 12 |
bootloader 1.13.0 |
| 13 |
cgroup 1.1.0 |
| 14 |
clock 1.6.0 |
| 15 |
consolekit 1.8.0 |
| 16 |
consoletype 1.10.0 |
| 17 |
courier 1.12.0 |
| 18 |
cpufreqselector 1.3.0 |
| 19 |
cron 2.4.0 |
| 20 |
daemontools 1.2.0 |
| 21 |
dbus 1.16.0 |
| 22 |
dhcp 1.9.0 |
| 23 |
dmesg 1.3.0 |
| 24 |
dnsmasq 1.9.0 |
| 25 |
fstools 1.15.0 |
| 26 |
getty 1.9.0 |
| 27 |
gnome 2.2.0 |
| 28 |
gpg 2.5.0 |
| 29 |
gpm 1.8.0 |
| 30 |
hostname 1.7.0 |
| 31 |
hotplug 1.15.0 |
| 32 |
init 1.18.0 |
| 33 |
iptables 1.13.0 |
| 34 |
java 2.5.0 |
| 35 |
libraries 2.8.0 |
| 36 |
locallogin 1.11.0 |
| 37 |
logging 1.18.0 |
| 38 |
logrotate 1.14.0 |
| 39 |
lvm 1.13.0 |
| 40 |
miscfiles 1.9.0 |
| 41 |
modutils 1.12.0 |
| 42 |
mono 1.8.0 |
| 43 |
mount 1.14.0 |
| 44 |
mozilla 2.5.0 |
| 45 |
mplayer 2.4.0 |
| 46 |
mta 2.4.0 |
| 47 |
netutils 1.11.0 |
| 48 |
networkmanager 1.14.0 |
| 49 |
nscd 1.10.0 |
| 50 |
openvpn 1.11.0 |
| 51 |
policykit 1.2.0 |
| 52 |
portage 1.12.0 |
| 53 |
privoxy 1.11.0 |
| 54 |
psad 1.0.0 |
| 55 |
qemu 1.6.0 |
| 56 |
qmail 1.5.0 |
| 57 |
raid 1.11.0 |
| 58 |
rsync 1.11.0 |
| 59 |
samba 1.14.0 |
| 60 |
screen 2.5.0 |
| 61 |
selinuxutil 1.16.0 |
| 62 |
ssh 2.3.0 |
| 63 |
staff 2.3.0 |
| 64 |
storage 1.10.0 |
| 65 |
su 1.12.0 |
| 66 |
sudo 1.9.0 |
| 67 |
sysadm 2.4.0 |
| 68 |
sysnetwork 1.13.0 |
| 69 |
thunderbird 2.3.0 |
| 70 |
tor 1.8.0 |
| 71 |
ucspitcp 1.3.0 |
| 72 |
udev 1.14.0 |
| 73 |
ulogd 1.2.0 |
| 74 |
unconfined 3.4.0 |
| 75 |
unprivuser 2.3.0 |
| 76 |
userdomain 4.7.0 |
| 77 |
usermanage 1.17.0 |
| 78 |
virt 1.4.0 |
| 79 |
wine 1.10.0 |
| 80 |
wireshark 2.3.0 |
| 81 |
xdg 1.0.0 |
| 82 |
xfs 1.6.0 |
| 83 |
xscreensaver 1.1.0 |
| 84 |
xserver 3.7.0 |
| 85 |
------ |
| 86 |
|
| 87 |
thanks |
| 88 |
|
| 89 |
Ivan |
| 90 |
|
| 91 |
On Sun, Jul 22, 2012 at 6:07 PM, Sven Vermeulen <swift@g.o> wrote: |
| 92 |
|
| 93 |
> On Sun, Jul 22, 2012 at 01:55:08PM +0200, Ivan Gooten wrote: |
| 94 |
> [...] |
| 95 |
> > which results in console for user root context like |
| 96 |
> > "root:sysadm_r:sysadm_t", |
| 97 |
> |
| 98 |
> That's good. |
| 99 |
> |
| 100 |
> > whereas in X11 terminal, (after switching from ivan user to root by su -) |
| 101 |
> > -> "staff_u:staff_r:staff_t". |
| 102 |
> |
| 103 |
> That's almost good ;-) |
| 104 |
> |
| 105 |
> > I understand that in X11 term I'll have to "newrole -r sysadm_r" for root |
| 106 |
> > everytime, when I will want to administrate the system? |
| 107 |
> |
| 108 |
> Yes, you need to switch roles (first switch roles, then use su(do)) every |
| 109 |
> time you need to do administrative changes (or queries) on the system. The |
| 110 |
> staff_r role is for regular operations (user) whereas sysadm_r is for |
| 111 |
> system |
| 112 |
> administration. |
| 113 |
> |
| 114 |
> > And what about the context's difference between root (root:...) logged |
| 115 |
> from |
| 116 |
> > console and root (staff_u:...) logged via x11 terminal - is that wrong? |
| 117 |
> |
| 118 |
> No, that's not wrong. If you log on directly as root, then your SELinux |
| 119 |
> user |
| 120 |
> (the first part in the context) is "root". If you log on as someone else, |
| 121 |
> you get that SELinux user (such as "staff_u") which remains throughout your |
| 122 |
> session (SELinux users don't change, even when you do "su"). |
| 123 |
> |
| 124 |
> Wkr, |
| 125 |
> Sven Vermeulen |
| 126 |
> |
| 127 |
> |
Archives