| 1 |
Chris PeBenito wrote: |
| 2 |
|
| 3 |
> On Tue, 2007-03-06 at 15:33 -0500, Mike Edenfield wrote: |
| 4 |
|
| 5 |
> Sorry for the slow response. These messages are likely due to the |
| 6 |
> static device nodes under a udev /dev. There isn't a good way to |
| 7 |
> automatically relabel these device nodes. The best way would be to |
| 8 |
> reboot with udev temporarily disabled, then do `restorecon -R /dev`, |
| 9 |
> then boot up with udev reenabled. I believe gentoo=noudev on the kernel |
| 10 |
> command line will still disable udev during booting. Alternatively you |
| 11 |
> can use the RC_DEVICES setting in /etc/conf.d/rc to enable or disable |
| 12 |
> udev on boot. |
| 13 |
|
| 14 |
Thanks for this, and also to the person who wrote the |
| 15 |
previous reply recommending a static /dev. (I meant to |
| 16 |
reply sooner but have been on vacation). This actually |
| 17 |
eliminated a big chunk of my problems. |
| 18 |
|
| 19 |
I'm still hoping someone can point me to a more general |
| 20 |
tutorial on troubleshooting these types of errors. Now that |
| 21 |
I'm trying to get actual services running on the system, I'm |
| 22 |
obviously having more of them, and I don't want to waste |
| 23 |
this list's time trying to explain every one of them to me |
| 24 |
:x Things like this (two of which I assume are being |
| 25 |
generated because I'm running dhcpcd on this machine at boot): |
| 26 |
|
| 27 |
Mar 13 06:39:09 [kernel] audit(1173782339.840:57): avc: |
| 28 |
denied { write } for pid=2775 comm="runscript.sh" |
| 29 |
name="resolv.conf" dev=hda3 ino=1556987 |
| 30 |
scontext=system_u:system_r:initrc_t |
| 31 |
tcontext=system_u:object_r:net_conf_t tclass=file |
| 32 |
|
| 33 |
Mar 13 06:39:09 [kernel] audit(1173782339.850:58): avc: |
| 34 |
denied { setattr } for pid=2989 comm="chmod" |
| 35 |
name="resolv.conf" dev=hda3 ino=1556987 |
| 36 |
scontext=system_u:system_r:initrc_t |
| 37 |
tcontext=system_u:object_r:net_conf_t tclass=file |
| 38 |
|
| 39 |
Mar 13 06:39:09 [kernel] audit(1173782348.950:59): avc: |
| 40 |
denied { ptrace } for pid=4000 comm="pidof" |
| 41 |
scontext=system_u:system_r:initrc_t |
| 42 |
tcontext=system_u:system_r:init_t tclass=process |
| 43 |
|
| 44 |
Mar 13 06:39:09 [kernel] audit(1173782348.950:60): avc: |
| 45 |
denied { ptrace } for pid=4000 comm="pidof" |
| 46 |
scontext=system_u:system_r:initrc_t |
| 47 |
tcontext=system_u:system_r:kernel_t tclass=process |
| 48 |
|
| 49 |
Obviously, I can get rid of these by adding rules like this: |
| 50 |
|
| 51 |
allow initrc_t init_t:process ptrace; |
| 52 |
allow initrc_t kernel_t:process ptrace; |
| 53 |
allow initrc_t net_conf_t:file { setattr write }; |
| 54 |
|
| 55 |
My question is more theoretical, that is, is there a reason |
| 56 |
why those rules aren't *already* there? Is it normal to |
| 57 |
have to tweak the policy files right out of the box, or |
| 58 |
after installing a new ebuild, and I should feel "ok" with |
| 59 |
doing it? Or does it point to a bigger problem with my |
| 60 |
install that I messed up and need to fix? |
| 61 |
|
| 62 |
Thanks for being patient with me :) |
| 63 |
|
| 64 |
-- |
| 65 |
-- Mike |
| 66 |
|
| 67 |
Still using IE? Get Firefox! |
| 68 |
http://www.spreadfirefox.com/?q=affiliates&id=6492&t=1 |
| 69 |
-- |
| 70 |
gentoo-hardened@g.o mailing list |
Archives