Chris PeBenito wrote:

> On Tue, 2007-03-06 at 15:33 -0500, Mike Edenfield wrote:

> Sorry for the slow response. These messages are likely due to the
> static device nodes under a udev /dev. There isn't a good way to
> automatically relabel these device nodes. The best way would be to
> reboot with udev temporarily disabled, then do `restorecon -R /dev`,
> then boot up with udev reenabled. I believe gentoo=noudev on the kernel
> command line will still disable udev during booting. Alternatively you
> can use the RC_DEVICES setting in /etc/conf.d/rc to enable or disable
> udev on boot.

Thanks for this, and also to the person who wrote the
previous reply recommending a static /dev. (I meant to
reply sooner but have been on vacation.) This actually
eliminated a big chunk of my problems.

I'm still hoping someone can point me to a more general
tutorial on troubleshooting these types of errors. Now that
I'm trying to get actual services running on the system, I'm
obviously having more of them, and I don't want to waste
this list's time trying to explain every one of them to me
:x Things like this (two of which I assume are being
generated because I'm running dhcpcd on this machine at boot):

Mar 13 06:39:09 [kernel] audit(1173782339.840:57): avc:
denied { write } for pid=2775 comm="runscript.sh"
name="resolv.conf" dev=hda3 ino=1556987
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:net_conf_t tclass=file

Mar 13 06:39:09 [kernel] audit(1173782339.850:58): avc:
denied { setattr } for pid=2989 comm="chmod"
name="resolv.conf" dev=hda3 ino=1556987
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:net_conf_t tclass=file

Mar 13 06:39:09 [kernel] audit(1173782348.950:59): avc:
denied { ptrace } for pid=4000 comm="pidof"
scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:init_t tclass=process

Mar 13 06:39:09 [kernel] audit(1173782348.950:60): avc:
denied { ptrace } for pid=4000 comm="pidof"
scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:kernel_t tclass=process

Obviously, I can get rid of these by adding rules like this:

allow initrc_t init_t:process ptrace;
allow initrc_t kernel_t:process ptrace;
allow initrc_t net_conf_t:file { setattr write };

My question is more theoretical, that is, is there a reason
why those rules aren't *already* there? Is it normal to
have to tweak the policy files right out of the box, or
after installing a new ebuild, and I should feel "ok" with
doing it? Or does it point to a bigger problem with my
install that I messed up and need to fix?

Thanks for being patient with me :)

--
-- Mike

Still using IE? Get Firefox!
http://www.spreadfirefox.com/?q=affiliates&id=6492&t=1
--
gentoo-hardened@g.o mailing list
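As an added illustration (not part of the thread, and not a Gentoo or refpolicy tool), the following script does by hand what the post does by eye: it parses kernel "avc: denied" lines, keeps only the type component of each security context, merges permissions per (source type, target type, class) triple, and prints candidate allow rules. The sample log is the post's four denials with the wrapped lines joined back together; the regex and the merging behaviour are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the post, each re-joined
# onto a single line (syslog wrapped them in the original message).
SAMPLE_LOG = """\
Mar 13 06:39:09 [kernel] audit(1173782339.840:57): avc: denied { write } for pid=2775 comm="runscript.sh" name="resolv.conf" dev=hda3 ino=1556987 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
Mar 13 06:39:09 [kernel] audit(1173782339.850:58): avc: denied { setattr } for pid=2989 comm="chmod" name="resolv.conf" dev=hda3 ino=1556987 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
Mar 13 06:39:09 [kernel] audit(1173782348.950:59): avc: denied { ptrace } for pid=4000 comm="pidof" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:init_t tclass=process
Mar 13 06:39:09 [kernel] audit(1173782348.950:60): avc: denied { ptrace } for pid=4000 comm="pidof" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=process
"""

# Matches the fields a rule needs: the permission set, both contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group('perms').split())
    # A context is user:role:type[:level]; the allow rule only names the type.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), perms


def suggest_rules(log_text):
    """Merge denials per (source, target, class) and render them as allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(suggest_rules(SAMPLE_LOG)))
```

The merged output is a starting point for review, not a policy: whether initrc_t should be granted these permissions, or whether the denial instead points to a mislabelled file or a script running in the wrong domain, is exactly the question the post raises.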