| 1 |
From what I've seen, current Selinux policy has a number of 'issues', |
| 2 |
mainly because it is based on a reference policy that is now almost 2 |
| 3 |
years old. If you are willing to wait a bit, I would recommend running |
| 4 |
with Selinux in 'Permissive' mode for the time being. I am doing a lot |
| 5 |
of testing and working with PeBenito to get the current v2ref policy |
| 6 |
whipped into shape so that we can deploy it on Gentoo. It will |
| 7 |
necessitate an upgrade process and recompiling some stuff, but in my |
| 8 |
testing so far it seems to be working fairly nicely. |
| 9 |
|
| 10 |
I don't know when PeBenito plans to release the v2ref policy on Gentoo, |
| 11 |
but I've gotten the impression from talking to him that he'd rather it |
| 12 |
be sooner than later, if at all possible (that's just my impression, |
| 13 |
though; I wouldn't presume to speak for him). |
| 14 |
|
| 15 |
Later, |
| 16 |
Chris |
| 17 |
|
| 18 |
On 02/03/2010 11:05 PM, Jonathan wrote: |
| 19 |
> I'm trying to get Selinux to work on my desktop system, but I can not passed Udev in enforcing mode. |
| 20 |
> I have removed the date, time and type=1400 from all the log lines. |
| 21 |
> |
| 22 |
> audit(1264997163.292:3): avc: denied { execute_no_trans } for pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 23 |
> audit(1264997163.317:4): avc: denied { signal } for pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process |
| 24 |
> audit(1264997163.929:5): avc: denied { read } for pid=1004 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=373 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file |
| 25 |
> audit(1264997164.072:6): avc: denied { search } for pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir |
| 26 |
> audit(1264997164.072:7): avc: denied { read } for pid=1184 comm="lvm" name="cmdline" dev=proc ino=3832 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=file |
| 27 |
> audit(1264997164.165:8): avc: denied { getattr } for pid=1184 comm="lvm" path="/dev/shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir |
| 28 |
> audit(1264997164.165:9): avc: denied { read } for pid=1184 comm="lvm" name="shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir |
| 29 |
> audit(1264997164.319:10): avc: denied { read write } for pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file |
| 30 |
> audit(1264997168.627:22): avc: denied { read write } for pid=1365 comm="dmesg" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:tty_device_t tclass=chr_file |
| 31 |
> |
| 32 |
> As you can see it's all down hill from the first error. Is this because I'm over riding a profile mask on the multilib use flag? |
| 33 |
> |
| 34 |
> I'm running a AMD64 two core system using Gnome and the Slim login manager. |
| 35 |
> My Udev version is 151-r1. I was using the stable version and I was getting the same errors. |
| 36 |
> The profile I am using is Selinux/2007.0/Amd64. |
| 37 |
> My kernel is 2.6.31-gentoo-r10. |
| 38 |
> I used the Gentoo Selinux handbook[1] to setup well... Selinux, some parts of the hand book are years out of date. |
| 39 |
> |
| 40 |
> |
| 41 |
> [1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml |
| 42 |
> |
| 43 |
> |
| 44 |
> |
Archives