From what I've seen, current SELinux policy has a number of 'issues',
mainly because it is based on a reference policy that is now almost 2
years old. If you are willing to wait a bit, I would recommend running
with SELinux in 'Permissive' mode for the time being. I am doing a lot
of testing and working with PeBenito to get the current v2ref policy
whipped into shape so that we can deploy it on Gentoo. It will
necessitate an upgrade process and recompiling some stuff, but in my
testing so far it seems to be working fairly nicely.

I don't know when PeBenito plans to release the v2ref policy on Gentoo,
but I've gotten the impression from talking to him that he'd rather it
be sooner than later, if at all possible (that's just my impression,
though; I wouldn't presume to speak for him).

Later,
Chris

On 02/03/2010 11:05 PM, Jonathan wrote:
> I'm trying to get SELinux to work on my desktop system, but I cannot get past Udev in enforcing mode.
> I have removed the date, time and type=1400 from all the log lines.
>
> audit(1264997163.292:3): avc: denied { execute_no_trans } for pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
> audit(1264997163.317:4): avc: denied { signal } for pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process
> audit(1264997163.929:5): avc: denied { read } for pid=1004 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=373 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
> audit(1264997164.072:6): avc: denied { search } for pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir
> audit(1264997164.072:7): avc: denied { read } for pid=1184 comm="lvm" name="cmdline" dev=proc ino=3832 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=file
> audit(1264997164.165:8): avc: denied { getattr } for pid=1184 comm="lvm" path="/dev/shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
> audit(1264997164.165:9): avc: denied { read } for pid=1184 comm="lvm" name="shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
> audit(1264997164.319:10): avc: denied { read write } for pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
> audit(1264997168.627:22): avc: denied { read write } for pid=1365 comm="dmesg" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
>
> As you can see it's all downhill from the first error. Is this because I'm overriding a profile mask on the multilib use flag?
>
> I'm running an AMD64 two-core system using Gnome and the Slim login manager.
> My Udev version is 151-r1. I was using the stable version and I was getting the same errors.
> The profile I am using is Selinux/2007.0/Amd64.
> My kernel is 2.6.31-gentoo-r10.
> I used the Gentoo SELinux handbook[1] to set up, well... SELinux; some parts of the handbook are years out of date.
>
> [1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml