| 1 |
Philipp Riegger a écrit : |
| 2 |
> |
| 3 |
> On 16.03.2007, at 17:40, Stephen Fromm wrote: |
| 4 |
> |
| 5 |
>> Aside from disabling selinux entirely with the kernel paramater |
| 6 |
>> selinux=0 (as previously described), you can also run selinux in |
| 7 |
>> permissive mode. In this case, it will allow anything and log what |
| 8 |
>> would have been denied in enforcing mode. |
| 9 |
> |
| 10 |
> I wanted to try out SELinux but not lock me out of my system. |
| 11 |
> Therefore i used permissive mode. Now the 100s of error messages in dmesg |
| 12 |
> |
| 13 |
> " |
| 14 |
> audit(1175815400.344:300): avc: denied { read write } for pid=7223 |
| 15 |
> comm="su" name="access" dev=selinuxfs ino=6 ipaddr=*censored* |
| 16 |
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t |
| 17 |
> tclass=file |
| 18 |
This looks wrong, maybe you filesystem needs relabelling? |
| 19 |
> " |
| 20 |
> |
| 21 |
> got on my nerves, so i decided to disable SELinux until i find more |
| 22 |
> time to read all the docs and solve theese issues: |
| 23 |
> |
| 24 |
> " |
| 25 |
> chris ~ # cat /proc/cmdline |
| 26 |
> root=/dev/hda3 noexec=on selinux=0 |
| 27 |
> chris ~ # selinuxenabled && echo 1 |
| 28 |
selinux=0 is a kernel boot option which is normally always allowed |
| 29 |
unless you tweaked the selinux options when compiling your kernel. It |
| 30 |
does what it says on the tin, selinux would not be enabled and /selinux |
| 31 |
could not be mounted if set to 0. |
| 32 |
Are you sure selinux is still enabled? |
| 33 |
ls /selinux |
| 34 |
> 1 |
| 35 |
> " |
| 36 |
> |
| 37 |
> Well... looks like it did not work. Any idea what i could do? |
| 38 |
> |
| 39 |
> Philipp |
| 40 |
> --gentoo-hardened@g.o mailing list |
| 41 |
> |
| 42 |
> |
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-hardened@g.o mailing list |
Archives