Philipp Riegger wrote:
>
> On 16.03.2007, at 17:40, Stephen Fromm wrote:
>
>> Aside from disabling selinux entirely with the kernel parameter
>> selinux=0 (as previously described), you can also run selinux in
>> permissive mode. In this case, it will allow anything and log what
>> would have been denied in enforcing mode.
>
> I wanted to try out SELinux but not lock me out of my system.
> Therefore I used permissive mode. Now the 100s of error messages in dmesg
>
> "
> audit(1175815400.344:300): avc: denied { read write } for pid=7223
> comm="su" name="access" dev=selinuxfs ino=6 ipaddr=*censored*
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t
> tclass=file
This looks wrong, maybe your filesystem needs relabelling?
> "
>
> got on my nerves, so I decided to disable SELinux until I find more
> time to read all the docs and solve these issues:
>
> "
> chris ~ # cat /proc/cmdline
> root=/dev/hda3 noexec=on selinux=0
> chris ~ # selinuxenabled && echo 1
selinux=0 is a kernel boot option which is normally always allowed
unless you tweaked the selinux options when compiling your kernel. It
does what it says on the tin, selinux would not be enabled and /selinux
could not be mounted if set to 0.
Are you sure selinux is still enabled?
ls /selinux
> 1
> "
>
> Well... looks like it did not work. Any idea what I could do?
>
> Philipp
> --gentoo-hardened@g.o mailing list
>
>

--
gentoo-hardened@g.o mailing list
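
The checks discussed in this thread, combined into one script. This is an added example and not part of the original messages. The function names and state labels are hypothetical, and it assumes a kernel with SELinux disabled does not list selinuxfs in /proc/filesystems (consistent with /selinux not being mountable).

```shell
#!/bin/sh
# Added example: cross-check the signals discussed in this thread.
# Paths are arguments so the logic can run on constructed files; the
# defaults are the real locations (/selinux is the mount point used here).

# Print the value of the last selinux= word on the command line, or "unset".
cmdline_selinux() {
    val=$(tr -s ' \t' '\n\n' < "$1" | sed -n 's/^selinux=//p' | tail -n 1)
    echo "${val:-unset}"
}

# selinux_state [CMDLINE] [FILESYSTEMS] [MOUNTPOINT]
selinux_state() {
    cmdline=${1:-/proc/cmdline}
    fslist=${2:-/proc/filesystems}
    mnt=${3:-/selinux}
    requested=$(cmdline_selinux "$cmdline")
    if ! grep -qw selinuxfs "$fslist" 2>/dev/null; then
        echo disabled              # assumption: no selinuxfs means SELinux is off
    elif [ "$requested" = 0 ]; then
        echo mismatch              # selinux=0 was passed but not honoured
    elif [ ! -r "$mnt/enforce" ]; then
        echo enabled-not-mounted
    elif [ "$(cat "$mnt/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Constructed sample reproducing the poster's situation: selinux=0 on the
# command line, yet selinuxfs is still registered and mounted.
demo_thread_case() {
    d=$(mktemp -d)
    echo 'root=/dev/hda3 noexec=on selinux=0' > "$d/cmdline"
    printf 'nodev\tproc\nnodev\tselinuxfs\n\text3\n' > "$d/filesystems"
    mkdir "$d/selinux" && echo 0 > "$d/selinux/enforce"
    selinux_state "$d/cmdline" "$d/filesystems" "$d/selinux"
    rm -rf "$d"
}

demo_thread_case    # prints: mismatch
```

Calling `selinux_state` with no arguments checks the running system. A `mismatch` result means the kernel ignored the boot option, which points at the kernel configuration rather than at policy or labelling.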