Matt Harrison wrote:

Matt Harrison wrote:

max wrote:

Matt Harrison wrote:

max wrote:

Matt Harrison wrote:

Matt Harrison wrote:
I previously installed a virtual machine with SELinux etc. to see if I
could get my head round it and it all worked fine.

Actually this isn't true; when enabling enforce on my test machine it
locks me out of everything as well.

This is a complete mystery to me and quite disappointing.
Set SELinux to permissive and check the logs when the box comes up.
Thanks for the reply,

OK, firstly if I boot up in enforcing mode it halts saying something
like access to /sbin/init was denied.

If I boot up permissive I get tonnes of denied messages in dmesg.
There are far too many to list so I've attached a trimmed dmesg output,
starting from the first related message.

From my untrained eye looking over these messages it seems that a lot of
core system stuff is being denied access; why, I have no clue. Everything
should be labelled and set up according to the Gentoo SELinux howto.

Grateful for any input.

Thanks

Matt
Do you happen to have the build.conf file for your policy? I am still
working on building my Gentoo box, I mainly run Fedora, but I notice
that, at least on Fedora, the following is set to allow (from your dmesg):

security: class peer not defined in policy
security: class capability2 not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission setfcap in class capability not defined in policy
security: permission flow_in in class packet not defined in policy
security: permission flow_out in class packet not defined in policy
security: permission forward_in in class packet not defined in policy
security: permission forward_out in class packet not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.

SELinux: policy loaded with handle_unknown=deny

If I compile a policy on Fedora this is always set to allow; if not I
usually run into problems like you're having. I don't know enough about
Gentoo to know if this is supposed to be this way here or not; perhaps
someone else can supply the answer. The description in the build.conf file:

# Unknown Permissions Handling
# The behavior for handling permissions defined in the
# kernel but missing from the policy. The permissions
# can either be allowed, denied, or the policy loading
# can be rejected.
# allow, deny, and reject are current options.

You could try recompiling the policy with this set to allow; that, I
think, should resolve the issue for you, but I don't really know how
different the default Fedora and Gentoo policies are, so take it with a
grain of salt. Aside from that I could only suggest running the denials
through audit2allow, but I think changing that option there is
your best bet. You're showing quite a few things not defined in policy and
they are getting denied.

UNK_PERMS=allow

-Max
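As an added example (not code from the thread or from the Gentoo/refpolicy tools), here is a small Python checker that parses the kernel lines Max quotes above (the "not defined in policy" messages and the "handle_unknown=" line) together with the UNK_PERMS setting from build.conf, and reports whether that combination will refuse the unknown classes and permissions at boot. The sample dmesg lines are a subset of the ones quoted above; the build.conf fragment is constructed for the example.

```python
import re

# Kernel messages as quoted in the thread (embedded so the script runs offline).
SAMPLE_DMESG = """\
security: class peer not defined in policy
security: class capability2 not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission setfcap in class capability not defined in policy
SELinux: Completing initialization.
SELinux: policy loaded with handle_unknown=deny
"""
# Constructed build.conf fragment, still at the value that produced the log above.
SAMPLE_BUILD_CONF = "# Unknown Permissions Handling\nUNK_PERMS=deny\n"

CLASS_RE = re.compile(r"security: class (\S+) not defined in policy")
PERM_RE = re.compile(r"security: permission (\S+) in class (\S+) not defined in policy")
MODE_RE = re.compile(r"SELinux: policy loaded with handle_unknown=(\w+)")

def parse_boot_log(text):
    """Collect classes/permissions the kernel knows but the policy lacks, plus the handling mode."""
    report = {"classes": [], "perms": [], "handle_unknown": None}
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            report["classes"].append(m.group(1))
        elif m := PERM_RE.search(line):
            report["perms"].append((m.group(2), m.group(1)))  # (class, permission)
        elif m := MODE_RE.search(line):
            report["handle_unknown"] = m.group(1)
    return report

def build_conf_unk_perms(text):
    """Return the UNK_PERMS value from a build.conf, or None when it is not set."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "UNK_PERMS":
            return value.strip()
    return None

def assess(report):
    """Classify what the kernel will do with the undefined entries under the loaded policy."""
    missing = len(report["classes"]) + len(report["perms"])
    mode = report["handle_unknown"]
    if missing == 0:
        return "ok", "policy defines every class and permission the kernel knows"
    if mode == "deny":
        return "lockout", f"{missing} undefined and handle_unknown=deny refuses them; rebuild with UNK_PERMS=allow"
    if mode == "allow":
        return "tolerated", f"{missing} undefined but handle_unknown=allow lets them through"
    return "unknown", f"{missing} undefined and no handle_unknown line seen"
```

On a live box, feed `assess(parse_boot_log(dmesg_text))` the output of `dmesg` and compare with `build_conf_unk_perms(open(path).read())`; the kernel's effective setting can also be read from /sys/fs/selinux/deny_unknown (1 means unknown permissions are denied).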
This is a totally standard policy, I haven't modified anything since the
emerges. Since I haven't modified anything I'm not sure where to find
the build.conf. Where might I be able to find it?

Thanks

Matt
Scratch that, I've found it at
/usr/share/selinux/strict/include/build.conf. See attached.

Thanks

Matt
I know this won't help, but I got exactly the same
issue.
If I try to boot in enforcing mode, init is blocked and the boot
sequence stops.
My build.conf looks exactly the same as Matt's.
Any ideas would be really welcome. I really want to give SELinux a
chance, but things get lost in the basics :-(

Regards,
Markus