Hi, I installed selinux to try it out, and I have several problems. Since I am
running it on a workstation -- I know, workstations are not supported yet --
I am using permissive mode:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17

Policy booleans:
user_ping inactive

1. After I su to root and try /etc/init.d/xxx restart, I get:

cannot find your entry in the passwd file.
authentication failed.

But if I log in from the console, then it works ok. I made sure I installed the selinux
version of the required packages. su doesn't seem to change the roles/types..
I tried newrole, but got the same error. What am I missing?

2. I had moved several portage directories to some other partitions. Because
of that this happens:

euse -i selinux
EUSE exiting with following errors:
requires read permissions for /etc/make.profile/../use.desc.
requires read permissions for /etc/make.profile/../use.local.desc.

This may be related to the symlink-following security restriction in the kernel.
Is there a workaround to this problem? I started grepping use.desc manually.

3. Several times I had to go and modify /etc/make.profile/virtuals. The default
virtuals file only has:

virtual/bootloader sys-boot/grub
virtual/linux-sources sys-kernel/selinux-sources
virtual/ruby dev-lang/ruby

I can't emerge update system! e.g. I had to add "virtual/glibc
sys-libs/glibc" by hand as a fourth entry, and even more is required. I
considered copying some other virtuals over this one, but it will go away
after the next emerge sync. I have the latest portage 2.0.50-r6.

4. Is there a graphical tool to create custom .fc, .te? Any pointer to sample
policy creation? I will go ahead and try to vi some, but it would be nice to have
one guide. Any directions on posting new custom security policies, or
obtaining test versions from a pool, would also help.

5. How much overhead does labeling create on a filesystem with millions of files?
If I ever want to remove those xattrs from a filesystem, how can I unlabel
those millions of files, if there is any way to reclaim the space those extended
attributes sit on?

Best,
Emre

--
gentoo-hardened@g.o mailing list