| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
Mike Edenfield schrieb: |
| 9 |
Markus |
| 10 |
Bartl wrote: |
| 11 |
|
| 12 |
|
| 13 |
Ok thats one thing. |
| 14 |
|
| 15 |
But the real nasty thing is the denial of write access to resolv.conf |
| 16 |
which leads to an improper network configuration. |
| 17 |
|
| 18 |
I would really be happy about any suggestions. |
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
What kind of network setup do you have in your conf.d/net file? It's |
| 23 |
not your dhcp client that is being denied access -- it's runscript.sh |
| 24 |
itself. Your dhcp client should be running it its own context |
| 25 |
(dhcpc_t) which has the proper access. |
| 26 |
|
| 27 |
|
| 28 |
And, as always, if the policy on your system is missing something you |
| 29 |
need to boot, it's fairly straightforward to make a local policy |
| 30 |
module. You can then use audit2allow and pipe those avc messages |
| 31 |
through it. A good tutorial can be found here: |
| 32 |
|
| 33 |
|
| 34 |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=5 |
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
Ok. I wrote the following policy:
|
| 39 |
|
| 40 |
policy_module(boot,1.0)
|
| 41 |
|
| 42 |
require {
|
| 43 |
type initrc_t, net_conf_t;
|
| 44 |
}
|
| 45 |
|
| 46 |
allow initrc_t net_conf_t:file { setattr write };
|
| 47 |
|
| 48 |
I compiled it and added it to the existing policy using semodule -i |
| 49 |
boot.pp
|
| 50 |
That did what it should :-)
|
| 51 |
Maybe this should be included in the base-policy shipped with gentoo.
|
| 52 |
|
| 53 |
My next step is setting up a dhcp- and a nameserver on this machine.
|
| 54 |
|
| 55 |
Regards,
|
| 56 |
Markus
|
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
|
| 63 |
|
Archives