Mike Edenfield schrieb:
> Markus Bartl wrote:
> >
> > Ok, that's one thing.
> >
> > But the real nasty thing is the denial of write access to resolv.conf
> > which leads to an improper network configuration.
> >
> > I would really be happy about any suggestions.
>
> What kind of network setup do you have in your conf.d/net file? It's
> not your dhcp client that is being denied access -- it's runscript.sh
> itself. Your dhcp client should be running in its own context
> (dhcpc_t) which has the proper access.
>
> And, as always, if the policy on your system is missing something you
> need to boot, it's fairly straightforward to make a local policy
> module. You can then use audit2allow and pipe those avc messages
> through it. A good tutorial can be found here:
>
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=5

Ok. I wrote the following policy:

policy_module(boot, 1.0)

require {
        type initrc_t, net_conf_t;
}

# runscript.sh runs as initrc_t and has to rewrite resolv.conf (net_conf_t)
allow initrc_t net_conf_t:file { setattr write };

I compiled it and added it to the existing policy using semodule -i boot.pp
That did what it should :-)
Maybe this should be included in the base-policy shipped with gentoo.

My next step is setting up a dhcp server and a nameserver on this machine.

Regards,
Markus
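As an added example, not code from the thread or from the Gentoo handbook: a minimal stand-in for the audit2allow step Mike describes, run over constructed AVC lines. It reads the refused domain from scontext rather than from the comm= field (so the granted dhcpc_t line yields no rule) and prints a module in the same shape as the one posted above.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines, not taken from the thread. The contexts mirror the
# case discussed: runscript.sh (initrc_t) denied write/setattr on resolv.conf
# (net_conf_t), plus a granted dhcpcd (dhcpc_t) access that must yield no rule.
SAMPLE_AVCS = """\
audit(1136000000.001:42): avc:  denied  { write } for  pid=1234 comm="runscript.sh" name="resolv.conf" dev=hda3 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1136000000.002:43): avc:  denied  { setattr } for  pid=1234 comm="runscript.sh" name="resolv.conf" dev=hda3 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1136000000.003:44): avc:  granted  { write } for  pid=1300 comm="dhcpcd" name="resolv.conf" dev=hda3 ino=12345 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:net_conf_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Return (source_domain, target_type, class, permission) for every denied
    AVC line; granted lines are skipped. The type is the third field of a
    user:role:type[:level] context, so the domain actually being refused is
    read from scontext rather than guessed from the comm= field."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        sdom = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        for perm in m.group("perms").split():
            denials.append((sdom, ttype, m.group("tclass"), perm))
    return denials


def build_module(name, version, denials):
    """Emit a module in the shape of the one posted above: one require block
    listing every type used, one allow rule per (source, target, class)."""
    rules = defaultdict(set)
    for sdom, ttype, tclass, perm in denials:
        rules[(sdom, ttype, tclass)].add(perm)
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"policy_module({name}, {version})", "", "require {",
           f"    type {', '.join(types)};", "}", ""]
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module("boot", "1.0", parse_denials(SAMPLE_AVCS)), end="")
```

Before loading such a module, compare the generated allow rule with the domain you expected to see denied; a rule for the wrong domain (here initrc_t instead of dhcpc_t) points at a configuration problem rather than a missing policy rule.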