Hi.

When I tried to analyze booleans, I used http://linux.die.net/man/8/

It does not describe each boolean option, but if you take a look at a
Linux option (see for instance nfs_selinux), you will find the
associated booleans with their goals.

In my opinion, you can also take a look at the SELinux sources, as
most of the time:
- boolean names are quite explicit
- looking at the rules allowed by the boolean gives clues about the
boolean's goal.

For courier-imap and sasl booleans, you can also take a look at the
documentation I made about the policies (see my previous messages on
the list, talking about policy upgrade proposals).

Julien.

Will Keaney wrote:
> On Sun, 18 Nov 2007 18:25:17 -0500
> Bill Sharer <bsharer@××××××××××.com> wrote:
>
>> The booleans are in /selinux/booleans
>>
>> Use setsebool to change their value and/or make it permanent.
>>
>> Will Keaney wrote:
>>> On Sun, 18 Nov 2007 16:56:55 -0500
>>> Bill Sharer <bsharer@××××××××××.com> wrote:
>>>
>>>> You can run the log through audit2why and audit2allow to get a feel
>>>> for what's going on in policy. Don't directly rely on audit2allow
>>>> since I think it still orients itself to the old modular example
>>>> policy and not refpolicy.
>>>>
>>>> Check your booleans. I spotted one thing right off the bat
>>>> (urandom) which is probably due to the boolean global_ssp not
>>>> being true. This should be true for gentoo systems, but for some
>>>> reason, the ebuild defaults it to false.
>>>>
>>>> Will Keaney wrote:
>>>>> I've just finished updating my SELinux VM, but still get a lot of
>>>>> avc denials in /var/log/syslog.
>>>>> What is the recommended method of changing
>>>>> the SELinux policy? I seem to remember PeBenito saying in IRC
>>>>> that editing the policy files directly is not recommended.
>>>>>
>>>>> On the off chance that someone has some insight into what might be
>>>>> causing these errors, I'm attaching the output of
>>>>> grep "Nov 18 16:2" /var/log/syslog | cut -d " " -f 7- | grep avc
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Will Keaney
>>>>> uberpinguin
>>>>>
>>> Thanks very much for the quick reply, it is very informative.
>>> I don't seem to have any booleans loaded, according to sestatus -v:
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /selinux
>>> Current mode:                   permissive
>>> Mode from config file:          permissive
>>> Policy version:                 21
>>> Policy from config file:        strict
>>>
>>> Process contexts:
>>> Current context:                root:sysadm_r:sysadm_t
>>> Init context:                   system_u:system_r:init_t
>>> /sbin/agetty                    system_u:system_r:getty_t
>>> /usr/sbin/sshd                  system_u:system_r:sshd_t
>>>
>>> File contexts:
>>> Controlling term:               root:object_r:sysadm_tty_device_t
>>> /sbin/init                      system_u:object_r:init_exec_t
>>> /sbin/agetty                    system_u:object_r:getty_exec_t
>>> /bin/login                      system_u:object_r:login_exec_t
>>> /sbin/rc                        system_u:object_r:initrc_exec_t
>>> /sbin/runscript.sh              system_u:object_r:initrc_exec_t
>>> /usr/sbin/sshd                  system_u:object_r:sshd_exec_t
>>> /sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
>>> /etc/passwd                     system_u:object_r:etc_t
>>> /etc/shadow                     system_u:object_r:shadow_t
>>> /bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
>>> /bin/bash                       system_u:object_r:shell_exec_t
>>> /usr/bin/newrole                system_u:object_r:newrole_exec_t
>>> /lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
>>> /lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
>>>
>>> I don't see a command to load/change booleans though?
>>>
>>> Will
>>>
> Thanks very much. Is there some sort of documentation for what each of
> these booleans does? Google is turning up a few mailing list threads,
> but so far none have been very informative.
> Once I've been through all of the booleans, what's the best way to
> start adding allow rules?
>
> Thanks,
>
> Will

-- 
My RSA public key for email authentication is available at
http://www.rennes.enst-bretagne.fr/~jthomas2/
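As an added example that is not from this thread or from any of its participants: two POSIX shell helpers for the workflow discussed above, one that condenses syslog AVC denials into unique (scontext, tcontext, tclass, permission) tuples with counts before the log goes to audit2why/audit2allow, and one that reads current and pending boolean values straight from the /selinux/booleans directory Bill mentions. The sample log lines are constructed, and the optional directory argument of list_booleans is an assumption added so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added triage helpers for the thread's workflow: summarise AVC denials
# from syslog before running audit2why/audit2allow, and list boolean
# values from selinuxfs. Not from the original thread.

# Constructed sample syslog lines (not from the thread). The field layout
# is the kernel's: avc: denied { perms } for ... scontext= tcontext= tclass=
SAMPLE_AVC='Nov 18 16:21:03 vm kernel: audit(1195420863.101:42): avc:  denied  { read } for  pid=1201 comm="sshd" name="urandom" dev=tmpfs ino=611 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Nov 18 16:21:04 vm kernel: audit(1195420864.102:43): avc:  denied  { read } for  pid=1202 comm="sshd" name="urandom" dev=tmpfs ino=611 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Nov 18 16:21:05 vm kernel: audit(1195420865.103:44): avc:  denied  { read write } for  pid=1300 comm="login" name="0" dev=tmpfs ino=700 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Nov 18 16:21:06 vm kernel: audit(1195420866.104:45): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security'

# Read AVC records on stdin; print "count scontext tcontext tclass perm"
# for each unique tuple, most frequent first. "granted" records are skipped.
summarize_avc() {
    grep 'avc: *denied' |
    awk '{
        n = 0; inperm = 0; sc = tc = tcl = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms[++n] = $i; continue }   # words between braces
            if (index($i, "scontext=") == 1) sc = substr($i, 10)
            else if (index($i, "tcontext=") == 1) tc = substr($i, 10)
            else if (index($i, "tclass=") == 1) tcl = substr($i, 8)
        }
        for (i = 1; i <= n; i++) count[sc " " tc " " tcl " " perms[i]]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# List booleans from a selinuxfs booleans directory (the thread's
# /selinux/booleans by default; the argument is an assumption for testing).
# Each file holds "<current> <pending>"; a mismatch is a setsebool change
# that has not been committed yet.
list_booleans() {
    dir=${1:-/selinux/booleans}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        read -r cur pending < "$f" || true   # file has no trailing newline
        printf '%s current=%s pending=%s\n' "${f##*/}" "$cur" "$pending"
    done
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```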