Matt Harrison wrote:
> max wrote:
>> Matt Harrison wrote:
>>> max wrote:
>>>> Matt Harrison wrote:
>>>>> Matt Harrison wrote:
>>>>>> I previously installed a virtual machine with selinux etc to see if I
>>>>>> could get my head round it and it all worked fine.
>>>>> Actually this isn't true, when enabling enforce on my test machine it
>>>>> locks me out of everything as well.
>>>>>
>>>>> This is a complete mystery to me and quite disappointing.
>>>>>
>>>> set selinux to permissive and check the logs when the box comes up
>>>>
>>> Thanks for the reply,
>>>
>>> Ok, firstly if I boot up in enforcing mode it halts saying something
>>> like access to /sbin/init was denied.
>>>
>>> If I boot up permissive I get tonnes of denied messages in dmesg.
>>> There are far too many to list so I've attached a trimmed dmesg output,
>>> starting from the first related message.
>>>
>>> From my untrained eye looking over these messages it seems that a lot of
>>> core system stuff is being denied access, why I have no clue, everything
>>> should be labelled and set up according to the gentoo selinux howto.
>>>
>>> Grateful for any input.
>>>
>>> Thanks
>>>
>>> Matt
>> Do you happen to have the build.conf file for your policy? I am still
>> working on building my gentoo box, I mainly run Fedora but I notice
>> that, at least on Fedora, the following is set to allow (from your dmesg):
>>
>> security: class peer not defined in policy
>> security: class capability2 not defined in policy
>> security: permission recvfrom in class node not defined in policy
>> security: permission sendto in class node not defined in policy
>> security: permission ingress in class netif not defined in policy
>> security: permission egress in class netif not defined in policy
>> security: permission setfcap in class capability not defined in policy
>> security: permission flow_in in class packet not defined in policy
>> security: permission flow_out in class packet not defined in policy
>> security: permission forward_in in class packet not defined in policy
>> security: permission forward_out in class packet not defined in policy
>> SELinux: Completing initialization.
>> SELinux: Setting up existing superblocks.
>>
>> SELinux: policy loaded with handle_unknown=deny
>>
>> If I compile a policy on Fedora this is always set to allow, if not I
>> usually run into problems like you're having, I don't know enough about
>> gentoo to know if this is supposed to be this way here or not, perhaps
>> someone else can supply the answer. The description in the build.conf file:
>>> # Unknown Permissions Handling
>>> # The behavior for handling permissions defined in the
>>> # kernel but missing from the policy. The permissions
>>> # can either be allowed, denied, or the policy loading
>>> # can be rejected.
>>> # allow, deny, and reject are current options.
>> You could try recompiling the policy with this set to allow, that, I
>> think, should resolve the issue for you but I don't really know how
>> different the default Fedora and gentoo policies are so take it with a
>> grain of salt. Aside from that I could only suggest running the denials
>> through audit2allow but I think changing that option there is
>> your best bet. You're showing quite a few things not defined in policy and
>> they are getting denied.
>>
>> UNK_PERMS=allow
>>
>>
>> -Max
>>
>
> This is a totally standard policy, I haven't modified anything since the
> emerges. Since I haven't modified anything I'm not sure where to find
> the build.conf. Where might I be able to find it?
>
> Thanks
>
> Matt
>

Scratch that, I've found it at
/usr/share/selinux/strict/include/build.conf. See attached

thanks

Matt
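Max's diagnosis above (the kernel reports classes and permissions the loaded policy does not define, and with handle_unknown=deny every access involving them is refused) can be checked mechanically. The script below is an added example, not code from this thread or from the Gentoo or reference policy projects: it pulls the "not defined in policy" items out of a dmesg capture, reads the handle_unknown mode the kernel logged, and reads UNK_PERMS from a build.conf. The dmesg text is constructed from the lines quoted above; the selinuxfs paths mentioned in the comments (/sys/fs/selinux, or /selinux on older kernels) are assumptions about where the kernel mounts it on the reader's box.

```shell
#!/bin/sh
# Added example (not from the thread): correlate the kernel's
# "not defined in policy" messages with the policy's handle_unknown mode.

# Constructed sample, modelled on the dmesg lines quoted in the thread.
SAMPLE_DMESG='security: class peer not defined in policy
security: class capability2 not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission setfcap in class capability not defined in policy
SELinux: Completing initialization.
SELinux: policy loaded with handle_unknown=deny'

# Print one line per undefined item: "class <name>" or "perm <class>.<perm>".
# Leading ".*" tolerates printk timestamps in front of "security:".
undefined_items() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*security: class \([^ ]*\) not defined in policy$/class \1/p' \
        -e 's/.*security: permission \([^ ]*\) in class \([^ ]*\) not defined in policy$/perm \2.\1/p'
}

# The handle_unknown value the kernel logged (allow, deny or reject); empty if absent.
handle_unknown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*handle_unknown=\([a-z]*\).*/\1/p' | tail -n 1
}

# UNK_PERMS from a build.conf read on stdin, ignoring commented lines; empty if unset.
# Usage: build_conf_unk_perms < /usr/share/selinux/strict/include/build.conf
build_conf_unk_perms() {
    sed -n 's/^[[:space:]]*UNK_PERMS[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# Verdict for a dmesg capture:
#   undefined-and-denied  - undefined items present and handle_unknown=deny (Max's case)
#   undefined-but-<mode>  - undefined items present but the kernel allows/rejects them
#   ok                    - nothing undefined
diagnose() {
    n=$(undefined_items "$1" | wc -l | tr -d ' ')
    mode=$(handle_unknown_mode "$1")
    if [ "$n" -gt 0 ] && [ "$mode" = "deny" ]; then
        echo "undefined-and-denied"
    elif [ "$n" -gt 0 ]; then
        echo "undefined-but-${mode:-unknown}"
    else
        echo "ok"
    fi
}

# On a live box replace the sample with "$(dmesg)"; the loaded setting is also
# readable from selinuxfs (deny_unknown under /sys/fs/selinux, or /selinux on
# older kernels; 1 means deny).
main() {
    undefined_items "$SAMPLE_DMESG"
    echo "handle_unknown=$(handle_unknown_mode "$SAMPLE_DMESG")"
    echo "verdict: $(diagnose "$SAMPLE_DMESG")"
}
main
```

A verdict of undefined-and-denied on a box that is otherwise labelled correctly is the signature of the mismatch Max describes: the policy was built against an older set of kernel object classes, so rebuilding it with UNK_PERMS set to allow (or against a policy that defines the newer classes) is the fix to try before writing local modules from the denials.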