-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed selinux on my gentoo box, and am getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
>
> Emerge doesn't work if I run it from a terminal in X11 - it call
> traces, can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342877962.367:425): avc: denied { search } for pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
> type=1400 audit(1342877962.394:426): avc: denied { search } for pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
> type=1400 audit(1342878036.496:428): avc: denied { read write } for pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878036.505:430): avc: denied { getattr } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878083.667:431): avc: denied { read write } for pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878083.671:432): avc: denied { search } for pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
> ----------------
>
> I'm running xdm - gdm3 to be more accurate - and as a normal user in
> a terminal I switch to root and then do newrole -t sysadm_t - after
> that I'm trying to emerge something. Of course from a raw console,
> a.k.a. a non-X env, emerging works.
>
> Additional info:
> ----------------
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              disabled
> Policy deny_unknown status:     denied
> Max kernel policy version:      26
> ----------------
> # id -Z    // after switching to root and changing newrole
> system_u:system_r:sysadm_t
> ----------------
> all installed sec-policy packages are from the hardened-devel overlay = 2.20120215-r14
> ----------------
> I did rlpkg -a -r so many times.. :-)
>
> thanks in advance
>
> Ivan Gooten
>

Hi,

the first few things I notice are that it's "newrole -r sysadm_r" -
"newrole -t" just switches the type.
You shouldn't be in system_u, either, but in staff_u.
Since you are using a targeted policy you actually would have more
rights if you removed the SELinux user mapping for your user entirely,
because you would be in "unconfined_r:unconfined_t", which means that
there aren't really any restrictions for your user except those that
are stated explicitly.

WKR

Hinnerk

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQCrYjAAoJEJwwOFaNFkYcbysH/37pEdkLN/kp8S+Hr9O7rrbI
20cQI6IoDnWc4KtzBK9lhbI8RV3xSvsKSG2/nS8kY9CmMEwEdrXnnRrOtPDuxOez
4KXCQH4CSVARmU3YW/HxPDfm5/PL2h4npOuPjGU2ZQ9oQNt89CKS6zPc/OmWhqJe
PnTZwioVdRH5bHvcsjAsO2niSYCvoex7mjxTZB2RzniRHV0ZsGRzCHj6qiVwQeE4
xAP1Rk3Gzr9kwfIDOWDq47/mlhnUEIp3E6fNmsscta8FcZjh/kGxtOwNlfxwu1hg
+zS/Q7iREffLAsBOGlICbMkm4859bW1dDi9IW+VT5CzTQkUygTbQ/t2dYQJ3NUU=
=Lvu6
-----END PGP SIGNATURE-----
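An added example, not part of either message in this thread: a small POSIX sh/awk triage of the AVC lines Ivan posted, collapsing the eight denials into the six distinct (source type, target type, object class, permissions) tuples, printed in the TE allow-rule syntax that audit2allow would propose. The eight lines are the ones quoted above, re-embedded here as constructed input with one record per line; the function name avc_summary and the "# seen Nx" comment format are my own.

```shell
#!/bin/sh
# Constructed sample input: the AVC denials from the post, one per line.
AVC_SAMPLE='type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc: denied { search } for pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342877962.394:426): avc: denied { search } for pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1342878036.496:428): avc: denied { read write } for pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.505:430): avc: denied { getattr } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.667:431): avc: denied { read write } for pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878083.671:432): avc: denied { search } for pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir'

# avc_summary: read AVC denial records on stdin (one per line, as dmesg or
# audit.log print them) and emit one TE-style "allow" line per distinct
# source type / target type / class / permission set, with the number of
# matching denials in a trailing comment. Output is sorted so it is stable.
avc_summary() {
  awk '
    /avc: +denied/ {
      # permissions sit between the braces: "{ read write }"
      perms = "?"
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      # third colon-separated field of a context is the type (user:role:type)
      s = t = c = "?"
      for (i = 1; i <= NF; i++) {
        if (index($i, "scontext=") == 1)      { split(substr($i, 10), a, ":"); s = a[3] }
        else if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); t = a[3] }
        else if (index($i, "tclass=") == 1)   { c = substr($i, 8) }
      }
      key = "allow " s " " t ":" c " { " perms " };"
      n[key]++
    }
    END { for (k in n) printf "%s # seen %dx\n", k, n[k] }
  ' | LC_ALL=C sort
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

Run against the sample this yields six rules: two for portage_t against devpts_t:chr_file plus one for portage_fetch_t against it, and search on user_home_dir_t and sysfs_t for portage_fetch_t. That is exactly what audit2allow would hand back, and it is the wrong fix here: the rules would permanently let the portage domains at a user's pty and home directory, whereas the reply above puts the cause in the role and SELinux user the session was started under. Collapse the denials this way to see what the policy is being asked for, then decide whether the request is legitimate before loading anything.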