On Sun, 18 Nov 2007 18:25:17 -0500
Bill Sharer <bsharer@××××××××××.com> wrote:

> The booleans are in /selinux/booleans
>
> Use setsebool to change their value and/or make it permanent.
>
> Will Keaney wrote:
> > On Sun, 18 Nov 2007 16:56:55 -0500
> > Bill Sharer <bsharer@××××××××××.com> wrote:
> >
> >
> >> You can run the log through audit2why and audit2allow to get a feel
> >> for what's going on in policy. Don't directly rely on audit2allow
> >> since I think it still orients itself to the old modular example
> >> policy and not refpolicy.
> >>
> >> Check your booleans. I spotted one thing right off the bat
> >> (urandom) which is probably due to the boolean global_ssp not
> >> being true. This should be true for gentoo systems, but for some
> >> reason, the ebuild defaults it to false.
> >>
> >> Will Keaney wrote:
> >>
> >>> I've just finished updating my SELinux VM, but still get a lot of
> >>> avc denials in /var/log/syslog.
> >>> What is the recommended method of changing
> >>> the SELinux policy? I seem to remember PeBenito saying in IRC
> >>> that editing the policy files directly is not recommended.
> >>>
> >>> On the off chance that someone has some insight into what might be
> >>> causing these errors, I'm attaching the output of
> >>> grep "Nov 18 16:2" /var/log/syslog | cut -d " " -f 7- | grep avc
> >>>
> >>>
> >>> Thanks,
> >>>
> >>> Will Keaney
> >>> uberpinguin
> >>>
> >>>
> > Thanks very much for the quick reply, it is very informative.
> > I don't seem to have any booleans loaded, according to sestatus -v:
> > SELinux status:             enabled
> > SELinuxfs mount:            /selinux
> > Current mode:               permissive
> > Mode from config file:      permissive
> > Policy version:             21
> > Policy from config file:    strict
> >
> > Process contexts:
> > Current context:            root:sysadm_r:sysadm_t
> > Init context:               system_u:system_r:init_t
> > /sbin/agetty                system_u:system_r:getty_t
> > /usr/sbin/sshd              system_u:system_r:sshd_t
> >
> > File contexts:
> > Controlling term:           root:object_r:sysadm_tty_device_t
> > /sbin/init                  system_u:object_r:init_exec_t
> > /sbin/agetty                system_u:object_r:getty_exec_t
> > /bin/login                  system_u:object_r:login_exec_t
> > /sbin/rc                    system_u:object_r:initrc_exec_t
> > /sbin/runscript.sh          system_u:object_r:initrc_exec_t
> > /usr/sbin/sshd              system_u:object_r:sshd_exec_t
> > /sbin/unix_chkpwd           system_u:object_r:chkpwd_exec_t
> > /etc/passwd                 system_u:object_r:etc_t
> > /etc/shadow                 system_u:object_r:shadow_t
> > /bin/sh                     system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
> > /bin/bash                   system_u:object_r:shell_exec_t
> > /usr/bin/newrole            system_u:object_r:newrole_exec_t
> > /lib/libc.so.6              system_u:object_r:lib_t -> system_u:object_r:shlib_t
> > /lib/ld-linux.so.2          system_u:object_r:lib_t -> system_u:object_r:ld_so_t
> >
> > I don't see a command to load/change booleans though?
> >
> > Will
> >
>
Thanks very much. Is there some sort of documentation for what each of
these booleans does? Google is turning up a few mailing list threads,
but so far none have been very informative.
Once I've been through all of the booleans, what's the best way to
start adding allow rules?

Thanks,

Will
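The thread suggests running the AVC denials through audit2why/audit2allow before writing any allow rules; as an added example (not from the thread or from the audit2allow tool itself), the script below parses syslog AVC lines of the kind the grep|cut pipeline above produces, merges them by source type, target type and object class, and renders them as candidate allow rules in the form audit2allow prints. The sample log lines are constructed for illustration and are not the poster's attached output.

```python
import re
from collections import defaultdict

# Constructed sample of AVC denials as the kernel writes them to syslog,
# with the "Nov 18 16:2x host kernel:" prefix already cut off. Not the
# poster's real log; the types mirror the contexts shown in sestatus -v.
SAMPLE_AVC_LINES = [
    'audit(1195421001.101:12): avc:  denied  { read } for  pid=2231 comm="sshd" name="urandom" dev=tmpfs ino=611 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file',
    'audit(1195421001.102:13): avc:  denied  { read } for  pid=2240 comm="bash" name="urandom" dev=tmpfs ino=611 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file',
    'audit(1195421002.200:14): avc:  denied  { read write } for  pid=2240 comm="bash" name="urandom" dev=tmpfs ino=611 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file',
    'audit(1195421003.300:15): avc:  denied  { getattr } for  pid=2250 comm="agetty" path="/dev/tty1" dev=tmpfs ino=700 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tty_device_t tclass=chr_file',
    'Nov 18 16:20:04 vm kernel: not an avc line at all',
]

# Permission set in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; policy rules are written on the type.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())


def summarize(lines):
    """Merge denials by (source, target, class), unioning the permissions asked for."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def candidate_rules(summary):
    """Render merged denials as allow rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE_AVC_LINES)):
        print(rule)
```

Treat the output as a reading aid rather than rules to load: as the thread points out, a urandom denial may simply be the global_ssp boolean being off, and only audit2why run against the loaded policy can tell you whether an existing boolean already covers a denial.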