On 27/08/2012 19:38, Sven Vermeulen wrote:
> On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote:
>> Hello Sven, first of all, all the denials I wrote here are from
>> enforcing mode.
> Oh that's good then. Would you also happen to get any failures from the
> applications themselves (or error messages you get)?
>
> Or, in other words, why shouldn't I just dontaudit everything ;)
>
> Getting the error messages is a very important and often misunderstood part.
> It helps identify the reason why something needs to be allowed (since for
> SELinux policies, we have several interfaces that allow something, but
> depending on the reason why it needs to be allowed, we might need to use a
> different interface) and also document the problem so the fix is easier to
> submit upstream.
Well I only had a policykit crash window. But it disappeared when,
following your suggestion, I've made a rule with audit2allow only on
the execute denials. But even with that rule the problems of audio card
and powerdevil weren't solved.
This is the rule:
require {
type policykit_exec_t;
type bin_t;
type crond_t;
type system_dbusd_t;
class file { execute execute_no_trans };
}

#============= crond_t ==============
allow crond_t bin_t:file { execute execute_no_trans };

#============= system_dbusd_t ==============
allow system_dbusd_t policykit_exec_t:file execute;

>
>>>> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
>>>> audit(1345917944.027:3): avc: denied { search } for pid=1433
>>>> comm="alsactl" name="root" dev="sda5" ino=1308163
>>>> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
>>>> tclass=dir
>>> This says /root is default_t again. Mine says:
>>>
>>> ~ # matchpathcon /root
>>> /root root:object_r:user_home_dir_t
>>>
>>> ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
>>> /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t
>> The same gives me nothing.
> You'll need to change the directory from strict to targeted in your case.
>
> The root users' home directory should definitely be mentioned here (just
> checked on a targeted system at work). Is the root user mapped to a
> particular SELinux user?
>
> What does "semanage login -l" say?
Semanage login -l outputs only:
__default__ unconfined_u
system_u system_u

Anyway I think that I "solved" this problem (probably it's rather a
workaround) using the context you wrote: "semanage fcontext -a -t
user_home_dir_t /root". In fact the su delay disappeared.

>
> [... Allowing global_ssp to allow domains access to urandom ...]
>> No, it isn't. I did not enable it because I'm still not in hardened
>> because I'd want to let selinux completely work before the conversion.
> That's okay. At least we now know that the domain probably needs it. Do you
> only get the denials or also an error?
>
> Wkr,
> Sven Vermeulen
>
Well, no, all that is related to alsactl is (perhaps) the fact that kde
can't see my audio card.

There is one more problem. As I wrote in the previous mail two folders
in /run are mislabeled: /run/ConsoleKit and /run/console. For the first,
the mislabeling was solved by using the script for the initramfs users
(of course adding restorecon -R /run). But I couldn't relabel permanently
the second dir. I think it's because it belongs to pam, so perhaps it is
created after a login, but the script runs before it. Am I right?
So how can it be solved? Why does every boot mislabel these two directories?
I think that if we solve it then we can try to summarize the denials I
have at this point.

Paolo.
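Sven's point in this thread is that a denial has to be read before it is allowed: the alsactl denial targets default_t, which just means /root matched no file_contexts entry, while the crond_t and system_dbusd_t denials are real policy gaps that audit2allow correctly turns into allow rules. The Python below is an added example, not code from this thread or from any SELinux tool, that parses type=1400 AVC records and separates the two cases; the sample log mixes the alsactl line quoted above with constructed records, and the MISLABEL_TYPES set is an assumption about which target types indicate a labeling problem.

```python
import re
from collections import defaultdict

# Constructed sample: the alsactl denial quoted in this thread plus three constructed
# type=1400 records of the kind audit2allow turned into the crond_t/system_dbusd_t rules.
SAMPLE_LOG = "\n".join([
    'Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir',
    'Aug 25 18:06:07 dell-studio kernel: [ 9.100000] type=1400 audit(1345917946.100:4): avc: denied { execute } for pid=1500 comm="dbus-daemon" name="polkitd" dev="sda5" ino=200001 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:policykit_exec_t tclass=file',
    'Aug 25 18:07:01 dell-studio kernel: [ 63.200000] type=1400 audit(1345918000.200:5): avc: denied { execute } for pid=1600 comm="run-crons" name="sh" dev="sda5" ino=300001 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file',
    'Aug 25 18:07:01 dell-studio kernel: [ 63.200100] type=1400 audit(1345918000.200:6): avc: denied { execute_no_trans } for pid=1600 comm="run-crons" name="sh" dev="sda5" ino=300001 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file',
])

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
                    r'\s+tclass=(?P<tclass>\S+)')

# Assumption: default_t/unlabeled_t mean no file_contexts entry matched the object, so a
# denial against them is a labeling problem (restorecon, semanage fcontext), not a missing rule.
MISLABEL_TYPES = {"default_t", "unlabeled_t"}

def parse_avc(line):
    """Return perms, source/target types, class and object name of one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    name = re.search(r'name="([^"]*)"', line)
    return {"perms": set(m["perms"].split()),
            "stype": m["scontext"].split(":")[2],   # third field of a context is the type
            "ttype": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
            "name": name.group(1) if name else None}

def triage(log):
    """Split denials into audit2allow-style allow rules and relabel hints."""
    rules = defaultdict(set)   # (stype, ttype, tclass) -> merged permissions
    relabel = []               # (stype, object name, suspicious target type)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["ttype"] in MISLABEL_TYPES:
            relabel.append((rec["stype"], rec["name"], rec["ttype"]))
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    allow = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        allow.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1
                     else f"allow {s} {t}:{c} {p};")
    return allow, relabel
```

On the sample log this reproduces the two allow rules shown earlier in the mail and reports the alsactl hit on "root" labeled default_t as something to relabel rather than allow.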