| 1 |
max wrote: |
| 2 |
> Matt Harrison wrote: |
| 3 |
>> max wrote: |
| 4 |
>>> Matt Harrison wrote: |
| 5 |
>>>> Matt Harrison wrote: |
| 6 |
>>>>> I previously installed a virtual machine with selinux etc to see if I |
| 7 |
>>>>> could get my head round it and it all worked fine. |
| 8 |
>>>> Actually this isn't true, when enabling enforce on my test machine it |
| 9 |
>>>> locks me out of everything as well. |
| 10 |
>>>> |
| 11 |
>>>> This is a complete mystery to me and quite disappointing. |
| 12 |
>>>> |
| 13 |
>>> set selinux to permissive and check the logs when the box comes up |
| 14 |
>>> |
| 15 |
>> |
| 16 |
>> Thanks for the reply, |
| 17 |
>> |
| 18 |
>> Ok, firstly if I boot up in enforcing mode it halts saying something |
| 19 |
>> like access to /sbin/init was denied. |
| 20 |
>> |
| 21 |
>> If I boot up permissive I get tonnes of denied messages in dmesg. |
| 22 |
>> There's far too many to list so I've attached a trimmed dmesg output, |
| 23 |
>> starting from the first related message. |
| 24 |
>> |
| 25 |
>> From my untrained eye looking over these messages it seems that a lot of |
| 26 |
>> core system stuff is being denied access, why I have no clue, everything |
| 27 |
>> should be labelled and setup according to the gentoo selinux howto. |
| 28 |
>> |
| 29 |
>> Grateful for any input. |
| 30 |
>> |
| 31 |
>> Thanks |
| 32 |
>> |
| 33 |
>> Matt |
| 34 |
> Do you happen to have the build.conf file for your policy? I am still |
| 35 |
> working on building my gentoo box, i mainly run fedora but I notice |
| 36 |
> that, at least on Fedora, the following is set to allow(From your dmesg): |
| 37 |
> |
| 38 |
> security: class peer not defined in policy |
| 39 |
> security: class capability2 not defined in policy |
| 40 |
> security: permission recvfrom in class node not defined in policy |
| 41 |
> security: permission sendto in class node not defined in policy |
| 42 |
> security: permission ingress in class netif not defined in policy |
| 43 |
> security: permission egress in class netif not defined in policy |
| 44 |
> security: permission setfcap in class capability not defined in policy |
| 45 |
> security: permission flow_in in class packet not defined in policy |
| 46 |
> security: permission flow_out in class packet not defined in policy |
| 47 |
> security: permission forward_in in class packet not defined in policy |
| 48 |
> security: permission forward_out in class packet not defined in policy |
| 49 |
> SELinux: Completing initialization. |
| 50 |
> SELinux: Setting up existing superblocks. |
| 51 |
> |
| 52 |
> SELinux: policy loaded with handle_unknown=deny |
| 53 |
> |
| 54 |
> If i compile a policy on Fedora this is always set to allow, if not I |
| 55 |
> usually run into problems like your having, I don't know enough about |
| 56 |
> gentoo to know if this is supposed to be this way here or not, perhaps |
| 57 |
> someone else can supply the answer. The description in the build.conf file: |
| 58 |
>> # Unknown Permissions Handling |
| 59 |
>> # The behavior for handling permissions defined in the |
| 60 |
>> # kernel but missing from the policy. The permissions |
| 61 |
>> # can either be allowed, denied, or the policy loading |
| 62 |
>> # can be rejected. |
| 63 |
>> # allow, deny, and reject are current options. |
| 64 |
> |
| 65 |
> You could try recompiling the policy with this set to allow, that, i |
| 66 |
> think, should resolve the issue for you but I don't really know how |
| 67 |
> different the default fedora and gentoo policies are so take it with a |
| 68 |
> grain of salt. Aside from that I could only suggest running the denials |
| 69 |
> through audit to allow2allow but I think changing that option there is |
| 70 |
> your best bet. Your showing quite a few things not defined in policy and |
| 71 |
> they are getting denied. |
| 72 |
> |
| 73 |
> UNK_PERMS=allow |
| 74 |
> |
| 75 |
> |
| 76 |
> -Max |
| 77 |
> |
| 78 |
|
| 79 |
This is a totally standard policy, I haven't modified anything since the |
| 80 |
emerges. Since I haven't modified anything I'm not sure where to find |
| 81 |
the build.conf. Where might I be able to find it? |
| 82 |
|
| 83 |
Thanks |
| 84 |
|
| 85 |
Matt |
Archives