| 1 |
[snip] |
| 2 |
> messages. But some of the rules it recommends just look wrong to me. |
| 3 |
> Things like this: |
| 4 |
> |
| 5 |
> allow consoletype_t file_t:chr_file { getattr ioctl read write }; |
| 6 |
> allow consoletype_t file_t:dir search; |
| 7 |
> allow dmesg_t file_t:chr_file { read write }; |
| 8 |
The original avc message would be helpful here. |
| 9 |
Bear in mind that audit2allow just generates an allow rule, which may or |
| 10 |
may not be what you need. In a lot of cases a dontaudit rule will do. |
| 11 |
|
| 12 |
> I was under the impression that nothing should ever be permitted to |
| 13 |
> transition to file_t, and that errors referencing the file_t domain mean |
| 14 |
> there's something mis-labelled. |
| 15 |
Indeed, which is why the original avc message would be helpful (as it |
| 16 |
would allow you to figure out which file was being accessed). |
| 17 |
|
| 18 |
> In this case, it looks like |
| 19 |
> /dev/console is the biggest culprit, but I've also 20 or so errors from |
| 20 |
> initrc, a few from ifconfig, a half-dozen from udev. If I install, say, |
| 21 |
> sshd or sudo, I get more, even after merging and reloading their policy |
| 22 |
> files. |
| 23 |
Do you have udev mounted under /dev? devpts mounted under /dev/pts? |
| 24 |
I prefer to use a static /dev or tmpfs (which supports security labels) |
| 25 |
|
| 26 |
Antoine |
| 27 |
-- |
| 28 |
gentoo-hardened@g.o mailing list |
Archives