Hi,

On Sun, Jun 10, 2007 at 05:13:29PM +0200, GNUtoo@××××××.org wrote:
> hello i just installed selinux and read the manual...i have some questions
> about selinux:
> *are there any tools compatible with the 2006.1 profile in portage that can
> make security policies for applications such as tremulous and nexuiz, i
> searched a bit on the net and i found a solution:
> http://www.nsa.gov/selinux/list-archive/0702/19543.cfm
> using runcon to change the context in which the games are run but it
> seems that it's not supported yet:
> # runcon -c -u system_u -r object_r -t games_exec_t ./nexuiz
> system_u:object_r:games_exec_t is not a valid context

because selinux-games does not exist yet. see my other mail for details on how to fix this.

> *how do i make boot possible with the enforcement mode on? i have some denials:
> audit(1181367493.741:3): avc: denied { read write } for pid=1231
> comm="hotplug" name="tty" dev=md3 ino=20710227
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1181367495.241:4): avc: denied { read write } for pid=1267
> comm="mount" name="console" dev=md3 ino=20709389
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1181367495.241:5): avc: denied { read write } for pid=1286
> comm="restorecon" name="console" dev=md3 ino=20709389
> scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1181367501.240:6): avc: denied { read write } for pid=3414
> comm="dmsetup" name="console" dev=md3 ino=20709389
> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t
> tclass=chr_file

your (underlying) /dev was not labeled. this has been covered not so long ago on this list.
I recommend a static dev.


> audit(1181367501.240:7): avc: denied { mounton } for pid=3428
> comm="mount" name="tmp" dev=md3 ino=6668330
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t
> tclass=dir

not sure what you try to mount here

> audit(1181360304.943:8): avc: denied { getattr } for pid=3496
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:9): avc: denied { execute } for pid=3497
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:10): avc: denied { execute_no_trans } for pid=3497
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:11): avc: denied { read } for pid=3497
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360306.943:12): avc: denied { read } for pid=3495
> comm="update-modules" name="build" dev=md3 ino=7575114
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:modules_object_t tclass=lnk_file
> audit(1181360306.943:13): avc: denied { read } for pid=7144
> comm="update-modules" name="linux-2.6.21-rt2" dev=md3 ino=2539665
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:src_t tclass=dir

no servers here needing modules, sorry.


bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
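The triage peter does by eye above (spotting that every chr_file denial hits a target of type file_t, i.e. an unlabeled /dev) can be mechanised. The following is an added example, not code from the thread or from the Gentoo Hardened project: it parses classic `audit(...)`-format AVC records into fields, groups the denials by source domain, target type and object class, and flags those whose target type is file_t, which in the reference policy is the type a file carries when it has never been labeled. The sample input is the set of denials quoted in the mail above, re-joined onto one line each; the field layout assumed is the one shown there (MLS contexts with a fourth field are tolerated).

```python
"""Parse SELinux AVC denial records and group them for triage.

Added example; not part of the original mailing-list thread. The sample
records below are the denials quoted in the mail, one per line.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread, re-joined.
SAMPLE_AVC = """\
audit(1181367493.741:3): avc: denied { read write } for pid=1231 comm="hotplug" name="tty" dev=md3 ino=20710227 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367495.241:4): avc: denied { read write } for pid=1267 comm="mount" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367495.241:5): avc: denied { read write } for pid=1286 comm="restorecon" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367501.240:6): avc: denied { read write } for pid=3414 comm="dmsetup" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367501.240:7): avc: denied { mounton } for pid=3428 comm="mount" name="tmp" dev=md3 ino=6668330 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
audit(1181360304.943:8): avc: denied { getattr } for pid=3496 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
audit(1181360304.943:9): avc: denied { execute } for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
audit(1181360304.943:10): avc: denied { execute_no_trans } for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
audit(1181360304.943:11): avc: denied { read } for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
audit(1181360306.943:12): avc: denied { read } for pid=3495 comm="update-modules" name="build" dev=md3 ino=7575114 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
audit(1181360306.943:13): avc: denied { read } for pid=7144 comm="update-modules" name="linux-2.6.21-rt2" dev=md3 ino=2539665 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:src_t tclass=dir
"""

# Header of a classic AVC record: audit(<secs>.<ms>:<serial>): avc: denied { perms } for <fields>
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +(?P<action>denied|granted) +'
    r'\{ (?P<perms>[^}]*?) \} for (?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target type that the reference policy gives to files that have never been labeled.
UNLABELED_FILE_TYPE = "file_t"


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Split user:role:type[:level] so callers can group on the type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def triage(text):
    """Group denials by (source domain, target type, class).

    Returns (groups, unlabeled): groups maps that key to a count, the union of
    denied permissions and the set of comm names; unlabeled lists the records
    whose target is file_t, the symptom of an unlabeled filesystem.
    """
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set()})
    unlabeled = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        if rec["tcontext_type"] == UNLABELED_FILE_TYPE:
            unlabeled.append(rec)
    return dict(groups), unlabeled


def report(text):
    """Render the triage as one line per (domain, type, class) group."""
    groups, unlabeled = triage(text)
    lines = []
    for (src, tgt, cls), g in sorted(groups.items()):
        flag = "  <- unlabeled target" if tgt == UNLABELED_FILE_TYPE else ""
        lines.append("%-18s -> %-18s %-9s x%d {%s} via %s%s" % (
            src, tgt, cls, g["count"], " ".join(sorted(g["perms"])),
            ",".join(sorted(g["comms"])), flag))
    lines.append("%d of %d denials hit unlabeled (file_t) objects"
                 % (len(unlabeled), sum(g["count"] for g in groups.values())))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AVC)))
```

Run against the sample, the report shows four distinct domains (hotplug_t, mount_t, restorecon_t, lvm_t) all denied on file_t chr_file objects named tty and console, which is the pattern of an unlabeled /dev rather than four separate policy gaps; the update_modules_t denials, by contrast, target properly labeled types and are a policy question, not a labeling one.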