Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <swift@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux
Date: Mon, 27 Aug 2012 18:02:11
Message-Id: 20120827173852.GA11250@gentoo.org
In Reply to: Re: [gentoo-hardened] Can't get fully functional (kde) desktop with SELinux by Paolo Barile
On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote:
> Hello Sven, first of all, all the denials I wrote here are from
> enforcing mode.

Oh that's good then. Would you also happen to get any failures from the
applications themselves (or error messages you get)?

Or, in other words, why shouldn't I just dontaudit everything ;)

Getting the error messages is a very important and often misunderstood part.
It helps identify the reason why something needs to be allowed (since for
SELinux policies, we have several interfaces that allow something, but
depending on the reason why it needs to be allowed, we might need to use a
different interface) and also document the problem so the fix is easier to
submit upstream.

> >> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
> >> audit(1345917944.027:3): avc: denied { search } for pid=1433
> >> comm="alsactl" name="root" dev="sda5" ino=1308163
> >> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
> >> tclass=dir
> > This says /root is default_t again. Mine says:
> >
> > ~ # matchpathcon /root
> > /root root:object_r:user_home_dir_t
> >
> > ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
> > /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t
>
> The same gives me nothing.

You'll need to change the directory from strict to targeted in your case.

The root user's home directory should definitely be mentioned here (just
checked on a targeted system at work). Is the root user mapped to a
particular SELinux user?

What does "semanage login -l" say?

[... Allowing global_ssp to allow domains access to urandom ...]
> No, it isn't. I did not enable it because I'm still not in hardened
> because I'd want to let SELinux completely work before the conversion.

That's okay. At least we now know that the domain probably needs it. Do you
only get the denials or also an error?

Wkr,
Sven Vermeulen
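The point Sven makes about the alsactl denial (the target is default_t, so the real problem is a mislabelled /root, not a missing allow rule) is easy to miss when reading raw AVC records. The following is an added example, not code from the thread or from the Gentoo SELinux project: a small parser for kernel AVC lines that splits out the permission, the source and target types and the object class, and a triage helper that separates "relabel the file system" cases from genuine policy gaps. The first sample line is the denial quoted above, reassembled onto one line; the second is a constructed variant used to show how denials are grouped the way audit2allow would summarise them. The names `parse_avc`, `triage` and `summarize` are the example's own.

```python
import re
from collections import defaultdict

# Sample 1: the denial quoted in the thread, reassembled onto one line
# (the mail client wrapped it over several lines).
SAMPLE_AVC = (
    'type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 '
    'comm="alsactl" name="root" dev="sda5" ino=1308163 '
    'scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t '
    'tclass=dir'
)

# Sample 2: a constructed follow-up denial (not from the thread) with a
# different permission on the same source/target pair, to show grouping.
SAMPLE_AVC_2 = (
    'type=1400 audit(1345917944.031:4): avc: denied { read } for pid=1433 '
    'comm="alsactl" name="root" dev="sda5" ino=1308163 '
    'scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t '
    'tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "no specific label was assigned", so the fix is usually
# restorecon/relabelling (or a file_contexts entry), not a new allow rule.
GENERIC_TARGET_TYPES = {"default_t", "unlabeled_t", "file_t"}


def parse_avc(line):
    """Return a dict describing one AVC record, or None if line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; keep the type on its own key.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def triage(rec):
    """Classify a denial: 'relabel' when the target carries a generic label
    (the file system labelling is wrong), otherwise 'policy' (the domain
    really is missing an allow rule and an interface should be looked up)."""
    if rec.get("tcontext_type") in GENERIC_TARGET_TYPES:
        return "relabel"
    return "policy"


def summarize(lines):
    """Group denials by (source type, target type, class) and merge the
    permissions, the same shape audit2allow prints as an allow rule."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"))
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_AVC_2):
        rec = parse_avc(line)
        print(rec["comm"], rec["perms"], rec["scontext_type"], "->",
              rec["tcontext_type"], rec["tclass"], "=>", triage(rec))
    for (stype, ttype, tclass), perms in summarize([SAMPLE_AVC, SAMPLE_AVC_2]).items():
        print("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms)))
```

Running it on the two samples reports both denials as "relabel", which matches the advice in the thread: with the target labelled default_t, writing an allow rule for alsa_t on default_t would paper over a labelling bug, whereas a correct user_home_dir_t label on /root would make the existing policy apply.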
