On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote:
> Hello Sven, first of all, all the denials I wrote here are from
> enforcing mode.

Oh that's good then. Would you also happen to get any failures from the
applications themselves (or error messages you get)?

Or, in other words, why shouldn't I just dontaudit everything ;)

Getting the error messages is a very important and often misunderstood part.
It helps identify the reason why something needs to be allowed (since for
SELinux policies, we have several interfaces that allow something, but
depending on the reason why it needs to be allowed, we might need to use a
different interface) and also document the problem so the fix is easier to
submit upstream.

> >> Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400
> >> audit(1345917944.027:3): avc: denied { search } for pid=1433
> >> comm="alsactl" name="root" dev="sda5" ino=1308163
> >> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
> >> tclass=dir
> > This says /root is default_t again. Mine says:
> >
> > ~ # matchpathcon /root
> > /root root:object_r:user_home_dir_t
> >
> > ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep user_home_dir_t
> > /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d root:object_r:user_home_dir_t
>
> The same gives me nothing.

You'll need to change the directory from strict to targeted in your case.

The root user's home directory should definitely be mentioned here (just
checked on a targeted system at work). Is the root user mapped to a
particular SELinux user?

What does "semanage login -l" say?

[... Allowing global_ssp to allow domains access to urandom ...]
> No, it isn't. I did not enable it because I'm still not in hardened
> because I'd want to let selinux completely work before the conversion.

That's okay. At least we now know that the domain probably needs it. Do you
only get the denials or also an error?

Wkr,
Sven Vermeulen
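The exchange above turns on two checks: reading the fields of an AVC denial (here the target type is default_t, so /root is simply mislabeled rather than the policy lacking a rule) and looking in the file_contexts directory of the policy type actually in use (targeted, not strict). The following POSIX sh script is an added example, not code from the thread or from the Gentoo SELinux project. It splits a denial line into its fields, classifies a target type of default_t, unlabeled_t or file_t as a labeling problem (my heuristic, not a rule from the thread: for those, matchpathcon and restorecon are the next step, otherwise the application's own error message is what you need to pick an interface), and derives the file_contexts directory from SELINUXTYPE in an /etc/selinux/config-style file (assumed layout). The sample line is the denial quoted in the thread, joined onto one line.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: split an AVC denial
# into the fields that decide the next step (relabel the object, or find the
# right policy interface), and locate file_contexts for the configured
# policy type (strict vs targeted). Assumes /etc/selinux/config-style files.

# The denial quoted in the thread, joined onto one line.
SAMPLE='Aug 25 18:06:05 dell-studio kernel: [ 8.028595] type=1400 audit(1345917944.027:3): avc: denied { search } for pid=1433 comm="alsactl" name="root" dev="sda5" ino=1308163 scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir'

# avc_field LINE KEY: value of KEY=value or KEY="value" in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of a user:role:type[:level] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify LINE: "labeling" when the target carries a placeholder type
# (default_t, unlabeled_t, file_t; heuristic list, an assumption of this
# example), meaning the object on disk is mislabeled and matchpathcon /
# restorecon are the next step; "policy" otherwise, meaning the
# application's error message is needed to choose the right interface.
avc_classify() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        default_t|unlabeled_t|file_t) echo labeling ;;
        *) echo policy ;;
    esac
}

# policy_type CONFIG: SELINUXTYPE from an /etc/selinux/config-style file.
policy_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1
}

# file_contexts_dir CONFIG: where file_contexts* for that policy type live,
# i.e. the directory to grep instead of hard-coding strict or targeted.
file_contexts_dir() {
    echo "/etc/selinux/$(policy_type "$1")/contexts/files"
}

# avc_summary LINE: one-line digest of a denial plus its classification.
avc_summary() {
    line=$1
    printf 'comm=%s perm=%s source=%s target=%s class=%s -> %s\n' \
        "$(avc_field "$line" comm)" "$(avc_perm "$line")" \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" "$(avc_classify "$line")"
}

avc_summary "$SAMPLE"
```

For the sample line the summary reads `comm=alsactl perm=search source=alsa_t target=default_t class=dir -> labeling`, which is the conclusion reached in the thread: check `matchpathcon /root` against the file_contexts files under the directory `file_contexts_dir /etc/selinux/config` prints, and relabel rather than write policy.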