| 1 |
Hi, |
| 2 |
|
| 3 |
I followed the steps on |
| 4 |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=2 |
| 5 |
|
| 6 |
to convert an existing system to SELinux and also have gone through the |
| 7 |
"Troubleshooting SELinux" section of the handbook but with no success. |
| 8 |
|
| 9 |
I use the "selinux/2005.1/x86" profile, kernel "2.6.14-hardened-r5", |
| 10 |
policy version 20, XFS as root filesystem, udev. |
| 11 |
|
| 12 |
I re-emerged all packages of the whole system, relabeled the whole |
| 13 |
filesystem, restorecon /dev, did a "rlpkg" of sysvinit, bash, glibc, |
| 14 |
pam, openssh, coreutils and many others, but nothing helps. |
| 15 |
|
| 16 |
According to the troubleshooting section in the handbook everything |
| 17 |
looks fine, all the suggested commands work without warnings or errors, |
| 18 |
all security labels are set like shown, but things still do not work. |
| 19 |
|
| 20 |
For example I can do the following: |
| 21 |
|
| 22 |
cd /etc/security/selinux/src/policy |
| 23 |
make clean |
| 24 |
make install |
| 25 |
make load |
| 26 |
ls |
| 27 |
|
| 28 |
and as result I get the following syslog message; |
| 29 |
==> /var/log/kern.log <== |
| 30 |
Mar 18 12:36:47 server audit(1142681807.921:440): avc: denied { |
| 31 |
getattr } for pid=24263 comm="ls" name="COPYING" dev=sda2 ino=234881155 |
| 32 |
scontext=root:staff_r:staff_t tcontext=system_u:object_r:named_zone_t |
| 33 |
tclass=dir |
| 34 |
[...] |
| 35 |
|
| 36 |
And of course hundreds more, once from every command I call, even init |
| 37 |
and bash are denied - so I can only boot up the machine in permissive mode. |
| 38 |
|
| 39 |
Here what "sestatus" shows: |
| 40 |
---------------------------------- |
| 41 |
SELinux status: enabled |
| 42 |
SELinuxfs mount: /selinux |
| 43 |
Current mode: permissive |
| 44 |
Policy version: 20 |
| 45 |
|
| 46 |
Policy booleans: |
| 47 |
secure_mode inactive |
| 48 |
ssh_sysadm_login inactive |
| 49 |
user_ping inactive |
| 50 |
---------------------------------- |
| 51 |
|
| 52 |
Any ideas what goes wrong ? |
| 53 |
Did I miss something ? |
| 54 |
|
| 55 |
thanks, |
| 56 |
Thomas |
| 57 |
|
| 58 |
-- |
| 59 |
gentoo-hardened@g.o mailing list |
Archives