| 1 |
On Sat, Jul 21, 2012 at 7:14 PM, Sven Vermeulen <swift@g.o> wrote: |
| 2 |
|
| 3 |
> On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote: |
| 4 |
> > I have just installed selinux on my gentoo box, and getting difficulties |
| 5 |
> in |
| 6 |
> > permissive mode. If someone can have a look at this and point me |
| 7 |
> > somewhere... |
| 8 |
> > |
| 9 |
> > Emerge doesn't work If i run it from terminal in X11 - it call traces, |
| 10 |
> > cant merge anything. In dmesg I can find: |
| 11 |
> > |
| 12 |
> > ---------------- |
| 13 |
> > type=1400 audit(1342877962.365:424): avc: denied { read write } for |
| 14 |
> > pid=15719 comm="sh" name="1" dev="devpts" ino=4 |
| 15 |
> > scontext=system_u:system_r:portage_fetch_t |
| 16 |
> > tcontext=system_u:object_r:devpts_t tclass=chr_file |
| 17 |
> |
| 18 |
> Looking at this first message already shows something weird: it sais that |
| 19 |
> the source context is "system_u:system_r:portage_fetch_t", whereas this |
| 20 |
> should be either "staff_u:sysadm_r:portage_fetch_t" or |
| 21 |
> "root:sysadm_r:portage_fetch_t". |
| 22 |
> |
| 23 |
> [...] |
| 24 |
> > I switch to root and then do newrole -t sysadm_t - after that I'm trying |
| 25 |
> to |
| 26 |
> > emerge something. |
| 27 |
> > Ofcourse from raw console a.k.a. non X env, emerging works. |
| 28 |
> [...] |
| 29 |
> > # id -Z // after switching to root and changing newrole |
| 30 |
> > system_u:system_r:sysadm_t |
| 31 |
> |
| 32 |
> It looks like there is no proper transitioning after logon. |
| 33 |
> |
| 34 |
> First, make sure you ran "dispatch-conf" or "etc-update" to make sure |
| 35 |
> changes are made to your PAM configuration files. |
| 36 |
> |
| 37 |
> Next, for the graphical logon (including GDM), you might need to manually |
| 38 |
> update to add in pam_selinux.so (see |
| 39 |
> |
| 40 |
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3 |
| 41 |
> ) |
| 42 |
> |
| 43 |
> Make sure that, when logged on, your "id -Z" shows you as being staff_u (or |
| 44 |
> user_u, but then you won't be able to adminster the system), or if you log |
| 45 |
> on as root, probably the "root" SELinux user. |
| 46 |
> |
| 47 |
|
| 48 |
Thank all you for your replies :-) |
| 49 |
|
| 50 |
So after messing with semanage/pam I have: |
| 51 |
-------------------- |
| 52 |
#semanage login -l |
| 53 |
|
| 54 |
Login Name SELinux User |
| 55 |
|
| 56 |
__default__ user_u |
| 57 |
root root |
| 58 |
system_u system_u |
| 59 |
ivan staff_u |
| 60 |
-------------------- |
| 61 |
|
| 62 |
which results in console for user root context like |
| 63 |
"root:sysadm_r:sysadm_t", |
| 64 |
whereas in X11 terminal, (after switching from ivan user to root by su -) |
| 65 |
-> "staff_u:staff_r:staff_t". |
| 66 |
I understand that in X11 term I'll have to "newrole -r sysadm_r" for root |
| 67 |
everytime, when I will want to administrate the system? |
| 68 |
And what about the context's difference between root (root:...) logged from |
| 69 |
console and root (staff_u:...) logged via x11 terminal - is that wrong? |
| 70 |
|
| 71 |
Ivan |
| 72 |
|
| 73 |
|
| 74 |
> |
| 75 |
> Only then can we go further. And as already mentioned, it's "newrole -r |
| 76 |
> sysadm_r" as we need to change our (operational) role towards the system |
| 77 |
> administration role. |
| 78 |
> |
| 79 |
> Wkr, |
| 80 |
> Sven Vermeulen |
| 81 |
> |
| 82 |
> |
Archives