Hi,
On Sun, Jun 10, 2007 at 05:13:29PM +0200, GNUtoo no-log.org wrote:
> hello, I just installed selinux and read the manual... I have some questions
> about selinux:
> * Are there any tools compatible with the 2006.1 profile in portage that can
> make security policies for applications such as tremulous and nexuiz? I
> searched a bit on the net and I found a solution:
> http://www.nsa.gov/selinux/list-archive/0702/19543.cfm
> using runcon to change the context in which the games are run, but it
> seems that it's not supported yet:
> # runcon -c -u system_u -r object_r -t games_exec_t ./nexuiz
> system_u:object_r:games_exec_t is not a valid context
because selinux-games does not exist yet. See my other mail
for details on how to fix this.
> * How do I make boot possible with the enforcement mode on? I have some denials:
> audit(1181367493.741:3): avc: denied { read write } for pid=1231 comm="hotplug" name="tty" dev=md3 ino=20710227 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1181367495.241:4): avc: denied { read write } for pid=1267 comm="mount" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1181367495.241:5): avc: denied { read write } for pid=1286 comm="restorecon" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1181367501.240:6): avc: denied { read write } for pid=3414 comm="dmsetup" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=chr_file
Your (underlying) /dev was not labeled. This has been
covered not so long ago on this list.
I recommend a static dev.
> audit(1181367501.240:7): avc: denied for pid=3428 comm="mount" name="tmp" dev=md3 ino=6668330 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
Not sure what you are trying to mount here.
> audit(1181360304.943:8): avc: denied for pid=3496 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:9): avc: denied for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:10): avc: denied for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:11): avc: denied for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360306.943:12): avc: denied for pid=3495 comm="update-modules" name="build" dev=md3 ino=7575114 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
> audit(1181360306.943:13): avc: denied for pid=7144 comm="update-modules" name="linux-2.6.21-rt2" dev=md3 ino=2539665 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:src_t tclass=dir
No servers here needing modules, sorry.
bye,
peter
--
petre rodan
<kaiowas gentoo.org>
Developer,
Hardened Gentoo Linux
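An added example, not from either poster, that parses AVC denial lines like the ones quoted in the thread and separates denials whose target is the unlabeled type file_t (fixed by relabeling the filesystem, as the reply says for /dev) from denials against a labeled type (which point at policy). The sample lines are rejoined copies of the thread's own; the assumption that file_t is the unlabeled type follows the reply above.

```python
import re

# Constructed sample: three denials quoted in the thread, rejoined
# onto one line each (the mailing list wrapped them).
SAMPLE_AVC = """\
audit(1181367493.741:3): avc: denied { read write } for pid=1231 comm="hotplug" name="tty" dev=md3 ino=20710227 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367495.241:4): avc: denied { read write } for pid=1267 comm="mount" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367501.240:7): avc: denied for pid=3428 comm="mount" name="tmp" dev=md3 ino=6668330 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
"""

# "avc: denied { perms } for key=value ..."; the permission set is
# optional because some kernels (as in the thread) log none.
AVC_RE = re.compile(r'avc:\s+denied\s*(?:\{\s*(?P<perms>[^}]*)\})?\s*for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: file_t is the type of files that carry no label at all,
# as in the reference policy this thread is about.
UNLABELED_TYPE = 'file_t'

def parse_avc(line):
    """Return the denial's fields as a dict, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = (m.group('perms') or '').split()
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            # contexts are user:role:type[:level]; the type decides the rule
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

def classify(log_text):
    """Split denials into 'unlabeled' (fix by relabeling) and 'policy'."""
    out = {'unlabeled': [], 'policy': []}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = 'unlabeled' if rec.get('tcontext_type') == UNLABELED_TYPE else 'policy'
        out[bucket].append((rec['comm'], rec['tclass'], rec['name'], rec['tcontext_type']))
    return out

if __name__ == '__main__':
    for bucket, entries in classify(SAMPLE_AVC).items():
        print(bucket)
        for comm, tclass, name, ttype in entries:
            print(f"  {comm} on {tclass} {name} labeled {ttype}")
```

Feed it the output of `dmesg` or the audit log from a failed enforcing boot; anything landing in the "unlabeled" bucket is a relabel problem, not a missing allow rule.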