From what I've seen, current SELinux policy has a number of 'issues',
mainly because it is based on a reference policy that is now almost 2
years old. If you are willing to wait a bit, I would recommend running
with SELinux in 'Permissive' mode for the time being. I am doing a lot
of testing and working with PeBenito to get the current v2ref policy
whipped into shape so that we can deploy it on Gentoo. It will
necessitate an upgrade process and recompiling some stuff, but in my
testing so far it seems to be working fairly nicely.
I don't know when PeBenito plans to release the v2ref policy on Gentoo,
but I've gotten the impression from talking to him that he'd rather it
be sooner than later, if at all possible (that's just my impression,
though; I wouldn't presume to speak for him).
Later,
Chris
On 02/03/2010 11:05 PM, Jonathan wrote:
I'm trying to get SELinux to work on my desktop system, but I cannot get past udev in enforcing mode.
I have removed the date, time and type=1400 from all the log lines.
audit(1264997163.292:3): avc: denied { execute_no_trans } for pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
audit(1264997163.317:4): avc: denied { signal } for pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1264997163.929:5): avc: denied { read } for pid=1004 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=373 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
audit(1264997164.072:6): avc: denied { search } for pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1264997164.072:7): avc: denied { read } for pid=1184 comm="lvm" name="cmdline" dev=proc ino=3832 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=file
audit(1264997164.165:8): avc: denied { getattr } for pid=1184 comm="lvm" path="/dev/shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1264997164.165:9): avc: denied { read } for pid=1184 comm="lvm" name="shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1264997164.319:10): avc: denied { read write } for pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
audit(1264997168.627:22): avc: denied { read write } for pid=1365 comm="dmesg" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
As you can see, it's all downhill from the first error. Is this because I'm overriding a profile mask on the multilib USE flag?
I'm running an AMD64 two-core system using GNOME and the SLiM login manager.
My udev version is 151-r1. I was using the stable version and I was getting the same errors.
The profile I am using is Selinux/2007.0/Amd64.
My kernel is 2.6.31-gentoo-r10.
I used the Gentoo SELinux handbook[1] to set up, well... SELinux; some parts of the handbook are years out of date.
[1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml