On Tue, 2008-09-16 at 13:05 -0500, Manoj Srivastava wrote:
> On Tue, Sep 16 2008, Julien Cristau wrote:
>
> > I just tried booting with selinux=1 on my laptop. I see errors from mpd
> > related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> > from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> > from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> > /proc/net, creating a socket and doing anything with it, then some more
> > errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> > it's not allowed to connect to 11371/tcp), firefox, or gconfd-2. Uptime
> > is about 20 minutes, and dmesg|grep -c 'avc: denied' returns 73.
> > Looks like it's not ready for prime time to me.
>
> Hmm.

My own laptop, installed 2007-02.

$dpkg -l | egrep '^ii' | wc -l
1964
$uptime
 21:07:07 up 3 days, 9 min, 9 users, load average: 0.40, 0.19, 0.23
$cat /var/log/messages{,.0,.1} |audit2allow | egrep -v '(^$)|(^#)'|wc -l
46

Not so bad for an old laptop, with many non-standard settings, and
probably some files that are improperly tagged.

$cat /var/log/messages{,.0,.1} | audit2allow | egrep -v '(^$)|(^#)'
allow avahi_t httpd_t:dbus send_msg;
allow crond_t file_t:file { read getattr };
allow cupsd_t dhcpc_var_run_t:file { read getattr };
allow dhcpc_t avahi_var_run_t:dir { write remove_name search getattr add_name };
allow dhcpc_t avahi_var_run_t:file { write rename create unlink getattr };
allow dhcpc_t etc_t:file { execute execute_no_trans };
allow dhcpc_t lib_t:file execute_no_trans;
allow gpm_t self:process signull;
allow hald_t apm_bios_t:chr_file { read ioctl };
allow hald_t self:capability ipc_lock;
allow hald_t self:dir mounton;
allow hald_t self:process setrlimit;
allow hald_t tmpfs_t:blk_file { read write create };
allow hald_t tmpfs_t:dir { write add_name };
allow hald_t tmpfs_t:filesystem { mount unmount };
allow hald_t xdm_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t dhcpc_var_run_t:file { read getattr };
allow httpd_t httpd_modules_t:lnk_file read;
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t system_dbusd_t:unix_stream_socket connectto;
allow httpd_t system_dbusd_var_run_t:dir search;
allow httpd_t system_dbusd_var_run_t:sock_file write;
allow httpd_t usr_t:file { execute execute_no_trans };
allow httpd_t var_lib_t:dir { create rmdir };
allow httpd_t var_lib_t:file { write append setattr };
allow httpd_t var_t:dir read;
allow httpd_t var_t:file { read getattr ioctl };
allow httpd_t var_t:lnk_file read;
allow inetd_t var_lib_t:dir search;
allow insmod_t device_t:dir { write add_name };
allow insmod_t lib_t:file execute_no_trans;
allow insmod_t self:capability mknod;
allow ldconfig_t usr_t:file read;
allow logrotate_t unconfined_home_dir_t:dir search;
allow mount_t dosfs_t:dir search;
allow mount_t etc_t:file { write append };
allow rpcd_t proc_net_t:lnk_file read;
allow system_dbusd_t inotifyfs_t:dir read;
allow udev_t etc_runtime_t:file { unlink append };
allow udev_t usr_t:file execute;
allow udev_t var_log_t:file read;
allow unconfined_t lib_t:file execmod;
allow unconfined_t self:process { execstack execmem };
allow vbetool_t console_device_t:chr_file { read write };
allow xdm_t hald_t:dbus send_msg;

> I have not tried to boot into enforcing mode, but I am not sure
> which of these are actually needed, and which can safely be denied
> anyway.

Me neither.

> So, 9 missing lines in policy, out of which 6 are about dbus.
> Russell is probably way better than I to try to resolve these issues,
> but I'll see what I can do to help.

The entries related to apache are probably either related to my own
specific settings, or related to libapache2-mod-dnssd. Most of the httpd
entries are probably specific for my configuration.

Franklin
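The two pipelines in the message (counting 'avc: denied' lines, then collapsing them with audit2allow into allow rules) can be reproduced in a few lines, which helps when triaging which denials recur and which source/target type pairs they involve. The following is an added example written for this page, not code from the thread or from audit2allow; the log lines are constructed in the 2008-era kernel AVC format, and the merge only handles the syslog form, not auditd's audit.log.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread), modelled on the
# kernel AVC message format of the time; the last line is not a denial.
SAMPLE_LOG = """\
Sep 16 13:01:02 laptop kernel: audit(1221566462.101:12): avc:  denied  { read } for  pid=2210 comm="dhclient3" name="dev" dev=proc ino=4026531966 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:proc_net_t tclass=file
Sep 16 13:01:02 laptop kernel: audit(1221566462.102:13): avc:  denied  { getattr } for  pid=2210 comm="dhclient3" name="dev" dev=proc ino=4026531966 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:proc_net_t tclass=file
Sep 16 13:01:05 laptop kernel: audit(1221566465.300:14): avc:  denied  { create } for  pid=2210 comm="dhclient3" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
Sep 16 13:02:10 laptop kernel: audit(1221566530.001:15): avc:  denied  { send_msg } for  pid=3100 comm="hald" scontext=system_u:system_r:hald_t tcontext=system_u:system_r:xdm_t tclass=dbus
Sep 16 13:02:11 laptop kernel: dhclient3: bound to 192.0.2.10
"""

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scon"]), type_of(m["tcon"]),
                   m["tclass"], set(m["perms"].split()))

def count_denials(log_text):
    """Equivalent of: grep -c 'avc: denied'."""
    return sum(1 for _ in denials(log_text))

def allow_rules(log_text):
    """Merge denials into audit2allow-style rules, one per (src, tgt, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt = "self" if src == tgt else tgt      # same convention as audit2allow
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print(count_denials(SAMPLE_LOG))
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

A rule generated this way is a description of what was denied, not a justification for allowing it; each one still needs the "is this actually needed" judgement the thread discusses before it goes into policy.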