Following the thread below, I set "setsebool -P global_ssp 1" and rebooted, but there
are still a few avc denials left in "dmesg", such as:
audit(1190258497.269:262): avc: denied { read write } for pid=27657 comm="firefox-bin" name="tty1" dev=tmpfs ino=1197 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
audit(1190258497.269:263): avc: denied { execstack } for pid=27657 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
audit(1190258497.269:264): avc: denied { execmod } for pid=27657 comm="firefox-bin" name=" libGL.so.1.2" dev=sda5 ino=189890 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1190258497.769:265): avc: denied { setattr } for pid=27657 comm="firefox-bin" name=".gnome2_private" dev=sda5 ino=791500 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
audit(1190258497.769:266): avc: denied { getattr } for pid=27657 comm="firefox-bin" name="Fonts" dev=sda2 ino=47 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:unlabeled_t tclass=dir
From: Chris PeBenito <[EMAIL PROTECTED]>
Subject: Re: global_ssp boolean
Newsgroups: gmane.linux.gentoo.hardened
Date: 2007-06-26 16:41:32 GMT
On Sun, 2007-06-24 at 20:41 -0400, Bill Sharer wrote:
> Chris P and company
>
> While rummaging through my dmesg's I found a lot of denials related to
> the urandom device and then found the global_ssp boolean when looking at
> stuff through apol. (20070329 ref policy btw). Anyway I also saw this
>
> http://www.nsa.gov/selinux/list-archive/0603/thread_body35.cfm
>
> documenting this gentoo-only flag. The only trouble is that the
> booleans.conf that unpacks with the reference policy has this set to
> false. Is this worth a trip to bugzilla to write it up?
setsebool -P global_ssp 1
That will enable it and make it so it is set on boot. The purpose of
booleans is to provide options to the users.
--
Chris PeBenito <[EMAIL PROTECTED]>
Developer,
Hardened Gentoo Linux
On 9/13/07, guo walter <[EMAIL PROTECTED]> wrote:
>
> According to the thread, I did the following; now, when running "dmesg",
> the avc lines are reduced to 200 from more than 700 initially, a
> little progress :)
> Here is what I did.
>
> (1)#cp -a /dev /mnt/usb
> (2)cd /mnt/usb/
> #setfilecon system_u:object_r:console_device_t console
> #setfilecon system_u:object_r:security_t selinux
> (3)boot from 2005.1 selinux livecd, copy /mnt/usb/dev back
> (4)reboot
>
>
> On 9/13/07, guo walter <[EMAIL PROTECTED]> wrote:
> >
> > Or just a specific directory (don't know which directory) instead of
> >
> > On 9/13/07, guo walter <[EMAIL PROTECTED]> wrote:
> > >
> > > Thanks for your answer, now it seems clearer. I downloaded
> > > hardened-livecd-2005.1.iso, but I cannot use rlpkg to re-label
> > > directly from the livecd system.
> > >
> > > How about this idea:
> > > (1) cp -a / to a USB storage disk with a jfs file system
> > > (2) mount the USB storage jfs file system
> > > (3) rlpkg -a -r
> > > (4) boot from the hardened-livecd-2005.1.iso, cp -a the newly labeled
> > > system back.
> > > Can these steps solve the problem?
> > >
> > >
> > > Walter
> > >
> > >
> > >
> > > On 9/11/07, Remy Bosch <[EMAIL PROTECTED]> wrote:
> > > >
> > > > guo walter wrote:
> > > > > Yep, my question should be the same thing as the thread, and it
> > > > > seems there is no clear solution by now, is there?
> > > >
> > > > Alas, no. Not as simple as in the past without selinux ;)
> > > > The thing here is that at some point you have a running system, but
> > > > there are a few directories/files that need labeling, which cannot be
> > > > done straightforwardly, because they're in use. You need the bare
> > > > filesystem as-is, so mount your root somewhere else and label them as
> > > > wanted. That takes care of the first warnings. After that, you'll have
> > > > to ask/read around as information is a bit fragmented. There isn't a
> > > > full easy howto yet, though there are some very good starting points -
> > > > sorry, I don't have the addresses at hand here.
> > > >
> > > > Good luck,
> > > >
> > > >
> > > > Remy
> > > >
> > > > --
> > > > [EMAIL PROTECTED] mailing list
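The denials quoted at the top of the thread are easier to work through when they are grouped and sorted by what each one actually needs. The script below is an added example, not code from the thread or from any Gentoo tool: a POSIX shell/awk function that groups AVC denials by source type, target type, object class and permissions, and tags each group with a triage hint: "relabel" when the target type is unlabeled_t (as in the Fonts denial, where no policy change will help until the directory gets a label), "execmem" for execmod/execstack/execheap denials (which come from the binary or library wanting writable and executable memory and are not a labeling problem either), and "policy" for everything else. The sample input is constructed from the lines quoted above; the function names avc_summary and count_relabel_candidates and the hint labels are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Groups SELinux AVC denials
# (the "avc: denied { perm } ... scontext=... tcontext=... tclass=..." lines
# the kernel prints) and tags each group with a triage hint.
#
# The sample below is constructed from the denials quoted in the thread;
# the kernel prints each denial on a single line.
SAMPLE_AVC='audit(1190258497.269:262): avc: denied { read write } for pid=27657 comm="firefox-bin" name="tty1" dev=tmpfs ino=1197 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
audit(1190258497.269:263): avc: denied { execstack } for pid=27657 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
audit(1190258497.269:264): avc: denied { execmod } for pid=27657 comm="firefox-bin" name=" libGL.so.1.2" dev=sda5 ino=189890 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1190258497.769:266): avc: denied { getattr } for pid=27657 comm="firefox-bin" name="Fonts" dev=sda2 ino=47 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:unlabeled_t tclass=dir'

# avc_summary: AVC lines on stdin -> one tab-separated line per distinct
# (count, source type, target type, class, permissions, hint), sorted.
# Hints (my own labels):
#   relabel - target type is unlabeled_t: the object has no label, so fix the
#             file context (restorecon/rlpkg), not the policy
#   execmem - execmod/execstack/execheap: the binary or library wants writable
#             and executable memory (text relocations, executable stack); a
#             label change will not help, fix the binary or allow it deliberately
#   policy  - anything else: decide whether the access should be allowed by
#             policy or by a boolean
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied [{] */, "", perms); sub(/ *[}].*/, "", perms)
        sc = $0; sub(/.*scontext=/, "", sc); sub(/ .*/, "", sc)
        tc = $0; sub(/.*tcontext=/, "", tc); sub(/ .*/, "", tc)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        # a context is user:role:type[:level]; the type is always field 3
        split(sc, s, ":"); split(tc, t, ":")
        hint = "policy"
        if (t[3] == "unlabeled_t") hint = "relabel"
        else if (perms ~ /exec(mod|stack|heap)/) hint = "execmem"
        count[s[3] "\t" t[3] "\t" cls "\t" perms "\t" hint]++
    }
    END { for (k in count) print count[k] "\t" k }' | sort
}

# count_relabel_candidates: number of distinct denial groups that only need a label
count_relabel_candidates() {
    avc_summary | awk -F "\t" '$6 == "relabel" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample (use `dmesg | avc_summary` live).
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Against a live system, `dmesg | avc_summary` (or the audit log, if auditd is running) gives the same table; the "relabel" rows are the ones a relabel from a rescue environment, as discussed in the thread, will clear, while the "execmem" rows will survive any relabel. Because the type is taken as the third field of the context, the script also works on MLS/MCS policies where a fourth level field is present.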