Matt Harrison wrote:
max wrote:
Matt Harrison wrote:
Matt Harrison wrote:
I previously installed a virtual machine with selinux etc to see if I
could get my head round it and it all worked fine.
Actually this isn't true, when enabling enforce on my test machine it
locks me out of everything as well.
This is a complete mystery to me and quite disappointing.
set selinux to permissive and check the logs when the box comes up
Thanks for the reply,
Ok, firstly if I boot up in enforcing mode it halts saying something
like access to /sbin/init was denied.
If I boot up permissive I get tonnes of denied messages in dmesg.
There's far too many to list so I've attached a trimmed dmesg output,
starting from the first related message.
>From my untrained eye looking over these messages it seems that a lot of
core system stuff is being denied access, why I have no clue, everything
should be labelled and setup according to the gentoo selinux howto.
Grateful for any input.
Thanks
Matt
Do you happen to have the build.conf file for your policy? I am still
working on building my gentoo box, i mainly run fedora but I notice
that, at least on Fedora, the following is set to allow(From your dmesg):
security: class peer not defined in policy
security: class capability2 not defined in policy
security: permission recvfrom in class node not defined in policy
security: permission sendto in class node not defined in policy
security: permission ingress in class netif not defined in policy
security: permission egress in class netif not defined in policy
security: permission setfcap in class capability not defined in policy
security: permission flow_in in class packet not defined in policy
security: permission flow_out in class packet not defined in policy
security: permission forward_in in class packet not defined in policy
security: permission forward_out in class packet not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: policy loaded with handle_unknown=deny
If i compile a policy on Fedora this is always set to allow, if not I
usually run into problems like your having, I don't know enough about
gentoo to know if this is supposed to be this way here or not, perhaps
someone else can supply the answer. The description in the build.conf file:
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
# kernel but missing from the policy. The permissions
# can either be allowed, denied, or the policy loading
# can be rejected.
# allow, deny, and reject are current options.
You could try recompiling the policy with this set to allow, that, i
think, should resolve the issue for you but I don't really know how
different the default fedora and gentoo policies are so take it with a
grain of salt. Aside from that I could only suggest running the denials
through audit to allow2allow but I think changing that option there is
your best bet. Your showing quite a few things not defined in policy and
they are getting denied.
UNK_PERMS=allow
-Max