On Wednesday, 20 September 2017 09:41:58 UTC+1, pels  wrote:
> [    1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> [!!!!!!] Failed to mount API filesystems, freezing.
> [    1.621206] systemd[1]: Freezing execution.

Looks like a tmpfs cannot be mounted at boot. In actual fact, these default 
policies are never in a "ready to deploy" state. You have to run the policy in 
permissive mode throughout the normal boot process and typical use of the 
confined binaries. Once you have built a log of fired rules, you have to go 
back and tweak the policy. There are, shockingly, no good tools to parse 
SELinux audit logs outwith a couple of hard-to-get tools distributed in the 
Red Hat repos. I think there is a Gentoo overlay that you can reverse engineer, 
or maybe you can find a working tool. But once you have ironed out all the 
policy violations, and you can boot without firing anything of concern, then 
you are ready for enforcing mode.

Here are some good primers on the subject. The first video, in particular, 
shows how to effectively parse audit logs - with the aforementioned redhat tool:

https://www.youtube.com/watch?v=MxjenQ31b70

https://www.youtube.com/watch?v=q_y30qZ_plQ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3f1c9bc5-3b46-4b14-8856-1493f9ea6472%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
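The permissive-boot, collect-denials, tweak, enforce cycle described in the reply above, as an added example that is not part of the original post or of any Qubes/Gentoo tooling. The audit records in SAMPLE_AUDIT_LOG are constructed to resemble the quoted "Failed to mount tmpfs at /run" failure and are not the poster's log; summarize_avc is a small awk reducer that performs the first step the Red Hat audit2allow tool does (collapsing raw AVC records to distinct source/target/class/permission tuples), so you can read the denials before deciding which ones deserve an allow rule. The permissive_cycle function shows the stock commands (setenforce, ausearch, audit2allow, semodule) and is defined but not run.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes auditd's standard AVC
# record format. SAMPLE_AUDIT_LOG is CONSTRUCTED, modelled on the quoted
# tmpfs-at-/run failure; permissive=1 marks a denial that was logged but
# allowed to proceed, which is why one permissive boot shows all of them.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1505896918.617:4): avc:  denied  { mount } for  pid=1 comm="systemd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=SYSCALL msg=audit(1505896918.617:4): arch=c000003e syscall=165 success=yes exit=0 comm="systemd"
type=AVC msg=audit(1505896918.617:5): avc:  denied  { mounton } for  pid=1 comm="systemd" path="/run" dev="rootfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1505896919.002:7): avc:  denied  { mount } for  pid=1 comm="systemd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1505896920.310:9): avc:  denied  { write } for  pid=214 comm="dbus-daemon" name="system_bus_socket" dev="tmpfs" ino=40 scontext=system_u:system_r:dbusd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1'

# Collapse raw AVC records (stdin) into one line per distinct
# "<count> scontext tcontext tclass { perms }" tuple. That tuple is the unit
# a policy allow rule is written against and the reduction audit2allow starts
# from; reading it first tells you whether the fix is an allow rule, a
# dontaudit, or simply a mislabelled file (fixed with restorecon, not policy).
summarize_avc() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") s = v
            else if (k == "tcontext") t = v
            else if (k == "tclass") c = v
        }
        if (s != "" && t != "" && c != "")
            seen[s " " t " " c " " perms]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' | sort -k2
}

# Number of distinct denial tuples in the constructed sample, as a function so
# the value can be checked rather than only printed.
count_distinct_denials() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc | wc -l | tr -d ' '
}

# The cycle the reply describes, using the stock tools. Run as root on the
# machine being tuned; this function is NOT called by this script. Denials
# raised during early boot (like the /run tmpfs one) happen before setenforce
# can run, so permissive mode for the boot itself comes from the kernel
# command line (enforcing=0); setenforce 0 only covers the interactive part.
permissive_cycle() {
    setenforce 0
    # ... exercise the confined daemons the way they are normally used ...
    ausearch -m AVC,USER_AVC -ts boot > /root/avc-since-boot.log
    summarize_avc < /root/avc-since-boot.log      # review every tuple first
    # Only after review: turn the denials that really need allowing into a
    # local module. audit2allow allows everything it is fed, so feed it only
    # the records you have decided to permit.
    audit2allow -M local_fixes < /root/avc-since-boot.log
    semodule -i local_fixes.pp
    setenforce 1
    getenforce                                    # expect "Enforcing"
}

# Stand-alone run: summarize the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc
```

The two init_t mount records collapse into one tuple with count 2, which is the point of the reduction: a boot log with thousands of lines usually contains only a handful of distinct tuples, and those are what you read before touching the policy.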