On Thursday, September 21, 2017 at 3:48:45 PM UTC+2, jkitt wrote:
> On Wednesday, 20 September 2017 09:41:58 UTC+1, pels wrote:
> > [ 1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> > [!!!!!!] Failed to mount API filesystems, freezing.
> > [ 1.621206] systemd[1]: Freezing execution.
>
> Looks like a tmpfs cannot be mounted at boot. In actual fact: these default
> policies are never in a "ready to deploy" state. You have to run the policy
> in permissive mode - throughout the normal boot process, and typical use of
> the confined binaries. Once you have built a log of fired rules then you have
> to go back and tweak the policy. There are, shockingly, no good tools to
> parse SELinux audit logs outwith a couple of hard to get tools - distributed
> in the Red Hat repos. I think there is a Gentoo overlay that you can reverse
> engineer, or maybe you can find a working tool. But once you have ironed out
> all the policy violations, and you can boot without firing anything of
> concern, then you are ready for enforcing mode.
>
> Here are some good primers on the subject. The first video, in particular,
> shows how to effectively parse audit logs - with the aforementioned Red Hat
> tool:
>
> https://www.youtube.com/watch?v=MxjenQ31b70
>
> https://www.youtube.com/watch?v=q_y30qZ_plQ
Thank you jkitt for the videos, I'm going to investigate.
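
Added example, not part of the thread and not any distribution's tool: a small Python summarizer for the workflow described in the quoted message, where AVC denials logged during a permissive-mode boot are grouped by source type, target type and object class so each group can be reviewed before the policy is adjusted. The sample records, the process name `exampled` and the type names are constructed for illustration, and `summarize_denials` / `candidate_rules` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1505897000.101:12): avc:  denied  { mounton } for  pid=1 comm="systemd" path="/run" dev="dm-0" ino=131 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1505897000.230:13): avc:  denied  { mount } for  pid=1 comm="systemd" name="/" dev="tmpfs" ino=9001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1505897003.412:27): avc:  denied  { read write } for  pid=412 comm="exampled" name="node0" dev="devtmpfs" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1505897004.007:31): avc:  denied  { read } for  pid=412 comm="exampled" name="node0" dev="devtmpfs" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1505897004.007:31): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL records)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, skip rather than guess
        key = (context_type(fields["scontext"]),
               context_type(fields["tcontext"]), fields["tclass"])
        groups[key]["perms"].update(m.group("perms").split())
        groups[key]["comms"].add(fields.get("comm", "?"))
        groups[key]["count"] += 1
    return dict(groups)

def candidate_rules(groups):
    """Render each group as an allow rule to review by hand, not to load blindly."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Each printed rule is only a starting point for review: a denial may be better resolved by relabeling a file or fixing a domain transition than by granting the permission.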