A question about SELinux, straight to the point:
cat /var/log/messages | grep avc shows this:
Jul 23 08:04:06 amd64 kernel: audit(1185177835.888:3): avc: denied { getattr } for pid=1400 comm="mount" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185177835.888:4): avc: denied { getattr } for pid=1422 comm="restorecon" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185177839.388:5): avc: denied { getattr } for pid=2211 comm="swapon" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170641.562:6): avc: denied { mount } for pid=2378 comm="mount" name="/" dev=fusectl ino=8942 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:7): avc: denied { getattr } for pid=2397 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:8): avc: denied { read write } for pid=2398 comm="fusermount" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:9): avc: denied { write } for pid=2398 comm="fusermount" name="mtab.fuselock" dev=sda3 ino=1277348 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jul 23 08:04:06 amd64 kernel: audit(1185170645.563:10): avc: denied { getattr } for pid=2860 comm="restorecon" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170646.063:11): avc: denied { read write } for pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:04:06 amd64 kernel: audit(1185170646.063:12): avc: denied { ioctl } for pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:04:07 amd64 kernel: audit(1185170647.063:13): avc: denied { write } for pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:04:12 amd64 kernel: audit(1185170652.063:14): avc: denied { search } for pid=3624 comm="rpc.statd" name="sbin" dev=sda3 ino=163754 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Jul 23 08:04:12 amd64 kernel: audit(1185170652.063:15): avc: denied { search } for pid=3623 comm="rpc.statd" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
Jul 23 08:04:14 amd64 kernel: audit(1185170654.563:16): avc: denied { getattr } for pid=3725 comm="mount" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:17): avc: denied { execstack } for pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:18): avc: denied { execmem } for pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:42 amd64 kernel: audit(1185170682.565:19): avc: denied { append } for pid=3885 comm="hostname" name=".xsession-errors" dev=sda4 ino=551659 scontext=system_u:system_r:hostname_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Jul 23 08:05:36 amd64 kernel: audit(1185170736.068:20): avc: denied { write } for pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:05:48 amd64 kernel: audit(1185170748.068:21): avc: denied { execmem } for pid=4206 comm="mono" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:05:48 amd64 kernel: audit(1185170748.568:22): avc: denied { execstack } for pid=4220 comm="glxinfo" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
cat /var/log/messages | grep avc | audit2allow (later I had it write the rules to a file, with >> regula.te at the end)
The output of the command was this:
#============= fsadm_t ==============
allow fsadm_t security_t:filesystem getattr;
#============= hostname_t ==============
allow hostname_t user_home_t:file append;
#============= initrc_t ==============
allow initrc_t self:process { execstack execmem };
#============= mount_t ==============
allow mount_t device_t:chr_file { read write getattr };
allow mount_t etc_t:file write;
allow mount_t security_t:filesystem getattr;
allow mount_t unlabeled_t:filesystem mount;
#============= restorecon_t ==============
allow restorecon_t security_t:filesystem getattr;
#============= rpcd_t ==============
allow rpcd_t sbin_t:dir search;
allow rpcd_t sysctl_fs_t:dir search;
#============= syslogd_t ==============
allow syslogd_t device_t:fifo_file { read write ioctl };
maciek@amd64:~$ aptitude search selinux-policy
i selinux-policy-refpolicy-dev - Headers from the SELinux reference policy for building modules
i selinux-policy-refpolicy-doc - Documentation for the SELinux reference policy
i selinux-policy-refpolicy-src - Source of the SELinux reference policy for customization
i selinux-policy-refpolicy-strict - Strict variant of the SELinux reference policy
i selinux-policy-refpolicy-targeted - Targeted variant of the SELinux reference policy
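The post above shows the raw mapping audit2allow performs: each AVC denial is reduced to (source type, target type, class, permissions), denials with the same key are merged, and the result is printed per source type, with `self` used when source and target type coincide. The script below is an added example, not part of the post and not the audit2allow source; it reimplements that reduction over a handful of constructed log lines modelled on the ones in the post, and additionally flags rules a practitioner should review rather than load blindly (execmem/execstack and friends, and anything granting access to unlabeled_t). The `RISKY_PERMS` and `RISKY_TTYPES` sets are this example's own review heuristic, not an audit2allow feature.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the denials quoted in the post (not the original log).
SAMPLE_AVC = """\
Jul 23 08:04:06 amd64 kernel: audit(1185177835.888:3): avc: denied { getattr } for pid=1400 comm="mount" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:7): avc: denied { getattr } for pid=2397 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:8): avc: denied { read write } for pid=2398 comm="fusermount" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:17): avc: denied { execstack } for pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:18): avc: denied { execmem } for pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:06 amd64 kernel: audit(1185170641.562:6): avc: denied { mount } for pid=2378 comm="mount" name="/" dev=fusectl ino=8942 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: some unrelated kernel message
"""

# Pull the permission set, both contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Example-only review heuristic (assumption, not an audit2allow feature):
# permissions that weaken W^X, and a target type meaning "nothing labelled this".
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}
RISKY_TTYPES = {"unlabeled_t"}


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial; ignore
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = set(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms


def build_rules(text):
    """Merge all denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render the merged rules grouped by source type, in audit2allow-like form."""
    out = []
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s != stype:
                continue
            target = "self" if ttype == stype else ttype  # same type: 'self'
            ordered = sorted(perms)
            perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
            out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return "\n".join(out)


def flag_risky(rules):
    """Return rule keys (with sorted perms) that deserve a manual look before loading."""
    flagged = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if perms & RISKY_PERMS or ttype in RISKY_TTYPES:
            flagged.append((stype, ttype, tclass, sorted(perms)))
    return flagged


if __name__ == "__main__":
    merged = build_rules(SAMPLE_AVC)
    print(format_rules(merged))
    for entry in flag_risky(merged):
        print("# REVIEW before allowing:", entry)
```

Run against the post's full log the script reproduces the grouping shown above; the two `initrc_t self:process { execmem execstack }` and `mount_t unlabeled_t:filesystem mount` rules are the ones it flags, which is the point: audit2allow tells you what would silence the denials, not whether granting it is a good idea.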