
loading SELinux rules

23 July 2007, 09:11
by: fleshm
hi,
a question about SELinux, but straight to the point:

cat /var/log/messages | grep avc shows this

Code:

Jul 23 08:04:06 amd64 kernel: audit(1185177835.888:3): avc:  denied  { getattr } for  pid=1400 comm="mount" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185177835.888:4): avc:  denied  { getattr } for  pid=1422 comm="restorecon" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185177839.388:5): avc:  denied  { getattr } for  pid=2211 comm="swapon" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170641.562:6): avc:  denied  { mount } for  pid=2378 comm="mount" name="/" dev=fusectl ino=8942 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:7): avc:  denied  { getattr } for  pid=2397 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:8): avc:  denied  { read write } for  pid=2398 comm="fusermount" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:9): avc:  denied  { write } for  pid=2398 comm="fusermount" name="mtab.fuselock" dev=sda3 ino=1277348 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jul 23 08:04:06 amd64 kernel: audit(1185170645.563:10): avc:  denied  { getattr } for  pid=2860 comm="restorecon" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170646.063:11): avc:  denied  { read write } for  pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:04:06 amd64 kernel: audit(1185170646.063:12): avc:  denied  { ioctl } for  pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:04:07 amd64 kernel: audit(1185170647.063:13): avc:  denied  { write } for  pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:04:12 amd64 kernel: audit(1185170652.063:14): avc:  denied  { search } for  pid=3624 comm="rpc.statd" name="sbin" dev=sda3 ino=163754 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Jul 23 08:04:12 amd64 kernel: audit(1185170652.063:15): avc:  denied  { search } for  pid=3623 comm="rpc.statd" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
Jul 23 08:04:14 amd64 kernel: audit(1185170654.563:16): avc:  denied  { getattr } for  pid=3725 comm="mount" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:17): avc:  denied  { execstack } for  pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:18): avc:  denied  { execmem } for  pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:42 amd64 kernel: audit(1185170682.565:19): avc:  denied  { append } for  pid=3885 comm="hostname" name=".xsession-errors" dev=sda4 ino=551659 scontext=system_u:system_r:hostname_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Jul 23 08:05:36 amd64 kernel: audit(1185170736.068:20): avc:  denied  { write } for  pid=2993 comm="syslogd" name="xconsole" dev=tmpfs ino=10059 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Jul 23 08:05:48 amd64 kernel: audit(1185170748.068:21): avc:  denied  { execmem } for  pid=4206 comm="mono" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:05:48 amd64 kernel: audit(1185170748.568:22): avc:  denied  { execstack } for  pid=4220 comm="glxinfo" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
as you can see, you need to use the audit2allow command, so I used

cat /var/log/messages | grep avc | audit2allow (later I had it write the rules to a file - >> regula.te at the end)

the output of the command was this:

Code:

#============= fsadm_t ==============
allow fsadm_t security_t:filesystem getattr;

#============= hostname_t ==============
allow hostname_t user_home_t:file append;

#============= initrc_t ==============
allow initrc_t self:process { execstack execmem };

#============= mount_t ==============
allow mount_t device_t:chr_file { read write getattr };
allow mount_t etc_t:file write;
allow mount_t security_t:filesystem getattr;
allow mount_t unlabeled_t:filesystem mount;

#============= restorecon_t ==============
allow restorecon_t security_t:filesystem getattr;

#============= rpcd_t ==============
allow rpcd_t sbin_t:dir search;
allow rpcd_t sysctl_fs_t:dir search;

#============= syslogd_t ==============
allow syslogd_t device_t:fifo_file { read write ioctl };
after a reboot I get the same messages. I can't for the life of me find the SELinux policy sources, and aptitude claims they're installed - nice, except there's no src folder anywhere :|. and because of that I can't run make load for the policy :|

Code:

maciek@amd64:~$ aptitude search selinux-policy
i   selinux-policy-refpolicy-dev                                          - Headers from the SELinux reference policy for building modules
i   selinux-policy-refpolicy-doc                                          - Documentation for the SELinux reference policy
i   selinux-policy-refpolicy-src                                          - Source of the SELinux reference policy for customization
i   selinux-policy-refpolicy-strict                                       - Strict variant of the SELinux reference policy
i   selinux-policy-refpolicy-targeted                                     - Targeted variant of the SELinux reference policy
and that's how it is with it. it's starting to annoy me, because kdm crashes on its own when I try to log in as a normal user (not as root oO) - removing /tmp and a manual reset with ctrl+alt+backspace helps - I think it's probably the fault of something in xorg, maybe those execstack and execmem. if anyone knows anything or understood something from this babble :PP let me know. thanks in advance for a reply
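The post pipes denials into plain audit2allow, which only prints rule snippets; those never get loaded by themselves, which is why the same denials come back after a reboot. The part of the job audit2allow automates is grouping `avc: denied` lines by (source type, target type, class) into `allow` rules, and `audit2allow -M local` additionally wraps them in a `module`/`require` header and compiles a loadable `local.pp` that `semodule -i local.pp` installs, with no refpolicy source tree or `make load` involved. The script below is an added example, not code from the post or from the audit2allow project: it re-implements that grouping and module skeleton in a simplified form (no booleans, attributes or dontaudit handling), and adds a review pass for rules that should not be loaded as printed, such as `execmem`/`execstack` for a whole domain, `mount` on `unlabeled_t` filesystems, and writes to `etc_t`. The function names, the `review` heuristics and the sample log lines (which copy the format of the post's messages) are constructed for this example.

```python
"""Turn `avc: denied` log lines into SELinux allow rules, then review them.

Added example, not code from the original post or from audit2allow itself:
a minimal re-implementation of the denial -> allow-rule grouping, a loadable
module skeleton, and a review pass that flags rules a practitioner should not
load blindly.  SAMPLE_LOG is constructed to match the post's log format.
"""
import re
from collections import defaultdict

# Constructed sample input (same shape as the post's /var/log/messages lines).
SAMPLE_LOG = """\
Jul 23 08:04:06 amd64 kernel: audit(1185177835.888:3): avc:  denied  { getattr } for  pid=1400 comm="mount" name="/" dev=selinuxfs ino=934 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170641.562:6): avc:  denied  { mount } for  pid=2378 comm="mount" name="/" dev=fusectl ino=8942 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:7): avc:  denied  { getattr } for  pid=2397 comm="mount.ntfs-3g" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:06 amd64 kernel: audit(1185170642.062:8): avc:  denied  { read write } for  pid=2398 comm="fusermount" name="fuse" dev=tmpfs ino=8936 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jul 23 08:04:15 amd64 kernel: audit(1185170655.063:18): avc:  denied  { execmem } for  pid=3755 comm="Xorg" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Jul 23 08:04:16 amd64 kernel: some unrelated message without a denial
"""

# One AVC record: the permission set in braces, then the two contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type:level -> type (the only part allow rules care about)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one dict per avc-denied line; non-AVC lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m["perms"].split()),
            "source": type_of(m["scontext"]),
            "target": type_of(m["tcontext"]),
            "tclass": m["tclass"],
        })
    return denials


def aggregate(denials):
    """Merge permissions of all denials that share (source, target, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return rules


def render_rule(source, target, tclass, perms):
    """Emit one TE allow rule; a rule on the domain's own type uses `self`."""
    target_expr = "self" if source == target else target
    perms = sorted(perms)
    perm_expr = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target_expr}:{tclass} {perm_expr};"


def render_module(rules, name="local"):
    """Wrap the rules in the module/require header a loadable .te needs."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update({src, tgt})
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [render_rule(*key, perms) for key, perms in sorted(rules.items())]
    return "\n".join(lines) + "\n"


def review(rules):
    """Heuristic warnings (constructed for this example) for rules not to load as-is."""
    warnings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if cls == "process" and perms & {"execmem", "execstack"}:
            warnings.append(f"{src}: execmem/execstack removes W^X for the whole domain; "
                            "fix the binary or run it in its own domain instead")
        if tgt == "unlabeled_t":
            warnings.append(f"{src}: rule targets unlabeled_t; label the filesystem "
                            "(genfscon/relabel) rather than allowing access to unlabeled objects")
        if tgt == "etc_t" and perms & {"write", "append", "create"}:
            warnings.append(f"{src}: write access to etc_t; give that file its own type")
    return warnings


if __name__ == "__main__":
    rules = aggregate(parse_denials(SAMPLE_LOG))
    print(render_module(rules))
    for w in review(rules):
        print("WARNING:", w)
```

Run stand-alone it prints a `local.te` skeleton for the five constructed denials and two warnings: the `initrc_t` execmem rule and the `mount_t` rule against `unlabeled_t`. Note what those two warnings point at in the post's own log: Xorg, mono and glxinfo all run as `initrc_t`, which means no domain transition happened when kdm started them, so allowing `execmem`/`execstack` would grant it to every init script instead of to an X server domain; and the `fusectl` mount is denied because that filesystem has no label at all, which an allow rule on `unlabeled_t` would paper over. The repeated `getattr` on `security_t:filesystem` from `mount`/`restorecon` is harmless noise and is better silenced with a `dontaudit` rule than opened up with `allow`.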