Re: Trying SELinux again on CentOS 5.1 - HOPELESS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel J Walsh wrote:
Simplest thing is to run this through
# grep avc /var/log/audit2allow | audit2allow -M mypol
# semodule -i mypol.pp


You might want to first update to the U2 preview policy, available on
http://people.redhat.com/dwalsh/SELinux/RHEL5

This is turning into a worse disaster than I would have imagined.
I updated to selinux-policy-targeted-2.4.6-122.el5 and ran
audit2allow and semodule from the AVCs I now got when starting
eth1.  All looked good for a moment.  Then I tried changing
the config file for named so that the next network restart
would cause an update.  Got 151 new AVCs from that.  Built
a new policy to include allows for those AVCs, installed that,
and tried the experiment again.  Got another 20 AVCs.  This
is unending.  The cuplrit appears to be a "pidof -o $PPID named"
command which is getting a denial for each process on the
system:

avc: denied { ptrace } for pid=6134 comm="pidof" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process

OK, it only really needs to succeed for the tcontext of the actual
named process, but the log is going to get flooded with meaningless
denials every time this runs.

While I was tracking that down, a cron job that fetches news started
and plopped a bunch more AVC denials in the log.  When I printed out
the /etc/dhclient-exit-hooks script for study, I got a whole bunch
move denials from the hplip package.

This situation is 100% hopeless.  SELinux just keeps getting worse
and worse.  Enforcing mode would be equivalent to turning the system
off.  I'd need a daemon that scans the log for AVC denials and
automatically runs audit2allow, etc., on whatever it finds to have
any hope of keeping up.  Absent a paid expert to write custom policy,
SELinux on the desktop is suitable only for systems that run the
Linux distribution 100% as supplied, with no changes whatsoever,
and with the additional restriction that the user's interaction is
limited to clicking on icons.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux