Dear SELinux Gurus,

I am a PhD candidate conducting research into the usability of security mechanisms. I would really appreciate some help regarding the use of SELinux. Let me know if this is not the right place to be asking these types of questions.

I generated a policy for opera using polgengui. I then ran the generated ./opera.sh. Although SELinux was still set to enforcing mode, opera seemed to run unconfined. The executable and process were labelled as expected (unconfined_u:unconfined_r:opera_t). AVCs were generated, but not enforced. I added to opera.te using

    grep opera /var/log/audit/audit.log | audit2allow >> opera.te

and reran ./opera.sh until no AVCs were generated.

Looking at opera.te I noticed the line “permissive opera_t”, and not knowing exactly what this line does, I thought it may be placing this domain into permissive mode (although the GUI tools suggest otherwise). Removing the line causes “/bin/sh: /usr/bin/opera: Permission denied”. No AVCs are generated. So I am not sure why opera seems to be unconfined, or if removing the permissive line was on the right track. Any advice?

Also, I tried creating a policy for kwrite. This time the created policy seemed to be in effect as soon as I ran the kwrite.sh script. I set setenforce 0 and added to kwrite.te (as above for opera) until no error msgs were generated. Then I reran ./kwrite.sh. Now kwrite exits with “kwrite(2533): Couldn’t register name ‘”org.kate-editor.kwrite-2533’” with DBUS – another process owns it already!”. When setenforce 0 it runs without AVCs.

Again, I am sure I am missing something simple and your advice will help a lot. I need to resolve this asap and will really appreciate any advice. Soon I will be running a comparative study comparing a number of security mechanisms and I need to sort this out.

Thank you,
Cliffe.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list