*Urgent* selinux : could not connect session bus, selinux policy prevents this


 



Hi,
I am using RHEL 6.0.
As a beginner I picked dummy policies in linux-2.6.32-71.el6/scripts/selinux/.
This is a monolithic policy.
After setting up everything, I rebooted the machine. It did all the relabeling.
In permissive mode I looked at the audit logs and found these messages:
type=USER_AVC msg=audit(1360672844.901:8): user pid=1658 uid=81 auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=1 scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1360672844.903:9): user pid=1658 uid=81 auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:  denied  { acquire_svc } for service=com.ubuntu.Upstart spid=1 scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Then I used audit2allow and it suggested:
allow base_t self:dbus acquire_svc;
allow base_t self:dbus send_msg;
 
I added these to policy.conf and recreated policy.24 using checkpolicy.
There was no dbus class defined in policy.conf, so I declared it:
 
class dbus
{
        acquire_svc
        send_msg
}
I rebooted the machine in enforcing mode.
And I could not log in in init 5. (I was able to log in to init 3.)
 
I saw the following message:
"Could not connect to session bus: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination org.freedesktop.DBus")
 
Then again I went into permissive mode and looked at audit.log and found the above messages again.
 
Can someone please help with this?
--
------------------
with regards
Rahul Khali
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
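
The step from the two USER_AVC records in the message above to allow rules, as an added example that is not part of the original post and not audit2allow's own code. The function names are hypothetical, and the sample records are the quoted ones shortened to the fields the parser reads.

```python
import re
from collections import defaultdict

# Shortened copies of the two records quoted in the post.
SAMPLE = [
    "type=USER_AVC msg=audit(1360672844.901:8): user pid=1658 uid=81 "
    "subj=admin_u:admin_r:base_t msg='avc:  denied  { send_msg } for "
    "msgtype=method_call interface=org.freedesktop.DBus member=Hello "
    "dest=org.freedesktop.DBus spid=1 scontext=admin_u:admin_r:base_t "
    "tcontext=admin_u:admin_r:base_t tclass=dbus  exe=\"/bin/dbus-daemon\"'",
    "type=USER_AVC msg=audit(1360672844.903:9): user pid=1658 uid=81 "
    "subj=admin_u:admin_r:base_t msg='avc:  denied  { acquire_svc } for "
    "service=com.ubuntu.Upstart spid=1 scontext=admin_u:admin_r:base_t "
    "tcontext=admin_u:admin_r:base_t tclass=dbus  exe=\"/bin/dbus-daemon\"'",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\w+)"
)

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms, is_userspace) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:mls]; the type is the third field.
    stype = m.group("s").split(":")[2]
    ttype = m.group("t").split(":")[2]
    # USER_AVC records come from a userspace object manager (here
    # dbus-daemon), not from the kernel's own permission checks.
    userspace = line.startswith("type=USER_AVC")
    return stype, ttype, m.group("c"), set(m.group("perms").split()), userspace

def allow_rules(lines):
    """Merge denials that share source, target and class into one rule each."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            stype, ttype, tclass, perms, _ = d
            target = "self" if stype == ttype else ttype
            merged[(stype, target, tclass)] |= perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules
```
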
