Hello, I'm trying to stabilize refpolicy-20070928 on Debian Etch. A repository with some updated selinux packages will be available soon. I took packages from Sid and updated them with the 20070928 upstream releases. I'm an SELinux beginner, but my intention is to finally understand SELinux :) and run targeted and possibly strict policies in a production environment on Debian.

Currently I'm booting a Xen DomU Debian Etch in permissive mode. There are two audit messages, and I found a solution (attached) in selinux-devel@xxxxxxxxxxxxxxxxxxxxxxxx:

audit(1195215260.590:3): avc: denied { getattr } for pid=760 comm="mount" name="/" dev=selinuxfs ino=475 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1195215263.626:6): avc: denied { getattr } for pid=1017 comm="swapon" name="/" dev=selinuxfs ino=475 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem

So after inserting

selinux_get_fs_mount(fsadm_t) -> ./policy/modules/system/fstools.te
selinux_get_fs_mount(mount_t) -> ./policy/modules/system/mount.te

both messages disappear. Is such a solution ok and acceptable upstream (conditionally for the Debian distro or so)?

Regards
-- Zito
--- Begin Message ---
- To: selinux-devel@xxxxxxxxxxxxxxxxxxxxxxx
- Subject: [DSE-Dev] /selinux getattr messages
- From: Martin Orr <martin@xxxxxxxxxxxxxx>
- Date: Sat, 23 Jun 2007 12:39:11 +0100
- Delivery-date: Mon, 25 Jun 2007 08:53:53 +0200
- Envelope-to: zito@localhost
- User-agent: Mozilla-Thunderbird 2.0.0.4 (X11/20070621)
I am using the targeted policy in permissive mode. During boot I get the following messages:

audit(1182511335.252:36): avc: denied { getattr } for pid=1249 comm="mount" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511346.457:47): avc: denied { getattr } for pid=1503 comm="swapon" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
audit(1182511347.644:48): avc: denied { getattr } for pid=1570 comm="iptables" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem

These come because libblkid and iptables are both linked against libselinux, which locates the selinux mount point in a constructor. When this was introduced in libselinux, the selinux_get_fs_mount interface was added to the reference policy to allow this.

So mount.te should gain selinux_get_fs_mount(mount_t) and fstools.te should gain selinux_get_fs_mount(fsadm_t).

So far as I can see iptables has no need to be linked against libselinux, but I will check further.

-- Martin Orr
--- End Message ---
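As an added example that is not code from either message above, here is a small Python parser for the AVC denial format quoted in both messages; it derives the selinux_get_fs_mount() call Martin describes for each domain that is denied getattr on the selinuxfs mount. The function names parse_avc, suggest_interface and suggestions are my own, and the sample input is the three denial lines from Martin's message.

```python
import re

# AVC denial line format as quoted in both messages of this thread.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
                    r'(?P<fields>.*?)\s+tclass=(?P<tclass>\S+)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into the fields policy work needs, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    # contexts are user:role:type:level; policy rules are written on the type
    return {'perms': m.group('perms').split(), 'tclass': m.group('tclass'),
            'comm': fields.get('comm'), 'dev': fields.get('dev'),
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2]}

def suggest_interface(rec):
    """The denial this thread is about: libselinux's constructor doing getattr
    on the selinuxfs mount. Map it to the refpolicy interface that allows it;
    any other denial returns None and is left for a human to judge."""
    if (rec['tclass'] == 'filesystem' and rec['ttype'] == 'security_t'
            and rec['dev'] == 'selinuxfs' and rec['perms'] == ['getattr']):
        return 'selinux_get_fs_mount(%s)' % rec['stype']
    return None

def suggestions(lines):
    """Unique interface calls needed for the denials in lines, in order seen."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        call = suggest_interface(rec) if rec else None
        if call and call not in out:
            out.append(call)
    return out

# Sample input: the three denials quoted in Martin Orr's message above.
SAMPLE = [
    'audit(1182511335.252:36): avc: denied { getattr } for pid=1249 comm="mount" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
    'audit(1182511346.457:47): avc: denied { getattr } for pid=1503 comm="swapon" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
    'audit(1182511347.644:48): avc: denied { getattr } for pid=1570 comm="iptables" name="/" dev=selinuxfs ino=318 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem',
]

if __name__ == '__main__':
    print('\n'.join(suggestions(SAMPLE)))
```

Running it prints one selinux_get_fs_mount() call per denied domain (mount_t, fsadm_t, iptables_t), which is exactly the set of .te additions the thread arrives at.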