On Sun, 2010-01-31 at 19:05 +0300, AlannY wrote:
> Hi there. Still trying to go to enforcing in Archlinux.
>
> First of all, my sestatus -v
>
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        refpolicy
>
> Process contexts:
> Current context:                user_u:user_r:user_t:s0
> Init context:                   system_u:system_r:init_t:s0
> /sbin/agetty                    system_u:system_r:getty_t:s0
>
> File contexts:
> Controlling term:               user_u:object_r:user_tty_device_t:s0
> /etc/passwd                     system_u:object_r:etc_t:s0
> /etc/shadow                     system_u:object_r:shadow_t:s0
> /bin/bash                       system_u:object_r:shell_exec_t:s0
> /bin/login                      system_u:object_r:login_exec_t:s0
> /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> /sbin/init                      system_u:object_r:init_exec_t:s0
> /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
>
> I'm using the latest refpolicy with build.conf as in Fedora:
>
> TYPE = mcs
> NAME = refpolicy
> DISTRO = redhat
> UNK_PERMS = allow
> DIRECT_INITRC = y
> MONOLITHIC = n
> UBAC = n
> MCS_CATS = 1024
>
> I want to make the system work as Fedora does. But when I'm in enforcing in Fedora I have:
>
> %# id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> On Archlinux I have:
>
> %# id -Z
> user_u:user_r:user_t:s0
>
> After
>
> %# su
> %# setenforce
>
> I cannot
>
> %# ls
>
> Error: Permission denied. With a non-root user I can `ls` the directory. After `exit` from the current user,
> nothing shows (it should show another login prompt); the system hangs and I can only reboot it and boot in permissive.
>
> %# audit2allow -d
>
> #============= chkpwd_t ==============
> allow chkpwd_t tmpfs_t:dir search;
>
> #============= getty_t ==============
> allow getty_t tmpfs_t:dir search;
>
> #============= sysadm_t ==============
> allow sysadm_t file_t:chr_file { read write };
>
> #============= user_su_t ==============
> allow user_su_t default_context_t:file { read getattr open };
> allow user_su_t init_t:unix_stream_socket connectto;
> allow user_su_t security_t:security compute_user;
> allow user_su_t tmpfs_t:dir search;
> allow user_su_t tmpfs_t:sock_file write;
>
> #============= user_t ==============
> allow user_t self:capability { sys_ptrace dac_override };
>
> What should I do next? Repeat: I want an SELinux system in Archlinux that works like Fedora.

semanage login -l shows what?

You want to map your users to unconfined_u if you want targeted policy behavior.

On a stock Fedora system, semanage login -l shows:

Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

-- 
Stephen Smalley
National Security Agency
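As an added illustration of the login mapping discussed above (this is not code from the thread), a small shell check that reads `semanage login -l` output and prints the `semanage login` commands that would give a host the Fedora-style unconfined_u mappings. It assumes the loaded policy defines the unconfined_u SELinux user (see `semanage user -l`) and that the full category range is wanted, as on Fedora; the sample output below is constructed, roughly what an Arch box with the default user_u mapping might show.

```shell
# Constructed sample of 'semanage login -l' output (not real output):
# __default__ and root mapped to user_u, as on the Arch system described.
SAMPLE_ARCH='Login Name       SELinux User      MLS/MCS Range

__default__      user_u            s0
root             user_u            s0
system_u         system_u          s0-s0:c0.c1023'

# login_fixes: given 'semanage login -l' output, print one 'semanage login'
# command per login that is not mapped to unconfined_u. system_u is the
# identity for daemons and is left alone. __default__ always exists, so it
# is modified (-m); any other login name gets a new record (-a). If a record
# for that name already exists on the host, -a fails and -m is needed instead.
# Mapping a login to unconfined_u gives it targeted-policy behaviour, i.e.
# that login runs unconfined, which is exactly the trade-off being made.
login_fixes() {
    printf '%s\n' "$1" | awk '
        NR == 1 || NF < 3     { next }   # skip the header and blank lines
        $1 == "system_u"      { next }   # daemon identity, keep as is
        $2 == "unconfined_u"  { next }   # already Fedora-style
        {
            if ($1 == "__default__") flag = "-m"; else flag = "-a"
            printf "semanage login %s -s unconfined_u -r s0-s0:c0.c1023 %s\n", flag, $1
        }'
}

# On a live host with policycoreutils installed, feed the real output:
#   login_fixes "$(semanage login -l)"
login_fixes "$SAMPLE_ARCH"
```

The printed commands only become effective for new logins; after applying them, re-run `semanage login -l` and log in again to confirm `id -Z` reports unconfined_u.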