On 02/07/10 00:12, Elko Kuric wrote:
Hi all,

I decided to move my Debian installation to use SELinux, and I installed it using the http://wiki.debian.org/SELinux howto (Debian 5). When SELinux is in "permissive" mode, the network connection is up and it works, but when I switch SELinux to "enforcing" mode the network interface is down after reboot. seaudit-report reports the following output:

Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup name=ifstate ino=4103 dev=hda1 \
  scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup name=ifstate ino=4103 dev=hda1 \
  scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file

I can understand that SELinux is preventing ifup from being executed, but I still do not have a counterpart in Debian for Red Hat's sealert -a audit.log, which suggests what is necessary to do in order to allow access.

I can bring the interface up when logged in as root and using "ifconfig".

Any comment is welcome, and thank you in advance.

Regards,
Elko

-- 
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
Not sure what policy Debian is using. If it's the regular targeted (binary) policy, you should be able to just do

  audit2allow -dM modulename     (to build the module)
  sudo semodule -i modulename    (to install the module)

(If an error happens, then you need to manually edit the *.te file, then use sepackage (I think) and/or semodule to build the *.pp.)

(There is a kernel parameter for the network for SELinux, but last I remember that was for policy-default, many moons ago.)

Justin P. Mattock
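The workflow Justin describes, as an added example that is not code from either message: read the denials, look at what a generated module would allow before loading it, and fall back to the hand-edited .te path (checkmodule, semodule_package, semodule) when audit2allow's build step fails. The two AVC lines are copied from Elko's post and embedded so the script runs offline; the module name "ifupfix" and the helper names are my own choices. Note that the lines as printed by seaudit-report carry no "{ perm }" list, so the allow rule cannot be completed from them alone; the raw line in dmesg or /var/log/audit/audit.log has it, and the script marks the spot with a PERMS placeholder rather than guessing.

```shell
#!/bin/sh
# Added example for the thread above (not from the original posts).
# Helper names (avc_triples, write_te, build_and_install) and the module
# name "ifupfix" are assumptions made for this example.

# The two denials from Elko's post, embedded so the script runs offline.
# They carry no "{ perm }" list; the raw dmesg / audit.log line does.
AVC_LOG='Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup name=ifstate ino=4103 dev=hda1 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup name=ifstate ino=4103 dev=hda1 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file'

# avc_triples LOG: print one "source_type target_type class [perms]" line per
# distinct denial. Review this before installing anything: it is exactly the
# set of allow rules a generated module would contain.
avc_triples() {
  printf '%s\n' "$1" | awk '
    /avc: *denied/ {
      s = ""; t = ""; c = ""; p = ""
      if (match($0, /\{[^}]*\}/)) {           # "{ read write }" on a raw audit line
        p = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", p)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }  # user:role:TYPE
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      if (s != "" && t != "" && c != "") {
        key = s " " t " " c
        if (!(key in seen)) {
          seen[key] = 1
          out = key; if (p != "") out = out " " p
          print out
        }
      }
    }'
}

# write_te NAME TRIPLES: print a .te module source for the triples, i.e. the
# file you hand-edit when "audit2allow -M" cannot build one for you.
# Perms come from the denial when present; otherwise PERMS marks the gap.
write_te() {
  printf '%s\n' "$2" | awk -v name="$1" '
    NF < 3 { next }
    {
      perms = ""
      for (i = 4; i <= NF; i++) perms = (perms == "") ? $i : perms " " $i
      if (perms == "") perms = "PERMS"        # fill in from the raw audit line
      types[$1] = 1; types[$2] = 1
      cls[$3] = (cls[$3] == "") ? perms : cls[$3] " " perms
      n++; rules[n] = sprintf("allow %s %s:%s { %s };", $1, $2, $3, perms)
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (t in types) printf "\ttype %s;\n", t
      for (c in cls)   printf "\tclass %s { %s };\n", c, cls[c]
      printf "}\n\n"
      for (i = 1; i <= n; i++) print rules[i]
    }'
}

# build_and_install NAME TE_FILE: the manual path Justin alludes to. Needs
# root and the policy development tools; not called when the script is run
# stand-alone. The automatic path is "audit2allow -d -M NAME" (reads dmesg,
# like Justin's -dM) or "audit2allow -a -M NAME" (reads audit.log), followed
# by "semodule -i NAME.pp".
build_and_install() {
  checkmodule -M -m -o "$1.mod" "$2" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}

# Stand-alone run: show what the posted denials amount to, then the .te to
# start from (replace PERMS, then build_and_install ifupfix ifupfix.te).
avc_triples "$AVC_LOG"
write_te ifupfix "$(avc_triples "$AVC_LOG")"
```

Both denials collapse to a single triple (udev_t acting on an etc_runtime_t file), which is the thing to reason about before loading the module: an allow rule written that way applies to every etc_runtime_t file udev_t touches, not just ifstate, so review the generated .te rather than installing blindly.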