On Sun, Feb 7, 2010 at 9:42 AM, Justin P. Mattock
<justinmattock@xxxxxxxxx> wrote:
> On 02/07/10 00:12, Elko Kuric wrote:
>>
>> Hi all,
>>
>> I decided to move my debian installation to use Selinux, and I
>> installed it using
>>
>> http://wiki.debian.org/SELinux howto ( Debian 5 )
>>
>>
>> When Selinux is in "permissive" mode, network connection is up and it
>> works
>> but when I switch Selinux to "enforcing" mode network interface is
>> down after reboot.
>>
>> seaudit-report report the following output:
>>
>> Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup
>> name=ifstate ino=4103 dev=hda1 \
>> scontext=system_u:system_r:udev_t
>> tcontext=system_u:object_r:etc_runtime_t tclass=file
>>
>> Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup
>> name=ifstate ino=4103 dev=hda1 \
>> scontext=system_u:system_r:udev_t
>> tcontext=system_u:object_r:etc_runtime_t tclass=file
>>
>> I can understand that selinux is preventing ifup to be executed, but I
>> still do not have counterpart in debian
>> for RedHat's
>>
>> sealert -a audit.log
>>
>> , where it suggests what is necessary to do in order to allow access.
>>
>> I can bring interface up when logged as root and using "ifconfig "
>>
>> Any comment is welcome and thank you in advance,
>>
>> Regards,
>>
>> Elko
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
>> with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
> not sure what policy debian is using.
> if it's regular targeted(binary), you should be able
> to just do a audit2allow -dM modulename(to build the module)
> then sudo semodule -i modulename(to install the module)
> (if an error happens then you need to manually
> edit the *.te file then use sepackage(I think),and/or
> semodule to build the *.pp).
> (there is a kernel parameter for network for SELinux
> but last I remember that was for policy-default(many moon ago));
>
>
> Justin P. Mattock
>

Thanks for mail.

I have installed following packages

dpkg -l | grep ii | grep selinux

ii  libselinux1             2.0.65-5           SELinux shared libraries
ii  python-selinux          2.0.65-5           Python bindings to SELinux shared libraries
ii  selinux-basics          0.3.5              SELinux basic support
ii  selinux-policy-default  2:0.0.20080702-6   Strict and Targeted variants of the SELinux policy
ii  selinux-utils           2.0.65-5           SELinux utility programs

I expected some issues with setting up some specific services
( dns/mail ... ), but here I just want to get network functional once I
set selinux to "enforcing " policy.

Elko
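The grouping that a tool like audit2allow performs on denials such as the ones quoted above, as an added Python example that is not part of the thread and not audit2allow's own code. The third sample line, with its "{ read write }" permission set, is constructed; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines 1-2 follow the seaudit-report output quoted in the
# thread (no permission set); line 3 is a constructed raw kernel-format record.
SAMPLE = """\
Feb 07 08:36:58 firewall kernel: avc: denied pid=1290 comm=ifup name=ifstate ino=4103 dev=hda1 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Feb 07 08:36:58 firewall kernel: avc: denied pid=1297 comm=ifup name=ifstate ino=4103 dev=hda1 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1265528218.123:42): avc:  denied  { read write } for  pid=1290 comm="ifup" name="ifstate" dev=hda1 ino=4103 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_runtime_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+(?:\{\s*(?P<perms>[^}]*)\}\s+for\s+)?(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = set((m.group("perms") or "").split())
    # A context is user:role:type[:mls]; policy rules are written on the type.
    fields["stype"], fields["ttype"] = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))
    return fields

def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set()})
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            g = groups[(d["stype"], d["ttype"], d["tclass"])]
            g["count"] += 1
            g["perms"] |= d["perms"]
            g["comms"].add(d.get("comm", "?"))
    return dict(groups)

def draft_rules(groups):
    """One draft allow rule per group; a comment when the log lacks the permissions."""
    rules = []
    for (s, t, c), g in sorted(groups.items()):
        if g["perms"]:
            rules.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"]))))
        else:
            rules.append("# %s -> %s:%s denied, permission set not in log" % (s, t, c))
    return rules
```

Run over only the two report lines from the thread, draft_rules() yields a comment instead of a rule, because that report format does not carry the denied permissions; the raw audit record is needed to see them.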