On Thu, 2010-02-18 at 15:17 -0800, Justin P. mattock wrote:
> then after being able to build and install the policy then I focused in
> on the booleans, I set (although am not sure if they fixed the errors
> with avahi) were these:
>
> allow_polyinstantiation=on
> init_upstart=on (although I think they use sysvinit (not sure))

I was suggesting trying to set the init_upstart boolean because it
disables the transition from init_t to sysadm_t on executing a shell and
it appeared that for some reason that was causing system services to be
left in sysadm_t.

Question: Are your boolean settings persisting across reboot?

> then once I was able to get a clean boot (even with the "targeted" dbus
> issue)
> I focused in on the login context:
> name:user_r:user_t
>
> this can be done in:
> /etc/pam.d/{login,gdm,xdm}
>
> adding:
> session required pam_selinux.so close
> session required pam_selinux.so open
> (suse has nothing of this in their files,
> or at least I didn't see them)

So someone needs to file bugs against those packages asking to have the
pam_selinux.so entries added. Should be harmless if SELinux is
disabled; they will just exit with success.

> so after adding all allow rules from dmesg/messages (audit2allow)
> I then added all allow rules from /var/log/audit/audit.log
> (there probably is a tool, but haven't figured what it is yet)

Well, we ought to look at the actual denials to see if they truly should
be allowed or if they instead indicate problems with your processes
running in the wrong context or your files being mislabeled.

-- 
Stephen Smalley
National Security Agency
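
An added example, not part of the original message or of any SELinux tool: it triages AVC denials the way the reply above suggests, separating denials that point at a process running in the wrong domain or at a mislabeled target from those that may merit an allow rule. The log records are constructed, and the two type lists and the `classify`/`triage` names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1266535020.101:41): avc:  denied  { read } for  pid=812 comm="avahi-daemon" name="resolv.conf" dev=sda1 ino=4211 scontext=system_u:system_r:sysadm_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1266535020.207:42): avc:  denied  { search } for  pid=790 comm="dbus-daemon" name="dbus" dev=sda1 ino=5120 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1266535021.014:43): avc:  denied  { write } for  pid=812 comm="avahi-daemon" name="socket" dev=sda1 ino=6002 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1266535021.014:43): arch=c000003e syscall=42 success=no exit=-13 comm="avahi-daemon"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumed heuristics: target types that usually mean a missing or wrong file
# label, and login-user domains a system_r service should not be running in.
UNLABELED_TYPES = {"file_t", "unlabeled_t", "default_t"}
USER_DOMAINS = {"sysadm_t", "staff_t", "user_t"}

def classify(line):
    """Return (verdict, comm, source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    s_role, s_type = m["scon"].split(":")[1:3]
    t_type = m["tcon"].split(":")[2]
    if s_role == "system_r" and s_type in USER_DOMAINS:
        verdict = "wrong-domain"        # fix the domain transition, not the policy
    elif t_type in UNLABELED_TYPES:
        verdict = "mislabeled-target"   # relabel the file (e.g. restorecon)
    else:
        verdict = "review-for-policy"   # only these are candidates for allow rules
    return verdict, m["comm"], s_type, t_type, m["tclass"], m["perms"].split()

def triage(log_text):
    """Classify every AVC denial in log_text and count the verdicts."""
    results = [r for r in map(classify, log_text.splitlines()) if r]
    return results, Counter(r[0] for r in results)

if __name__ == "__main__":
    rows, summary = triage(SAMPLE_LOG)
    for verdict, comm, s_type, t_type, tclass, perms in rows:
        print(f"{verdict:18} {comm:14} {s_type} -> {t_type}:{tclass} {perms}")
    print(dict(summary))
```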