Re: SELinux Policy in OpenSUSE 11.2

On 02/19/2010 06:35 AM, Stephen Smalley wrote:
> On Thu, 2010-02-18 at 15:17 -0800, Justin P. Mattock wrote:
>> then after being able to build and install the policy, then I focused in
>> on the booleans. I set (although am not sure if they fixed the errors
>> with avahi) were these:
>>
>> allow_polyinstantiation=on
>> init_upstart=on (although I think they use sysvinit (not sure))
>
> I was suggesting trying to set the init_upstart boolean because it
> disables the transition from init_t to sysadm_t on executing a shell and
> it appeared that for some reason that was causing system services to be
> left in sysadm_t.
>
> Question:  Are your boolean settings persisting across reboot?

yep.. i.e. vim policy/booleans.conf (make changes), then make policy;
with the binary policy on my other machine I used setsebool -P

>> then once I was able to get a clean boot (even with the "targeted" dbus
>> issue)
>> I focused in on the login context:
>> name:user_r:user_t
>>
>> this can be done in:
>> /etc/pam.d/{login,gdm,xdm}
>>
>> adding:
>> session required pam_selinux.so close
>> session required pam_selinux.so open
>> (suse has nothing of this in their files,
>> or at least I didn't see them)
>
> So someone needs to file bugs against those packages asking to have the
> pam_selinux.so entries added.  Should be harmless if SELinux is
> disabled; they will just exit with success.

yeah I was surprised to not see them there.

>> so after adding all allow rules from dmesg/messages (audit2allow)
>> I then added all allow rules from /var/log/audit/audit.log
>> (there probably is a tool, but haven't figured what it is yet)
>
> Well, we ought to look at the actual denials to see if they truly should
> be allowed or if they instead indicate problems with your processes
> running in the wrong context or your files being mislabeled.

seemed like it was o.k. to me (but could be wrong).

there was I think three AVCs that were defined as neverallow
in the policy.

an avc from hal which executed execmem to lower the gpu power level.
mount mounting the hard drive (if I remember correctly).
and then a capability avc.

in the past running ubuntu I remember those three; if I can remember, the next policy update had fixed those, or later down the line.

BTW: just to let you know I took that image and reformatted it
and put on my system so I can start looking into a kernel bug.
if you need me to reinstall let me know (should only take a few mins to get back where I was (now that I have a handle on what's happening)).

Justin P. Mattock
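The thread turns on two practical points: Stephen's caveat that denials should be read before they are fed to audit2allow (a daemon denied while still in sysadm_t is a missing domain transition, not a missing allow rule), and the pam_selinux.so session lines that SUSE's PAM stacks lacked. The script below is an added example, not code from the thread or from the SELinux project. It triages AVC records from stdin by source domain, permission and object class, and checks a PAM stack for both pam_selinux.so lines. The audit records are constructed for illustration (hypothetical PIDs, inodes, timestamps and contexts, laid out the way the kernel prints AVC messages), and the verdict heuristics are this example's own, not anything the policy tools compute.

```shell
#!/bin/sh
# Added example: triage AVC denials before turning them into allow rules.
# Not from the thread or the SELinux project. The records below are constructed
# (hypothetical PIDs, inodes, timestamps, contexts) in the kernel's AVC layout.
SAMPLE_AVC='type=AVC msg=audit(1266600000.123:45): avc:  denied  { execmem } for  pid=1234 comm="hald" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process
type=AVC msg=audit(1266600001.456:46): avc:  denied  { read } for  pid=2345 comm="cupsd" name="cupsd.conf" dev=sda1 ino=9876 scontext=system_u:system_r:sysadm_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1266600002.789:47): avc:  denied  { mounton } for  pid=3456 comm="mount" path="/mnt" dev=sda2 ino=2 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1266600003.012:48): avc:  denied  { sys_admin } for  pid=4567 comm="avahi-daemon" capability=21 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=capability'

# triage_avc: read AVC records on stdin, print one line per denial:
#   comm source_type permission(s) tclass verdict
# Verdicts (this example's heuristics, not an official classification):
#   wrong-domain     - the subject is still in sysadm_t/init_t, so the fix is a
#                      domain transition or relabel, not an allow rule
#   review-carefully - execmem or a capability: broad grants worth a second look
#   allow-candidate  - everything else, once the labels have been confirmed
triage_avc() {
    awk '
    /avc: +denied/ {
        comm = ""; stype = ""; perm = ""; tclass = ""
        # the permission set sits between the braces
        if (match($0, /\{ [^}]* \}/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        if (stype == "sysadm_t" || stype == "init_t")
            verdict = "wrong-domain"
        else if (tclass == "capability" || perm ~ /execmem/)
            verdict = "review-carefully"
        else
            verdict = "allow-candidate"
        print comm, stype, perm, tclass, verdict
    }'
}

# count_verdict VERDICT: how many of the sample denials received that verdict.
count_verdict() {
    printf '%s\n' "$SAMPLE_AVC" | triage_avc |
        awk -v v="$1" '$NF == v { n++ } END { print n + 0 }'
}

# pam_selinux_present: exit 0 if the PAM stack on stdin carries both
# pam_selinux.so session lines from the thread (close and open), else 1.
pam_selinux_present() {
    awk '
    /^[ \t]*session[ \t]+required[ \t]+pam_selinux\.so[ \t]+close/ { c = 1 }
    /^[ \t]*session[ \t]+required[ \t]+pam_selinux\.so[ \t]+open/  { o = 1 }
    END { exit !(c && o) }'
}

# Stand-alone run: show the triage table for the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | triage_avc
```

On a real system the input would be `/var/log/audit/audit.log` (or `ausearch -m avc`), and the `wrong-domain` rows are the ones to chase first: as Stephen notes, they point at the init transition and the missing pam_selinux.so lines rather than at policy rules that need adding. Checking `/etc/pam.d/login`, `gdm` and `xdm` with `pam_selinux_present` gives a quick yes/no on the second point.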

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
