Hi folks,

I have started in earnest to try and get the current reference policy to the point where I can create a headless build virtual machine running strict policy in enforcing mode. At this point, I have a local.te file that enables me to log in, either as root or as myself, mount a hostfs directory, unmount it, and log out. There were not too many differences yet:

,----
| __> egrep allow localStrict.te | wc -l
| 6
| __> egrep dontaudit localStrict.te | wc -l
| 6
`----

I am attaching the local.te file below for comment; some of this should probably go into the refpolicy package, and, eventually, upstream. I note, however, that I am not able to install packages without AVC denials, copy things out of the hostfs to my home directory, or compile anything; so there will be more changes required to the strict policy.

For those interested in the technique I am using, I look at the screenlog.0 file (essentially the console of the UML virtual machine; would be /var/log/messages on a real box). I then use an editor to chop the audit messages in the file into separate files, one group of related audit messages per resulting file. This allows me to correlate the changes to the denial messages. Next, I look at what audit2allow has to say, and copy the reasonable bits into my local policy (using s/^allow/dontaudit/ liberally where I do not want to give the access).

,----
| __> egrep '^audit' avc.201* | audit2allow -v -m localstrict
| __> $EDITOR localStrict.te
| __> checkmodule -M -m -o localStrict.mod localStrict.te
| __> semodule_package -o localStrict.pp -m localStrict.mod
`----

Now, I just have to copy the file into my virtual machine root_fs, run the virtual machine, and install inside the VM using semodule -i localStrict.pp.

manoj
-- 
Do YOU have redeeming social value?
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
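The chop-and-convert workflow described in the post, as an added example that is not the poster's code: a small Python script that parses AVC denial lines of the era's audit(...) format, groups them by time gaps (a heuristic standing in for the manual editor chopping), merges permissions per source/target/class the way audit2allow does, and emits either allow or dontaudit rules according to a caller-supplied predicate (the s/^allow/dontaudit/ step). The sample console lines, the 2-second gap and the type names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample console lines (audit(...) avc: denied format); not from the post.
SAMPLE_LOG = """\
audit(1133000001.100:41): avc:  denied  { search } for  pid=1201 comm="mount" name="/" dev=ubda ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1133000001.400:42): avc:  denied  { mounton } for  pid=1201 comm="mount" name="mnt" dev=ubda ino=17 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:mnt_t tclass=dir
audit(1133000009.200:43): avc:  denied  { read } for  pid=1210 comm="bash" name=".bash_history" dev=ubda ino=99 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=file
audit(1133000009.250:44): avc:  denied  { write } for  pid=1210 comm="bash" name=".bash_history" dev=ubda ino=99 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=file
Linux version 2.6.12 (uml) unrelated console line
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+)\s+"
    r"tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """One dict per AVC denial; non-AVC console lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["perms"] = set(d["perms"].split())
            events.append(d)
    return events

def group_by_time(events, gap=2):
    """Split denials at pauses longer than `gap` seconds (the chopping step)."""
    groups = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if groups and ev["ts"] - groups[-1][-1]["ts"] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def to_rules(events, dontaudit=lambda stype, ttype, tclass: False):
    """Merge perms per (source, target, class) into .te rules; the predicate
    picks dontaudit over allow (the manual s/^allow/dontaudit/ step)."""
    merged = defaultdict(set)
    for ev in events:
        merged[(ev["stype"], ev["ttype"], ev["tclass"])] |= ev["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        kw = "dontaudit" if dontaudit(s, t, c) else "allow"
        rules.append(f"{kw} {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Running `to_rules` on each group from `group_by_time(parse_avc(SAMPLE_LOG))` gives one rule per source/target/class with the permissions merged, so the two home-directory denials collapse into a single `{ read write }` rule that the predicate can turn into a dontaudit.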