On 21.07.2012 15:51, Ivan Gooten wrote:
> hello,
>
> I have just installed SELinux on my Gentoo box, and am getting
> difficulties in permissive mode. If someone can have a look at this
> and point me somewhere...
>
> Emerge doesn't work if I run it from a terminal in X11 - it calls
> traces, can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342877962.367:425): avc: denied { search } for pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
> type=1400 audit(1342877962.394:426): avc: denied { search } for pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
> type=1400 audit(1342878036.496:428): avc: denied { read write } for pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878036.505:430): avc: denied { getattr } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878083.667:431): avc: denied { read write } for pid=16890 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
> type=1400 audit(1342878083.671:432): avc: denied { search } for pid=16892 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
> ----------------
>
> I'm running xdm - gdm3 to be more accurate - and as normal user in
> a terminal I switch to root and then do newrole -t sysadm_t - after
> that I'm trying to emerge something. Of course from a raw console,
> a.k.a. non-X env, emerging works.
>
> Additional info:
> ----------------
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              disabled
> Policy deny_unknown status:     denied
> Max kernel policy version:      26
> ----------------
> # id -Z   // after switching to root and changing newrole
> system_u:system_r:sysadm_t
> ----------------
> all installed sec-policy packages are from the hardened-devel overlay = 2.20120215-r14
> ----------------
> I did rlpkg -a -r so many times.. :-)
>
> thanks in advance
>
> Ivan Gooten
>
Hi,
the first few things I notice are that it's "newrole -r sysadm_r" -
"newrole -t" just switches the type.
You shouldn't be in system_u, either, but in staff_u.
Since you are using a targeted policy you actually would have more
rights if you remove the SELinux user mapping for your user altogether,
because you would be in "unconfined_r:unconfined_t", which means that
there aren't really any restrictions for your user except where they're
stated explicitly.
WKR
Hinnerk
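As an added example (not part of the thread), a small Python triage helper that parses AVC denial records like the ones quoted above, aggregates them by source type, target type and object class the way you would before reading them into audit2allow, and applies the two context checks Hinnerk raises (staff_u user, sysadm_r role) to an `id -Z` string. The sample records are the ones from the thread, embedded as constructed input; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread, one per line.
SAMPLE_DMESG = """\
type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342877962.367:425): avc: denied { search } for pid=15719 comm="sh" name="ivan" dev="dm-3" ino=20709377 scontext=system_u:system_r:portage_fetch_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=1400 audit(1342877962.394:426): avc: denied { search } for pid=15720 comm="id" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=1400 audit(1342878036.496:428): avc: denied { read write } for pid=15894 comm="emerge" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.500:429): avc: denied { ioctl } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=1400 audit(1342878036.505:430): avc: denied { getattr } for pid=15894 comm="emerge" path="/dev/pts/1" dev="devpts" ino=4 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:devpts_t tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = frozenset(m.group('perms').split())
    return rec

def type_of(context):
    # A SELinux context is user:role:type[:range]; the type is the third field.
    return context.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        summary[key] |= rec['perms']
    return dict(summary)

def check_login_context(ctx):
    """Hinnerk's two checks on an `id -Z` context: expect user staff_u and role sysadm_r."""
    user, role = ctx.split(':')[:2]
    problems = []
    if user == 'system_u':
        problems.append('user is system_u; an interactive login should be staff_u')
    if role != 'sysadm_r':
        problems.append(f'role is {role}; use "newrole -r sysadm_r" (-t only changes the type)')
    return problems

if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    print(check_login_context('system_u:system_r:sysadm_t'))
```

The grouped output shows at a glance that both portage_t and portage_fetch_t need the terminal's devpts_t device, which is the pattern to look for before deciding whether a local policy module or a different login context is the right fix.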