On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> I have just installed selinux on my gentoo box, and getting difficulties in
> permissive mode. If someone can have a look at this and point me
> somewhere...
>
> Emerge doesn't work if I run it from terminal in X11 - it call traces,
> can't merge anything. In dmesg I can find:
>
> ----------------
> type=1400 audit(1342877962.365:424): avc: denied { read write } for
> pid=15719 comm="sh" name="1" dev="devpts" ino=4
> scontext=system_u:system_r:portage_fetch_t
> tcontext=system_u:object_r:devpts_t tclass=chr_file
Looking at this first message already shows something weird: it says that
the source context is "system_u:system_r:portage_fetch_t", whereas this
should be either "staff_u:sysadm_r:portage_fetch_t" or
"root:sysadm_r:portage_fetch_t".
[...]
> I switch to root and then do newrole -t sysadm_t - after that I'm trying to
> emerge something.
> Of course from raw console a.k.a. non X env, emerging works.
[...]
> # id -Z // after switching to root and changing newrole
> system_u:system_r:sysadm_t
It looks like there is no proper transitioning after logon.
First, make sure you ran "dispatch-conf" or "etc-update" to make sure
changes are made to your PAM configuration files.
Next, for the graphical logon (including GDM), you might need to manually
update to add in pam_selinux.so (see
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3)
Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
user_u, but then you won't be able to administer the system), or if you log
on as root, probably the "root" SELinux user.
Only then can we go further. And as already mentioned, it's "newrole -r
sysadm_r" as we need to change our (operational) role towards the system
administration role.
Wkr,
Sven Vermeulen
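A small check, added here as an example and not part of the mailing-list thread, that turns the advice above into something runnable: it parses an SELinux context string of the form the "id -Z" output has (user:role:type) and reports whether the login transition happened. The expected values come from the thread (SELinux user staff_u, user_u or root; role sysadm_r after "newrole -r sysadm_r"); the function names and the sample contexts are constructed for the demonstration, and the script does not touch the live system, so it can be run on any box.

```shell
#!/bin/sh
# Added example: check whether an SELinux context looks like a properly
# transitioned interactive login. Function names and sample contexts are
# constructed for this demonstration; expected users/roles follow the thread.

# Print field N (1=user, 2=role, 3=type) of a context "user:role:type[:mls]".
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Return 0 when the context is a transitioned user session, 1 otherwise.
# A system_u/system_r pair after a graphical logon is the symptom from the
# thread: PAM (pam_selinux.so) did not set a user context for the session.
check_login_context() {
    ctx="$1"
    sel_user=$(ctx_field "$ctx" 1)
    sel_role=$(ctx_field "$ctx" 2)
    case "$sel_user" in
        staff_u|user_u|root) ;;
        *)
            echo "$ctx: unexpected SELinux user '$sel_user' (expected staff_u, user_u or root); pam_selinux.so is probably not active for this login"
            return 1 ;;
    esac
    case "$sel_role" in
        sysadm_r)
            echo "$ctx: administrative session" ;;
        staff_r|user_r)
            echo "$ctx: logged on as $sel_role; run 'newrole -r sysadm_r' before administering" ;;
        *)
            echo "$ctx: unexpected role '$sel_role'"
            return 1 ;;
    esac
    return 0
}

# Constructed sample contexts: the one reported in the thread, a freshly
# logged-on staff user, and a staff user after "newrole -r sysadm_r".
check_login_context "system_u:system_r:sysadm_t" || :
check_login_context "staff_u:staff_r:staff_t"
check_login_context "staff_u:sysadm_r:sysadm_t"
```

On a real system you would feed it the live value with `check_login_context "$(id -Z)"`; the first sample reproduces the mismatch Sven points out and is rejected, the other two are accepted.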