On Sat, Jul 21, 2012 at 7:14 PM, Sven Vermeulen <[email protected]> wrote:
> On Sat, Jul 21, 2012 at 03:51:52PM +0200, Ivan Gooten wrote:
> > I have just installed SELinux on my Gentoo box, and am getting difficulties
> > in permissive mode. If someone can have a look at this and point me
> > somewhere...
> >
> > Emerge doesn't work if I run it from a terminal in X11 - it call traces,
> > can't merge anything. In dmesg I can find:
> >
> > ----------------
> > type=1400 audit(1342877962.365:424): avc: denied { read write } for
> > pid=15719 comm="sh" name="1" dev="devpts" ino=4
> > scontext=system_u:system_r:portage_fetch_t
> > tcontext=system_u:object_r:devpts_t tclass=chr_file
>
> Looking at this first message already shows something weird: it says that
> the source context is "system_u:system_r:portage_fetch_t", whereas this
> should be either "staff_u:sysadm_r:portage_fetch_t" or
> "root:sysadm_r:portage_fetch_t".
>
> [...]
> > I switch to root and then do newrole -t sysadm_t - after that I'm trying
> > to emerge something.
> > Of course from a raw console, a.k.a. a non-X env, emerging works.
> [...]
> > # id -Z // after switching to root and changing newrole
> > system_u:system_r:sysadm_t
>
> It looks like there is no proper transitioning after logon.
>
> First, make sure you ran "dispatch-conf" or "etc-update" to make sure
> changes are made to your PAM configuration files.
>
> Next, for the graphical logon (including GDM), you might need to manually
> update to add in pam_selinux.so (see
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2#doc_chap5_sect3 )
>
> Make sure that, when logged on, your "id -Z" shows you as being staff_u (or
> user_u, but then you won't be able to administer the system), or if you log
> on as root, probably the "root" SELinux user.
>
Thank you all for your replies :-)
So after messing with semanage/PAM I have:
--------------------
# semanage login -l
Login Name    SELinux User
__default__   user_u
root          root
system_u      system_u
ivan          staff_u
--------------------
which results in a console context for user root like
"root:sysadm_r:sysadm_t",
whereas in an X11 terminal (after switching from user ivan to root by su -)
-> "staff_u:staff_r:staff_t".
I understand that in an X11 terminal I'll have to "newrole -r sysadm_r" for
root every time I want to administer the system?
And what about the difference in context between root (root:...) logged in
from the console and root (staff_u:...) logged in via an X11 terminal - is
that wrong?
Ivan
>
> Only then can we go further. And as already mentioned, it's "newrole -r
> sysadm_r" as we need to change our (operational) role towards the system
> administration role.
>
> Wkr,
> Sven Vermeulen
>
>
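As an added example (editor's code, not from this thread and not part of Gentoo's or SELinux's tooling), the following POSIX sh script takes the "semanage login -l" table and the AVC denial quoted above as constructed input, resolves a login name to its SELinux user with the __default__ fallback that pam_selinux applies at login, and classifies an "id -Z" style context the way Sven's checks do: system_u in a user session means the login path never ran pam_selinux.so, staff_u or root in staff_r still needs "newrole -r sysadm_r", and user_u cannot reach sysadm_r at all. The verdict keywords and the login name "someone_else" are my own; the context strings and table rows are the thread's.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). It works only on text
# constructed from the messages above; nothing here calls semanage or id.

# Constructed copy of the "semanage login -l" output Ivan posted.
SEMANAGE_LOGIN_LIST='Login Name SELinux User
__default__ user_u
root root
system_u system_u
ivan staff_u'

# Constructed copy of the AVC denial from Ivan's dmesg.
AVC_LINE='type=1400 audit(1342877962.365:424): avc: denied { read write } for pid=15719 comm="sh" name="1" dev="devpts" ino=4 scontext=system_u:system_r:portage_fetch_t tcontext=system_u:object_r:devpts_t tclass=chr_file'

# login_to_seuser LOGIN: print the SELinux user a Linux login maps to,
# falling back to the __default__ row when the login has no explicit mapping.
login_to_seuser() {
    printf '%s\n' "$SEMANAGE_LOGIN_LIST" | awk -v who="$1" '
        NR == 1 { next }                    # skip the header row
        $1 == who { found = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (found != "" ? found : dflt) }'
}

# Field accessors for a context string of the form user:role:type[:level].
ctx_user() { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role() { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_scontext LINE: extract the scontext= value from an audit AVC record.
avc_scontext() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p'
}

# check_login_ctx CONTEXT: classify what "id -Z" (or an AVC scontext) shows
# for an interactive session. Prints one of these editor-chosen keywords:
#   BAD_SYSTEM_U   system_u in a user session: the login path did not run
#                  pam_selinux.so, so no user/role transition happened
#   UNPRIVILEGED   user_u: fine for a plain user, but sysadm_r is unreachable
#   NEEDS_NEWROLE  staff_u or root still in staff_r: run "newrole -r sysadm_r"
#   ADMIN          staff_u or root already in sysadm_r
#   UNKNOWN        anything else
check_login_ctx() {
    u=$(ctx_user "$1")
    r=$(ctx_role "$1")
    case "$u" in
        system_u) echo BAD_SYSTEM_U ;;
        user_u)   echo UNPRIVILEGED ;;
        staff_u|root)
            case "$r" in
                sysadm_r) echo ADMIN ;;
                staff_r)  echo NEEDS_NEWROLE ;;
                *)        echo UNKNOWN ;;
            esac ;;
        *) echo UNKNOWN ;;
    esac
}

# Walk through the situations described in the thread.
for who in ivan root someone_else; do
    printf '%-14s -> %s\n' "$who" "$(login_to_seuser "$who")"
done
sctx=$(avc_scontext "$AVC_LINE")
printf 'dmesg AVC scontext %s -> %s\n' "$sctx" "$(check_login_ctx "$sctx")"
for ctx in system_u:system_r:sysadm_t root:sysadm_r:sysadm_t staff_u:staff_r:staff_t; do
    printf '%-28s -> %s\n' "$ctx" "$(check_login_ctx "$ctx")"
done
```

The classification matches what Ivan observes: "su -" changes the Linux uid but not the SELinux user, which is set once at login by pam_selinux from the semanage mapping, so a root shell reached from ivan's X11 session keeps staff_u and needs "newrole -r sysadm_r", while a console login as root gets the "root" SELinux user and sysadm_r directly.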