On Sun, Aug 26, 2012 at 11:57:46AM +0200, Paolo Barile wrote:
> Hello Sven, first of all, all the denials I wrote here are from
> enforcing mode.

Oh that's good then. Would you also happen to get any failures from the
applications themselves (or error messages you get)? 

Or, in other words, why shouldn't I just dontaudit everything ;) 

Getting the error messages is a very important and often misunderstood part.
It helps identify the reason why something needs to be allowed (since for
SELinux policies, we have several interfaces that allow something, but
depending on the reason why it needs to be allowed, we might need to use a
different interface) and also document the problem so the fix is easier to
submit upstream.

> >> Aug 25 18:06:05 dell-studio kernel: [    8.028595] type=1400
> >> audit(1345917944.027:3): avc:  denied  { search } for  pid=1433
> >> comm="alsactl" name="root" dev="sda5" ino=1308163
> >> scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t
> >> tclass=dir
> > This says /root is default_t again. Mine says:
> >
> > ~ # matchpathcon /root
> > /root   root:object_r:user_home_dir_t
> >
> > ~ # grep '/root' /etc/selinux/strict/contexts/files/file_contexts* | grep 
> > user_home_dir_t
> > /etc/selinux/strict/contexts/files/file_contexts.homedirs:/root -d 
> > root:object_r:user_home_dir_t
> 
> The same gives me nothing.

You'll need to change the directory from strict to targeted in your case.

The root user's home directory should definitely be mentioned here (just
checked on a targeted system at work). Is the root user mapped to a
particular SELinux user?

What does "semanage login -l" say?

[... Allowing global_ssp to allow domains access to urandom ...]
> No, it isn't. I did not enable it because I'm still not in hardened,
> because I'd want to let selinux completely work before the conversion.

That's okay. At least we now know that the domain probably needs it. Do you
only get the denials or also an error?

Wkr,
        Sven Vermeulen
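Added example, not part of the thread: a small Python triage script that parses the AVC denial quoted above and checks the target type against a file_contexts-style table, the way the matchpathcon comparison in the thread does. Only the /root entry is taken from the thread; the other table lines and the simplified last-match lookup are assumptions.

```python
import re

# Constructed copy of the AVC denial quoted in the thread (kernel log prefix dropped).
AVC_LINE = ('type=1400 audit(1345917944.027:3): avc:  denied  { search } for  pid=1433 '
            'comm="alsactl" name="root" dev="sda5" ino=1308163 '
            'scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t tclass=dir')

# Constructed file_contexts fragment; only the /root line is quoted in the thread.
FILE_CONTEXTS = """\
/.*            system_u:object_r:default_t
/root      -d  root:object_r:user_home_dir_t
/root/.*       root:object_r:user_home_t
"""

def parse_avc(line):
    """Pull the permission, object class and the source/target types out of an AVC line."""
    perm = re.search(r'denied\s+\{\s*([^}]+?)\s*\}', line).group(1)
    kv = {k: (q or u) for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}
    return {
        'perm': perm,
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        'tclass': kv.get('tclass'),
        'source_type': kv['scontext'].split(':')[2],
        'target_type': kv['tcontext'].split(':')[2],
    }

def expected_type(path, is_dir=False, file_contexts=FILE_CONTEXTS):
    """Simplified matchpathcon: the last matching entry wins. Assumes the table is
    ordered generic-to-specific; real libselinux ranks entries by specificity."""
    result = None
    for entry in file_contexts.splitlines():
        parts = entry.split()
        if not parts or entry.startswith('#'):
            continue
        regex, rest = parts[0], parts[1:]
        flag = rest.pop(0) if rest[0].startswith('-') else None
        if flag == '-d' and not is_dir:        # only the -d (directory) flag is handled here
            continue
        if re.fullmatch(regex, path):
            result = rest[0].split(':')[2]     # type field of user:role:type
    return result

def triage(avc_line, path):
    """Decide whether a denial points at a mislabelled path or at a real policy gap."""
    d = parse_avc(avc_line)
    want = expected_type(path, is_dir=(d['tclass'] == 'dir'))
    if want and want != d['target_type']:
        verdict = 'mislabel'   # on-disk label disagrees with policy: relabel, don't allow
    else:
        verdict = 'policy'     # label is right: collect the app error and fix the policy
    return {**d, 'expected_type': want, 'verdict': verdict}
```

For the quoted denial, triage(AVC_LINE, '/root') reports default_t on disk versus user_home_dir_t expected, i.e. a relabel case rather than something to dontaudit or allow.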
