Message-ID: <3e1162e60607181311j45ada14ax38591b706cb2c1bd@mail.gmail.com>
Date: Tue, 18 Jul 2006 13:11:50 -0700
From: "David Leimbach"
To: "Fans of the OS Plan 9 from Bell Labs" <9fans@cse.psu.edu>
Subject: Re: [9fans] if you're looking for some fun, check out selinux ...
In-Reply-To: <44BD2FF2.9050703@lanl.gov>
References: <44BD2FF2.9050703@lanl.gov>

Yeah, I've got FC4 here... couldn't export a directory with samba until I
located the magic flag for the new 'chcon' tool. I gave up on it after not
being able to make an LDAP server work with its own DB directories and being
unable to locate the magic chcon flag.

It (SELinux) was easily turned off with a switch in a conf file, but it's
such a pain in the ass, I don't know why it's in a "FC" style distribution
at all.

Dave

On 7/18/06, Ronald G Minnich wrote:
>
> so, on FC5 I did a standard mount -o loop xyz /mnt
> cd /mnt/lib64
> rm *
> rsync -av /lib64/* .
>
> rsync fails, you get kernel messages like this:
>
> system_u:object_r:unlabeled_t:s0 tclass=dir
> audit(1153270163.378:19): avc: denied { read } for pid=19059
> comm="python" name="urandom" dev=tmpfs ino=1654
> scontext=root:system_r:semanage_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=file
> audit(1153270198.018:20): avc: denied { read } for pid=19065
> comm="python" name="urandom" dev=tmpfs ino=1654
> scontext=root:system_r:semanage_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=file
> audit(1153270211.628:21): avc: denied { read } for pid=19067
> comm="python" name="urandom" dev=tmpfs ino=1654
> scontext=root:system_r:semanage_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=file
> audit(1153270220.558:22): avc: denied { read } for pid=19068
> comm="python" name="urandom" dev=tmpfs ino=1654
> scontext=root:system_r:semanage_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=file
>
> ah, what's it all mean?
>
> Well, there's an easy way to find out! You can see the necessary allow
> rules by running audit2why with this audit message as input.
>
> lots of barf like this:
> audit(1153270220.558:22): avc: denied { read } for pid=19068
> comm="python" name="urandom" dev=tmpfs ino=1654
> scontext=root:system_r:semanage_t:s0-s0:c0.c255
> tcontext=system_u:object_r:device_t:s0 tclass=file
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean
> settings; check boolean settings.
>
> yee ha!
> Of course, it is easy to fix! dmesg | audit2allow
> allow mount_t unlabeled_t:filesystem { mount unmount };
> allow semanage_t device_t:file read;
> allow semanage_t unlabeled_t:dir search;
> allow unlabeled_t fs_t:filesystem associate;
>
> and where does that go? well, that's a great question, thanks for asking!
>
> in /etc/selinux there is a bunch of stuff. The one you care about is this:
> /etc/linux/config, and before I got much further I noticed this:
>
> SELINUX=enforcing
> is in there, easy to fix, turn all this shit OFF!
>
> But, wow! Is this where we're all headed? I think I'm more and more
> motivated to move everything I can to plan 9 .... this selinux is less
> fun than a trip to the dentist. Plus, can you imagine the permutations of
> those rule sets over time? many and varied subtleties shall appear. It's
> really quite incredible.
>
> ron
>
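As an added example (not code from either message in the thread), here is a small parser that turns AVC denial lines like the ones Ron quotes into the merged TE allow rules audit2allow prints, and flags rules aimed at unlabeled_t, which usually indicate files with no label (such as a loop-mounted image without xattrs) rather than a gap in policy. The sample log is constructed in the shape of the dmesg output above; the third record is invented to match the unlabeled_t:dir rule in Ron's audit2allow output.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the quoted dmesg lines: two /dev/urandom
# denials plus an invented dir-search denial against the unlabeled tree.
SAMPLE_DMESG = """\
audit(1153270163.378:19): avc: denied { read } for pid=19059 comm="python"
name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270198.018:20): avc: denied { read } for pid=19065 comm="python"
name="urandom" dev=tmpfs ino=1654 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1153270230.000:23): avc: denied { search } for pid=19070 comm="python"
name="lib64" dev=loop0 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
"""

# One record = permission set, source/target security contexts, object class.
# DOTALL lets a record span the line wraps dmesg introduces.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\w+)', re.DOTALL)

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) for each denial."""
    out = []
    for m in AVC_RE.finditer(text):
        stype = m.group('scontext').split(':')[2]   # user:role:TYPE:range
        ttype = m.group('tcontext').split(':')[2]
        out.append((stype, ttype, m.group('tclass'),
                    set(m.group('perms').split())))
    return out

def allow_rules(records):
    """Merge duplicate denials into TE allow rules in audit2allow's format."""
    merged = OrderedDict()
    for stype, ttype, tclass, perms in records:
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        p = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (
            stype, ttype, tclass, p if len(perms) == 1 else '{ %s }' % p))
    return rules

def labelling_suspects(rules):
    """Rules granting access to unlabeled_t usually mean the objects carry no
    label; relabelling (or mounting with a context) is the narrower fix."""
    return [r for r in rules if ' unlabeled_t:' in r]
```

Running the parser on `dmesg` output before pasting rules into a policy module shows which denials are really the same access repeated and which target unlabeled objects.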