Gentoo Forums
Semodules install policys
ole24
n00b

Joined: 07 Jun 2019
Posts: 1
Location: Berlin

Posted: Thu Jun 20, 2019 12:16 pm    Post subject: Semodules install policys

I've been using SELinux Gentoo for one or two days and am not super confident with the whole topic.

I tried to generate a policy with audit2allow, which actually worked. However, installing that policy throws an error I don't know how to act on.
An Internet search has not been helpful on this particular problem; I hope you guys can help me out.

audit2allow -M TESTPOLICY < /var/log/audit/audit.log

gentoo_se ~ # semodule -i TESTPOLICY.pp
libsemanage.get_home_dirs: Error while fetching users. Returning list so far.
alamahant
Tux's lil' helper

Joined: 23 Mar 2019
Posts: 140

Posted: Sat Jun 22, 2019 6:56 pm    Post subject:

The safest way to generate a policy is to see the list of the SELinux infractions, either by:
Code:

grep "preventing" /var/log/messages
# or
grep "avc: .denied" /var/log/audit/audit.log

and in the output of these commands you will get instructions on how to build and install modules dealing with the particular situations.
Of course you need to have sys-apps/policycoreutils and setroubleshoot-server (I can't find it in Gentoo though, maybe included) installed.
You can also run sealert -l <alert number> for more comprehensive info on the problem.
In the dumps you will find info on either how to change fcontext, port, set sebool or how to create modules.
If you really prefer to create a policy module to cover all infractions, maybe use something like:
Code:

ausearch -m AVC | audit2allow -a -M TESTPOLICY
# and
semodule -i TESTPOLICY.pp

BUT why would you give so much pervasive access to all problematic processes?
Maybe you should be more picky
:)
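Being "more picky", as the reply above suggests, starts with knowing which denials are actually in the log. The following is an added example, not part of either post: it groups AVC denials by process, source type, target type, class and permissions so each one can be judged separately. The sample records and the module name nginxlocal are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records (not from the thread): four denials and one SYSCALL line.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1561032960.101:201): avc:  denied  { read } for  pid=2101 comm="nginx" name="index.html" dev="sda2" ino=1201 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file permissive=0
type=SYSCALL msg=audit(1561032960.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1561032975.410:207): avc:  denied  { read } for  pid=2101 comm="nginx" name="logo.png" dev="sda2" ino=1202 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file permissive=0
type=AVC msg=audit(1561033001.007:215): avc:  denied  { read open } for  pid=2330 comm="crond" path="/tmp/job.lock" dev="tmpfs" ino=77 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:tmp_t tclass=file permissive=0
type=AVC msg=audit(1561033040.550:230): avc:  denied  { search } for  pid=2412 comm="rsync" name="log" dev="sda2" ino=310 scontext=system_u:system_r:rsync_t tcontext=system_u:object_r:var_log_t tclass=dir permissive=0
EOF
}

# avc_summary: read raw audit records on stdin and print one line per distinct
# (comm, source type -> target type, class, {permissions}), prefixed by a hit count.
avc_summary() {
    awk '
    /avc:[ ]+denied/ {
        perms = comm = src = tgt = cls = "?"
        # The denied permissions sit between the braces: { read open }
        o = index($0, "{"); c = index($0, "}")
        if (o && c > o) {
            perms = substr($0, o + 1, c - o - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # The type is the third colon-separated field of a context.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        count[comm " " src " -> " tgt " " cls " {" perms "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Offline demo on the constructed records; on a real system feed it
# /var/log/audit/audit.log instead.
sample_avc_log | avc_summary

# Next step for ONE process only (assumed module name "nginxlocal"):
#   ausearch -m AVC -c nginx --raw | audit2allow -m nginxlocal > nginxlocal.te
# Read nginxlocal.te before building or loading anything from it.
```

A line such as httpd_t reading user_home_t usually points to a mislabeled file, which is a file-context fix rather than a reason for a new allow rule.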