SE Linux Questions

Phil Schaffner Philip.R.Schaffner at NASA.gov
Tue Apr 13 21:17:25 UTC 2004


On Tue, 2004-04-13 at 11:48, Jason Montleon wrote:
> First off I profess total newbie when it comes to SE Linux, I've been 
> reading SE Linux and SE Linux Policy HOWTO's and FAQ's for the last couple 
> days and my head is spinning, so bear with me.

SElinux makes my head spin also, so I'm probably not very helpful here
as far as your primary question below.  The learning curve for
non-SElinux users is going to be very steep with FC2, and would seem to
be a major barrier to adoption without some much better docs and an
install-time option to turn it off.  I'm currently running in permissive
mode much of the time to be able to function.

> 
> I have my system running in runlevel 3, which is how I prefer.
> When I log in with my account on my system I get the following:
> 
> Your default context is user_u:sysadm_r:sysadm_t.
> 
> Do you want to choose a different one? [n]
> 
> I choose no and move on, fair enough.  However, if I try to run startx I get 
> the following :
> Apr 13 11:21:01 fc2 kernel: audit(1081869661.602:0): avc:  denied  { search } for  pid=8996 exe=/usr/X11R6/bin/xauth name=jason dev=hda4 ino=581186 scontext=user_u:sysadm_r:sysadm_xauth_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
> 
> 
> So I logged out (newrole doesn't seem to be playing nice but that could be 
> a matter of PEBCAK)
> and back in this time selecting user_u:user_r:user:t
> Now I can run startx but when I try to run the system-control-network 
> program, I just get tons of these messages on the screen if I hit 
> Ctrl-Alt-F[1-6]:
> Apr 13 11:11:12 fc2 kernel: audit(1081869072.436:0): avc:  denied  { setuid } for  pid=1237 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
> Apr 13 11:11:12 fc2 kernel: audit(1081869072.471:0): avc:  denied  { setuid } for  pid=1237 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
> 
> Using su to login as me again I choose user_u:sysadm_r:sysadm_t in a 
> gnome-terminal or xterm or whatever and now when I run 
> system-control-network from that terminal it runs as expected (as a 
> user, which I have by the way configured users to be able to 
> activate/deactivate the network interface)
> 
> Also I originally had sendmail installed and did 'rpm -e --nodeps sendmail' 

Very bad idea on the --nodeps flag.  Should only be a last desperate
resort (although I must confess to having resorted to it in the past -
pre-yum/apt-get days).  postfix and sendmail packages seem to be able to
co-exist nicely.

> then 'yum install postfix' Now when postfix starts at system boot up it is 
> giving this error message:
> Apr 13 10:27:24 fc2 kernel: audit(1081866443.844:0): avc:  denied  { write } for  pid=1356 exe=/usr/sbin/postalias name=postfix dev=hda4 ino=1904993 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=dir
> 
> I'm not asking how to fix all this per se; when my head stops swimming in 
> info and sorts it out I'll manage that, but how much of this is bad/unsorted 
> out default policy problems that need to be told to the proper 
> person/bugzilla'd and how much is just getting used to the ways of SE Linux?
> 
> This is with all RPM's updated as of 30 minutes or so ago...

I'll also be interested in answers to the above.

Phil
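The three kinds of AVC denial quoted above (a directory search by xauth, a setuid capability request by bash/usernetctl, and a directory write by postalias) all share one record format, and the first step in deciding whether a denial is a policy bug or expected confinement is to pull out the source type, target type, object class and permission. The script below is an added example and is not part of this thread or of Fedora's own tooling (audit2allow does the same job in the real distribution). It takes the quoted log lines, re-joined onto one line each and embedded as constructed sample input, parses every field after "for", and collapses the denials into the allow-rule syntax used by SELinux policy so they can be compared against the installed policy. The capability-number table is limited to the low Linux capability numbers and is included only to name capability=7.

```python
import re

# Constructed sample input: the AVC denials quoted in the thread, one record per line.
SAMPLE_LOG = """\
Apr 13 11:21:01 fc2 kernel: audit(1081869661.602:0): avc:  denied  { search } for  pid=8996 exe=/usr/X11R6/bin/xauth name=jason dev=hda4 ino=581186 scontext=user_u:sysadm_r:sysadm_xauth_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 13 11:11:12 fc2 kernel: audit(1081869072.436:0): avc:  denied  { setuid } for  pid=1237 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 13 11:11:12 fc2 kernel: audit(1081869072.471:0): avc:  denied  { setuid } for  pid=1237 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 13 10:27:24 fc2 kernel: audit(1081866443.844:0): avc:  denied  { write } for  pid=1356 exe=/usr/sbin/postalias name=postfix dev=hda4 ino=1904993 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=dir
"""

# Linux capability numbers 0..7 (from linux/capability.h); enough to name capability=7.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
}

# "avc:  denied  { search write } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one kernel AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # A context is user:role:type (an optional MLS level may follow on newer kernels);
    # the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    if "capability" in rec:
        rec["capability_name"] = CAP_NAMES.get(int(rec["capability"]), "unknown")
    return rec


def parse_log(text):
    """Return the parsed AVC records from a block of syslog text, skipping other lines."""
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Group denials by (source type, target type, class) and render each group as an
    SELinux allow rule, the form in which it can be checked against existing policy."""
    grouped = {}
    for rec in records:
        if rec["decision"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        grouped.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt   # policy writes same-domain targets as self
        rules.append("allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["exe"], rec.get("capability_name", rec.get("name", "")),
              rec["scontext_type"], "->", rec["tcontext_type"], rec["tclass"], rec["perms"])
    print("\n".join(summarize(recs)))
```

The summarized rules make the question in the thread concrete: a denial such as sysadm_xauth_t searching user_home_dir_t reads like a policy gap (xauth must reach the user's home directory for startx to work at all), whereas user_t being refused CAP_SETUID is exactly what an unprivileged user domain is supposed to look like, and the fix is to run the tool from a privileged role rather than to grant the permission.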





