[DSE-User] troubles

pimpante_v at libero.it pimpante_v at libero.it
Wed Dec 28 14:27:15 UTC 2011


Dear friends, I installed SELinux (packages selinux-basics and selinux-policy-default) 
on Debian squeeze, but I got this output from audit2allow -a:

#============= NetworkManager_t ==============
allow NetworkManager_t dhcpc_state_t:file { read getattr open };
allow NetworkManager_t etc_runtime_t:file append;
allow NetworkManager_t etc_t:file unlink;

#============= consolekit_t ==============
allow consolekit_t self:process setfscreate;

#============= devicekit_power_t ==============
allow devicekit_power_t NetworkManager_exec_t:file getattr;
allow devicekit_power_t anacron_exec_t:file { read getattr open execute 
execute_no_trans };
allow devicekit_power_t apmd_exec_t:file getattr;
allow devicekit_power_t audisp_exec_t:file getattr;
allow devicekit_power_t auditd_exec_t:file getattr;
allow devicekit_power_t avahi_exec_t:file getattr;
allow devicekit_power_t consolekit_exec_t:file getattr;
allow devicekit_power_t crond_exec_t:file getattr;
allow devicekit_power_t cupsd_exec_t:file getattr;
allow devicekit_power_t dbusd_exec_t:file getattr;
allow devicekit_power_t devlog_t:sock_file write;
allow devicekit_power_t exim_exec_t:file getattr;
allow devicekit_power_t getty_exec_t:file getattr;
allow devicekit_power_t init_exec_t:file getattr;
allow devicekit_power_t initrc_exec_t:file { read getattr open execute 
execute_no_trans };
allow devicekit_power_t initrc_var_run_t:file { read lock open };
allow devicekit_power_t kerneloops_exec_t:file getattr;
allow devicekit_power_t lib_t:file execute_no_trans;
allow devicekit_power_t modemmanager_exec_t:file getattr;
allow devicekit_power_t policykit_exec_t:file getattr;
allow devicekit_power_t portmap_exec_t:file getattr;
allow devicekit_power_t restorecond_exec_t:file getattr;
allow devicekit_power_t rpcd_exec_t:file getattr;
allow devicekit_power_t syslogd_exec_t:file getattr;
allow devicekit_power_t syslogd_t:unix_dgram_socket sendto;
allow devicekit_power_t system_cron_spool_t:dir search;
allow devicekit_power_t system_cron_spool_t:file { read write open setattr };
allow devicekit_power_t system_cronjob_t:process signull;
allow devicekit_power_t udev_exec_t:file getattr;
allow devicekit_power_t var_spool_t:dir search;
allow devicekit_power_t wm_exec_t:file getattr;
allow devicekit_power_t xserver_exec_t:file getattr;

#============= initrc_su_t ==============
allow initrc_su_t system_dbusd_t:unix_stream_socket connectto;
allow initrc_su_t system_dbusd_var_run_t:dir search;
allow initrc_su_t system_dbusd_var_run_t:sock_file write;
allow initrc_su_t user_home_dir_t:dir search;

#============= initrc_t ==============
allow initrc_t lib_t:file execmod;
allow initrc_t self:process { execstack execmem };

#============= modemmanager_t ==============
allow modemmanager_t self:process getsched;

#============= mount_t ==============
allow mount_t fuse_device_t:chr_file { write read };

#============= setfiles_t ==============
allow setfiles_t apt_t:fd use;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_initrc_exec_t:file { read getattr open 
execute execute_no_trans };
allow system_dbusd_t apt_var_lib_t:dir { getattr search };
allow system_dbusd_t avahi_var_run_t:dir { write remove_name add_name };
allow system_dbusd_t avahi_var_run_t:file { rename write getattr create unlink 
open };
allow system_dbusd_t bin_t:file { ioctl execute read open getattr 
execute_no_trans };
allow system_dbusd_t bin_t:lnk_file read;
allow system_dbusd_t binfmt_misc_fs_t:dir { read getattr };
allow system_dbusd_t boot_t:dir { read getattr };
allow system_dbusd_t dpkg_exec_t:file getattr;
allow system_dbusd_t dpkg_t:unix_stream_socket connectto;
allow system_dbusd_t dpkg_var_lib_t:dir search;
allow system_dbusd_t dpkg_var_lib_t:file getattr;
allow system_dbusd_t etc_runtime_t:file { read getattr open };
allow system_dbusd_t etc_t:file { execute execute_no_trans };
allow system_dbusd_t fixed_disk_device_t:blk_file getattr;
allow system_dbusd_t fonts_cache_t:dir search;
allow system_dbusd_t fonts_cache_t:file { read getattr open };
allow system_dbusd_t fonts_t:dir { getattr search };
allow system_dbusd_t fonts_t:file { read getattr open };
allow system_dbusd_t fusefs_t:dir { read search open getattr };
allow system_dbusd_t fusefs_t:file getattr;
allow system_dbusd_t gconf_etc_t:dir { read search open getattr };
allow system_dbusd_t gconf_etc_t:file { read getattr open };
allow system_dbusd_t gconf_home_t:dir { search read create write getattr 
remove_name open add_name };
allow system_dbusd_t gconf_home_t:file { rename setattr read create write 
getattr unlink open append };
allow system_dbusd_t ifconfig_exec_t:file { read getattr open execute 
execute_no_trans };
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
allow system_dbusd_t initrc_var_run_t:file { read getattr open };
allow system_dbusd_t ldconfig_exec_t:file { read execute open execute_no_trans 
};
allow system_dbusd_t lib_t:file execute_no_trans;
allow system_dbusd_t mnt_t:dir { search getattr };
allow system_dbusd_t mono_t:unix_stream_socket connectto;
allow system_dbusd_t node_t:udp_socket node_bind;
allow system_dbusd_t policykit_exec_t:file { read execute open 
execute_no_trans };
allow system_dbusd_t proc_net_t:file { read getattr open };
allow system_dbusd_t removable_device_t:blk_file getattr;
allow system_dbusd_t self:capability { net_admin sys_ptrace };
allow system_dbusd_t self:netlink_kobject_uevent_socket { read bind create 
setopt getattr };
allow system_dbusd_t self:netlink_route_socket nlmsg_write;
allow system_dbusd_t self:process execmem;
allow system_dbusd_t self:shm { unix_read write unix_write read destroy create 
};
allow system_dbusd_t shell_exec_t:file { read execute open execute_no_trans };
allow system_dbusd_t sysctl_fs_t:dir search;
allow system_dbusd_t sysctl_net_t:dir search;
allow system_dbusd_t system_dbusd_tmp_t:sock_file { write create unlink 
setattr };
allow system_dbusd_t tmpfs_t:dir { read getattr };
allow system_dbusd_t tmpfs_t:file { read write };
allow system_dbusd_t unconfined_execmem_t:unix_stream_socket connectto;
allow system_dbusd_t user_home_dir_t:file { read append };
allow system_dbusd_t user_home_t:dir { rename search setattr read reparent 
write getattr rmdir remove_name open add_name };
allow system_dbusd_t user_home_t:file { rename write getattr read create 
unlink open };
allow system_dbusd_t user_home_t:lnk_file { read rename getattr unlink };
allow system_dbusd_t var_lib_t:dir { write remove_name add_name };
allow system_dbusd_t var_lib_t:file { rename read create write getattr unlink 
open append };
allow system_dbusd_t wpa_cli_exec_t:file getattr;
allow system_dbusd_t xserver_t:unix_stream_socket connectto;

#============= system_mail_t ==============
allow system_mail_t var_lib_t:file { read getattr open };

#============= udev_t ==============
allow udev_t consolekit_var_run_t:dir search;
allow udev_t consolekit_var_run_t:file { read getattr open };
allow udev_t system_dbusd_t:fd use;

#============= xserver_t ==============
allow xserver_t lib_t:file execmod;

I tried building a local policy module with audit2allow -M and loading it with semodule -i, but 
it does not work: audit2allow -a -w reports messages such as
   Possible mismatch between this policy and the one under which the audit 
message was generated.
   Possible mismatch between current in-memory boolean settings vs. permanent 
ones.
and audit2allow -a still prints the same output shown above.
I would be very grateful for any help.
Victor
  


