Sandro, posted May 29, 2017

Hi to All :) I followed the Funtoo guide about SELinux (http://www.funtoo.org/SELinux/Install). Actually, the status is:

ci74771ht ~ # sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      30

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/openrc                    system_u:object_r:rc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

And:

ci74771ht ~ # id -Z
unconfined_u:unconfined_r:unconfined_t

If I try to change to "enforcing"... I had errors about iptables and ufw (so about firewalls, I think), and xorg starts but I can see only a "black screen" and the keyboard seems "frozen". (Excuse my bad English.) What could I do? Thx :)
kryptus, posted June 12, 2017

I would recommend a day or two of practice with audit2allow in permissive mode, just so you get used to it, and after that it will be easy for you to manage policies etc... Your options are pretty much like this (use permissive for practice; even though it doesn't "deny", it still prints denials, so the commands below will work just as well (memorize the necessary policies)):

# audit2allow -w -a
  <-- this command will tell you in a human-readable format what has been denied (you are going to use this a lot)... when you're enforcing, a lot of stuff is going to be denied, like xorg stuff + ip/net stuff (of course)

# audit2allow -a
  <-- this command will print a so-called "type-enforcement rule"

# audit2allow -a -M somepolicy
  <-- Now this is your way around... the output of the audit2allow -a command will now be stored in a somepolicy.pp file (you can use any file name you like instead of <somepolicy>)

# semodule -i somepolicy.pp
  <-- This is how you install your custom modules, and everything that audit2allow -a has logged as denied will now be allowed

NOTE: This is a bad practice in reality (production environment), you should never allow ALL denied services, but for practice it's perfectly fine. I think the policies you make in permissive mode remain across boots/type changes...

Let me know how it went, and... Good luck!

P.S. Here are some links you might find useful:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
https://wiki.centos.org/HowTos/SELinux
http://danwalsh.livejournal.com/24750.html
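As an added illustration (not code from this thread or from the audit2allow project), the script below does a small part of what `audit2allow -a` does on the denials discussed above: it parses AVC denial lines, merges them per source type / target type / object class, and prints draft allow rules, so each rule can be read and judged before anything goes into a module rather than installing every denial wholesale. The audit lines, process names and types (iptables_t, xserver_t, var_run_t, dri_device_t) are constructed samples, written without an MLS suffix to match the "Policy MLS status: disabled" output in the first post.

```python
import re
from collections import defaultdict

# Constructed sample audit.log content (not taken from the thread). Contexts
# carry no ":s0" MLS suffix, matching a policy with MLS disabled; the parser
# below copes with either form. permissive=1 marks denials logged but not
# enforced, which is exactly what you see while practising in permissive mode.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1496000000.101:201): avc:  denied  { read } for  pid=1201 comm="iptables" name="xtables.lock" dev="sda2" ino=4101 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1496000000.102:202): avc:  denied  { write } for  pid=1201 comm="iptables" name="xtables.lock" dev="sda2" ino=4101 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1496000000.103:203): avc:  denied  { ioctl } for  pid=1337 comm="Xorg" path="/dev/dri/card0" dev="devtmpfs" ino=9001 scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1
type=SYSCALL msg=audit(1496000000.103:203): arch=c000003e syscall=16 success=yes exit=0
"""

# Matches only AVC *denials*; SYSCALL records and granted AVCs are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:mls] -> type (the third field of a security context)."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)} for every AVC denial."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def draft_te_rules(denials):
    """Render one 'allow' rule per (source, target, class), merged as audit2allow -a would."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in draft_te_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Feed it a real `/var/log/audit/audit.log` and compare its output with `audit2allow -a`; the point of the exercise is to recognise which of the merged rules are ones you would actually want in a module.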
Sandro (author), posted June 13, 2017

Thx very much ;)