LINUX.ORG.RU

Change history

Edit by Atlant (current version):

Log excerpts, for information.

# cat /etc/selinux/config | grep -v ^#
SELINUX=permissive
SELINUXTYPE=targeted

# dmesg | grep avc
[    7.492739] audit: type=1400 audit(1583328035.300:4): avc:  denied  { write } for  pid=834 comm="lvm" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    7.613310] audit: type=1400 audit(1583328035.420:5): avc:  denied  { read } for  pid=834 comm="lvm" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    7.614328] audit: type=1400 audit(1583328035.420:6): avc:  denied  { open } for  pid=834 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    8.625495] audit: type=1400 audit(1583328036.432:7): avc:  denied  { read } for  pid=1211 comm="dmesg" name="linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.626669] audit: type=1400 audit(1583328036.432:8): avc:  denied  { open } for  pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.626669] audit: type=1400 audit(1583328036.432:9): avc:  denied  { getattr } for  pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.837421] audit: type=1400 audit(1583328036.644:10): avc:  denied  { setattr } for  pid=1277 comm="mknod" name="ppp" dev="devtmpfs" ino=5409 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    9.026961] audit: type=1400 audit(1583328036.832:11): avc:  denied  { read } for  pid=1346 comm="udevd" name="run" dev="md1" ino=789074 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[   11.045839] audit: type=1400 audit(1583328039.232:18): avc:  denied  { read } for  pid=1805 comm="mount" name="run" dev="md1" ino=789074 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[   11.442022] audit: type=1400 audit(1583328039.628:19): avc:  denied  { mounton } for  pid=1875 comm="mount" path="/tmp/tmp.sBcvbTl2v0" dev="tmpfs" ino=807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1

# id -Z
unconfined_u:unconfined_r:unconfined_t
# ls -Z /dev/null
system_u:object_r:null_device_t /dev/null
# ls -Z /dev/urandom
system_u:object_r:urandom_device_t /dev/urandom


Beyond that I didn't bother writing out the rest of the permissions.

P.S. With the "strict" policy there are denials too, just different ones.

I don't deny that Gentoo isn't intended for SELinux, but testing on it is easier for me.

Original version by Atlant:

Log excerpts, for information.

# cat /etc/selinux/config | grep -v ^#
SELINUX=permissive
SELINUXTYPE=targeted

# dmesg | grep avc
[    7.492739] audit: type=1400 audit(1583328035.300:4): avc:  denied  { write } for  pid=834 comm="lvm" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    7.613310] audit: type=1400 audit(1583328035.420:5): avc:  denied  { read } for  pid=834 comm="lvm" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    7.614328] audit: type=1400 audit(1583328035.420:6): avc:  denied  { open } for  pid=834 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    8.625495] audit: type=1400 audit(1583328036.432:7): avc:  denied  { read } for  pid=1211 comm="dmesg" name="linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.626669] audit: type=1400 audit(1583328036.432:8): avc:  denied  { open } for  pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.626669] audit: type=1400 audit(1583328036.432:9): avc:  denied  { getattr } for  pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.837421] audit: type=1400 audit(1583328036.644:10): avc:  denied  { setattr } for  pid=1277 comm="mknod" name="ppp" dev="devtmpfs" ino=5409 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    9.026961] audit: type=1400 audit(1583328036.832:11): avc:  denied  { read } for  pid=1346 comm="udevd" name="run" dev="md1" ino=789074 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[   11.045839] audit: type=1400 audit(1583328039.232:18): avc:  denied  { read } for  pid=1805 comm="mount" name="run" dev="md1" ino=789074 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[   11.442022] audit: type=1400 audit(1583328039.628:19): avc:  denied  { mounton } for  pid=1875 comm="mount" path="/tmp/tmp.sBcvbTl2v0" dev="tmpfs" ino=807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1

# id -Z
unconfined_u:unconfined_r:unconfined_t
# ls -Z /dev/null
system_u:object_r:null_device_t /dev/null
# ls -Z /dev/urandom
system_u:object_r:urandom_device_t /dev/urandom


P.S. With the "strict" policy there are denials too, just different ones.

I don't deny that Gentoo isn't intended for SELinux, but testing on it is easier for me.
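Denials like the ones quoted above are usually fed straight into audit2allow, but it pays to look at the target label first. As an added example (not part of Atlant's post), the Python script below parses the AVC lines from the post, groups them by (source type, target type, object class) and separates denials against generic labels such as device_t and unlabeled_t from denials against specific labels. A generic target label typically means the object had not been relabeled yet at that point of boot (the post's own `ls -Z` output shows /dev/null and /dev/urandom carrying null_device_t and urandom_device_t once the system is up), so writing an allow rule for it would paper over a labeling problem; a denial against a specific label is what actually points at a missing policy rule. The heuristic split and the generated allow-rule text are the example's own assumptions; the input lines are copied from the post.

```python
import re
from collections import defaultdict

# AVC lines copied verbatim from the dmesg output quoted in the post above.
SAMPLE_DMESG = """\
[    7.492739] audit: type=1400 audit(1583328035.300:4): avc:  denied  { write } for  pid=834 comm="lvm" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    7.613310] audit: type=1400 audit(1583328035.420:5): avc:  denied  { read } for  pid=834 comm="lvm" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    7.614328] audit: type=1400 audit(1583328035.420:6): avc:  denied  { open } for  pid=834 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    8.625495] audit: type=1400 audit(1583328036.432:7): avc:  denied  { read } for  pid=1211 comm="dmesg" name="linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.626669] audit: type=1400 audit(1583328036.432:8): avc:  denied  { open } for  pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.626669] audit: type=1400 audit(1583328036.432:9): avc:  denied  { getattr } for  pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[    8.837421] audit: type=1400 audit(1583328036.644:10): avc:  denied  { setattr } for  pid=1277 comm="mknod" name="ppp" dev="devtmpfs" ino=5409 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[    9.026961] audit: type=1400 audit(1583328036.832:11): avc:  denied  { read } for  pid=1346 comm="udevd" name="run" dev="md1" ino=789074 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[   11.045839] audit: type=1400 audit(1583328039.232:18): avc:  denied  { read } for  pid=1805 comm="mount" name="run" dev="md1" ino=789074 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[   11.442022] audit: type=1400 audit(1583328039.628:19): avc:  denied  { mounton } for  pid=1875 comm="mount" path="/tmp/tmp.sBcvbTl2v0" dev="tmpfs" ino=807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1
"""

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (this example's assumption): these target types mean the object
# carries a default/generic label, i.e. it has not been relabeled yet, rather
# than a specific label that the policy deliberately denies.
GENERIC_TARGET_TYPES = {"device_t", "unlabeled_t"}


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }
    # user:role:type[:range] -> the type is the third field
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comms"].add(rec["comm"])
    return dict(groups)


def classify(key):
    """'labeling' if the target label is generic (fix with restorecon), else 'policy'."""
    _stype, ttype, _tclass = key
    return "labeling" if ttype in GENERIC_TARGET_TYPES else "policy"


def allow_rule(key, perms):
    """Render the allow rule audit2allow would emit for this group (for comparison)."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for key, g in summarize(SAMPLE_DMESG.splitlines()).items():
        kind = classify(key)
        print(f"[{kind:8}] x{g['count']} {','.join(sorted(g['comms']))}: {allow_rule(key, g['perms'])}")
```

Run against the quoted lines the script reports six distinct groups, four of them against device_t or unlabeled_t (lvm, mknod, udevd and mount during early boot, before devtmpfs and the root filesystem were relabeled) and two against specific labels (dmesg_t reading etc_t, mount_t mounting on initrc_tmp_t), which are the ones worth examining as policy gaps before loading anything audit2allow produces.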