Change history
Edit by Atlant, (current version):
Log excerpts, for information.
# cat /etc/selinux/config | grep -v ^#
SELINUX=permissive
SELINUXTYPE=targeted
# dmesg | grep avc
[ 7.492739] audit: type=1400 audit(1583328035.300:4): avc: denied { write } for pid=834 comm="lvm" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 7.613310] audit: type=1400 audit(1583328035.420:5): avc: denied { read } for pid=834 comm="lvm" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 7.614328] audit: type=1400 audit(1583328035.420:6): avc: denied { open } for pid=834 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 8.625495] audit: type=1400 audit(1583328036.432:7): avc: denied { read } for pid=1211 comm="dmesg" name="linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 8.626669] audit: type=1400 audit(1583328036.432:8): avc: denied { open } for pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 8.626669] audit: type=1400 audit(1583328036.432:9): avc: denied { getattr } for pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 8.837421] audit: type=1400 audit(1583328036.644:10): avc: denied { setattr } for pid=1277 comm="mknod" name="ppp" dev="devtmpfs" ino=5409 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 9.026961] audit: type=1400 audit(1583328036.832:11): avc: denied { read } for pid=1346 comm="udevd" name="run" dev="md1" ino=789074 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[ 11.045839] audit: type=1400 audit(1583328039.232:18): avc: denied { read } for pid=1805 comm="mount" name="run" dev="md1" ino=789074 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[ 11.442022] audit: type=1400 audit(1583328039.628:19): avc: denied { mounton } for pid=1875 comm="mount" path="/tmp/tmp.sBcvbTl2v0" dev="tmpfs" ino=807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1
# id -Z
id -Z
unconfined_u:unconfined_r:unconfined_t
# ls -Z /dev/null
system_u:object_r:null_device_t /dev/null
# ls -Z /dev/urandom
system_u:object_r:urandom_device_t /dev/urandom
I didn't bother writing out the permissions any further.
P.S. With the "strict" policy there are denials too, just different ones.
I don't deny that Gentoo isn't designed for SELinux, but it's easier for me to test on it.
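An added example (not part of Atlant's post) that parses AVC lines of the kind quoted above, groups them into audit2allow-style candidate rules, and sets apart denials whose target is device_t or unlabeled_t: the post's own output shows lvm hitting /dev/null as device_t at boot while ls -Z later reports null_device_t, so those denials are a labeling/boot-ordering problem, not a missing rule. The sample lines are copied from the post; LABELING_TYPES is my own assumption.

```python
import re
# Sample AVC lines copied from the post above (dmesg output, spacing normalized).
SAMPLE_DMESG = """\
[ 7.492739] audit: type=1400 audit(1583328035.300:4): avc: denied { write } for pid=834 comm="lvm" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 7.613310] audit: type=1400 audit(1583328035.420:5): avc: denied { read } for pid=834 comm="lvm" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 7.614328] audit: type=1400 audit(1583328035.420:6): avc: denied { open } for pid=834 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 9.026961] audit: type=1400 audit(1583328036.832:11): avc: denied { read } for pid=1346 comm="udevd" name="run" dev="md1" ino=789074 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[ 11.442022] audit: type=1400 audit(1583328039.628:19): avc: denied { mounton } for pid=1875 comm="mount" path="/tmp/tmp.sBcvbTl2v0" dev="tmpfs" ino=807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1
"""

# Assumption (mine, not the post's): a target of one of these generic types
# means the object never got its real label (compare device_t at boot with
# null_device_t in ls -Z later), so relabel or fix boot ordering instead of
# adding an allow rule for it.
LABELING_TYPES = {"device_t", "unlabeled_t", "file_t", "default_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = tuple(d["perms"].split())
    # The third field of a context is its type (user:role:type[:mls]).
    d["stype"] = d.pop("scontext").split(":")[2]
    d["ttype"] = d.pop("tcontext").split(":")[2]
    return d

def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = {}
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return groups

def draft_rules(groups):
    """Render audit2allow-style rules; labeling problems are flagged, not allowed."""
    out = []
    for (s, t, cls), perms in sorted(groups.items()):
        rule = f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append(f"# RELABEL instead: {rule}" if t in LABELING_TYPES else rule)
    return out

if __name__ == "__main__":
    print("\n".join(draft_rules(summarize(SAMPLE_DMESG))))
```

Only the mount_t/initrc_tmp_t denial survives as a plain rule; the lvm_t and udev_t ones are flagged because their targets carry placeholder labels.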
Original version by Atlant, :
Log excerpts, for information.
# cat /etc/selinux/config | grep -v ^#
SELINUX=permissive
SELINUXTYPE=targeted
# dmesg | grep avc
[ 7.492739] audit: type=1400 audit(1583328035.300:4): avc: denied { write } for pid=834 comm="lvm" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 7.613310] audit: type=1400 audit(1583328035.420:5): avc: denied { read } for pid=834 comm="lvm" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 7.614328] audit: type=1400 audit(1583328035.420:6): avc: denied { open } for pid=834 comm="lvm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 8.625495] audit: type=1400 audit(1583328036.432:7): avc: denied { read } for pid=1211 comm="dmesg" name="linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 8.626669] audit: type=1400 audit(1583328036.432:8): avc: denied { open } for pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 8.626669] audit: type=1400 audit(1583328036.432:9): avc: denied { getattr } for pid=1211 comm="dmesg" path="/etc/terminfo/l/linux" dev="md1" ino=393606 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
[ 8.837421] audit: type=1400 audit(1583328036.644:10): avc: denied { setattr } for pid=1277 comm="mknod" name="ppp" dev="devtmpfs" ino=5409 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 9.026961] audit: type=1400 audit(1583328036.832:11): avc: denied { read } for pid=1346 comm="udevd" name="run" dev="md1" ino=789074 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[ 11.045839] audit: type=1400 audit(1583328039.232:18): avc: denied { read } for pid=1805 comm="mount" name="run" dev="md1" ino=789074 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file permissive=1
[ 11.442022] audit: type=1400 audit(1583328039.628:19): avc: denied { mounton } for pid=1875 comm="mount" path="/tmp/tmp.sBcvbTl2v0" dev="tmpfs" ino=807 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_tmp_t tclass=dir permissive=1
# id -Z
id -Z
unconfined_u:unconfined_r:unconfined_t
# ls -Z /dev/null
system_u:object_r:null_device_t /dev/null
# ls -Z /dev/urandom
system_u:object_r:urandom_device_t /dev/urandom
P.S. With the "strict" policy there are denials too, just different ones.
I don't deny that Gentoo isn't designed for SELinux, but it's easier for me to test on it.