On Tue, Sep 16 2008, Julien Cristau wrote:

> I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> /proc/net, creating a socket and doing anything with it, then some more
> errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> it's not allowed to connect to 11371/tcp), firefox, or gconfd-2.  Uptime
> is about 20 minutes, and dmesg|grep -c 'avc: denied' returns 73.
> Looks like it's not ready for prime time to me.

        Hmm.

__> dpkg -l | egrep '^ii' | wc -l
4431
__> uptime
 12:56:01 up 1:31, 2 users, load average: 0.46, 0.28, 0.20
__> audit2allow < /var/log/messages | egrep -v '(^$)|(^#)' | wc -l
9
__> audit2allow < /var/log/messages | egrep -v '(^$)|(^#)'
allow avahi_t httpd_t:dbus send_msg;
allow hald_t pcscd_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t system_dbusd_t:dbus send_msg;
allow insmod_t lib_t:file execute_no_trans;
allow mdadm_t device_t:blk_file { read ioctl };
allow mdadm_t file_t:dir search;
allow pcscd_t hald_t:dbus send_msg;
allow pcscd_t system_dbusd_t:dbus send_msg;

        I have not tried to boot into enforcing mode, but I am not
 sure which of these are actually needed, and which can safely be
 denied anyway.

        So, 9 missing lines in policy, out of which 6 are about dbus.
 Russell is probably way better than I to try to resolve these issues,
 but I'll see what I can do to help.

        I have apache2, I run emacs (an OS by itself), I run iceweasel
 in a 32-bit chroot. I have modified udev to automagically mount my
 ipod/rockbox.

        I humbly posit that this is pretty close to working now (for my
 development box, in default mode).

        manoj
-- 
"Go! And never darken my towels again!" --Groucho Marx, "Duck Soup".
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
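An added example, not part of the original message: a Python sketch that parses the nine audit2allow rules quoted in the reply, counts them per object class, and lists the domain pairs that have a dbus send_msg rule in both directions. The function names (parse_rules, by_class, reciprocal_pairs) are hypothetical; the rule text is copied from the message.

```python
import re
from collections import Counter

# The nine rules exactly as quoted in the message above.
RULES = """\
allow avahi_t httpd_t:dbus send_msg;
allow hald_t pcscd_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t system_dbusd_t:dbus send_msg;
allow insmod_t lib_t:file execute_no_trans;
allow mdadm_t device_t:blk_file { read ioctl };
allow mdadm_t file_t:dir search;
allow pcscd_t hald_t:dbus send_msg;
allow pcscd_t system_dbusd_t:dbus send_msg;
"""

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> };
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]*)\}|(?P<one>\S+))\s*;$"
)

def parse_rules(text):
    """Return (source, target, class, frozenset(perms)) per allow rule."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # same filter as the egrep -v in the message
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule: {line!r}")
        perms = (m["set"] or m["one"] or "").split()
        rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules

def by_class(rules):
    """Count rules per object class (dbus, file, dir, ...)."""
    return Counter(cls for _, _, cls, _ in rules)

def reciprocal_pairs(rules, cls="dbus"):
    """Domain pairs that have a rule of this class in both directions."""
    edges = {(s, t) for s, t, c, _ in rules if c == cls}
    return sorted({tuple(sorted(e)) for e in edges if (e[1], e[0]) in edges})

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    print(len(parsed), dict(by_class(parsed)))
    print(reciprocal_pairs(parsed))
```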