[DSE-Dev] Run gnome-terminal as 'user_u'
Russell Coker
russell at coker.com.au
Mon Jan 23 14:52:10 UTC 2017
On Monday, 23 January 2017 12:54:35 PM AEDT Reis, Alberto Silos wrote:

> I'm writing a type enforcement file to allow a selinux user 'user_u' start a
> gnome-session but I've got stuck on gnome-terminal. I have spent a couple
> of hours to give permissions as it claimed in AVC, however, now
> the ausearch does not report anything even disabling dontaudit rules.

I'm surprised at this, I had KDE working well and I didn't think that GNOME
required much more access.

> My current SELinux type is default (refpolicy
> selinux-policy-default_2:2.20140421-16_all) running on a Jessie 8.5 and my
> ruleset is at the following link.

Yay people are using that! ;)

> http://paste.debian.net/hidden/66e06cf5
>
> Is there anything else I could do to debug this issue?

What version of systemd are you using? The version from Jessie or something
newer? Systemd has been changing a lot and you can't expect good results from
trying to use Jessie policy with a newer system. However you can expect the
policy from Stretch to work with Jessie (any ways in which it fails to do so
can be considered as bugs - but I won't promise to fix all such bugs). The
systemd_logind_t access to tmpfs_t suggests to me that you are running a newer
systemd than comes with Jessie.

The standard procedure for upgrading a SE Linux system to a new release of
Debian should be to put it in permissive mode (in single-user mode if
appropriate), upgrade the kernel, policy, and utilities, then touch
/.autorelabel and reboot. Then once you have a working system with the new
policy and kernel you can upgrade daemons at your leisure.

Also you should try the -R and -v options to audit2allow. The policy you get
will often be clearer and more useful if you use the interfaces. The -v
option is handy because sometimes audit2allow gives an inappropriate
interface.

As for the original issue of having no messages reported, sometimes there are
dontaudit rules that stop them. If you run "semodule -DB" to build a policy
without dontaudit rules it can help find such things. Then you have to run
"semodule -B" later to go back to the usual configuration.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
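The reply above leans on audit2allow to turn AVC denials into type enforcement rules. As an added example (not code from this thread or from the audit2allow tool itself), the script below shows the core of that transformation: it parses the "avc: denied" records that ausearch prints, groups them by source type, target type and object class, and merges the permission sets into allow rules. The sample denial lines, PIDs, inode numbers and timestamps are constructed for this example; the script does no interface lookup, which is exactly what audit2allow -R adds on top of this raw form.

```python
"""Collapse SELinux AVC denial records into raw type-enforcement allow rules.

This is an illustrative reimplementation of the basic audit2allow step
(without the -R interface lookup), written for this example.
"""
import re
from collections import defaultdict

# Constructed sample records in the format ausearch -m avc prints.
# PIDs, inode numbers and audit timestamps are made up; the non-AVC
# SYSCALL line is included to show that it is ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1485182800.101:201): avc:  denied  { read } for  pid=2101 comm="gnome-terminal" name="vte-bin" dev="dm-0" ino=131337 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1485182800.102:202): avc:  denied  { execute } for  pid=2101 comm="gnome-terminal" name="vte-bin" dev="dm-0" ino=131337 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1485182800.103:203): avc:  denied  { write } for  pid=2102 comm="gnome-terminal" name="tmp" dev="tmpfs" ino=7 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485182800.104:204): avc:  denied  { add_name } for  pid=2102 comm="gnome-terminal" name="tmp" dev="tmpfs" ino=7 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1485182800.104:204): arch=c000003e syscall=83 success=yes exit=0 comm="gnome-terminal"
"""

# Matches the permission set and the three context fields of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Parse every 'avc: denied' record in text into a dict per denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        denials.append({
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            # permissive=1 means the access was logged but not blocked,
            # which is what you see after switching to permissive mode.
            "permissive": "permissive=1" in line,
        })
    return denials


def to_allow_rules(denials: list) -> list:
    """Merge denials on (source, target, class) and emit sorted allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def count_permissive(denials: list) -> int:
    """Number of records that were logged under permissive mode."""
    return sum(1 for d in denials if d["permissive"])


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    print(f"# {len(found)} denials, {count_permissive(found)} logged in permissive mode")
    for rule in to_allow_rules(found):
        print(rule)
```

The raw rules this produces (for example, allowing user_t to execute bin_t files) are the same kind audit2allow prints without -R; the point of -R is to replace such raw rules with the refpolicy interface that already expresses the access, which is the form worth putting in a module you intend to keep. The permissive flag is worth watching because once a system is in permissive mode every denial for a transition is logged, not only the first one that would have blocked it.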