Disclaimer: I am a 100% newbie on SELinux, so any inaccuracies, mistakes or fallacies are almost surely due to this fact.
After reading Russell's latest post on SELinux, and reading the 5-minute tutorial on SELinux, I decided I should try SELinux on my laptop, too.
Now I have it enabled/enforcing/permissive/refpolicy-targeted.
First issue, hal didn't start in my GNOME session, although the hal module appears to be loaded:
bounty:/emul/ia32-linux/usr/lib/dri# semodule -l | grep hal
hal 1.4.0
It seemed that gdomap indirectly required execstack. I cleared the execstack bit (or whatever it is) on libcallback.so.0.0.0 and libavcall.so.0.0.0 and gdomap started.
OTOH, oolite failed to start since it required execmem:
0 eddy@bounty ~ $ oolite
trampoline: cannot make memory executable
Aborted
And after allowing execmem it worked:
# setsebool allow_execmem=1
0 eddy@bounty ~ $ oolite
2007-10-09 01:42:04.686 oolite[26717] initialising SDL
open /dev/sequencer: No such file or directory
2007-10-09 01:42:04.789 oolite[26717] init: numSticks=0
2007-10-09 01:42:04.789 oolite[26717] CREATING MODE LIST
2007-10-09 01:42:04.789 oolite[26717] Added res 1024 x 768
...
I also seem to have some other denied messages, but I hope I'll understand this soon enough to make it work.
I would like to know if it is possible to allow execmem only for oolite, and since I suspect it is, how can I accomplish this?
So, now my question is, where is the fine manual on setting up SELinux? I dug the whole evening to get oolite to start.
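As an added example (not part of the original post, and not the author's or the refpolicy project's own code), this is the usual shape of a small refpolicy module that scopes execmem to one program instead of flipping the global allow_execmem boolean; the names oolite_t and oolite_exec_t, the use of the unconfined_run_to interface and the permissive statement are assumptions about the installed policy version.

```selinux
policy_module(oolite, 1.0.0)

########################################
# Declarations
#
# oolite_t is the domain the game runs in; oolite_exec_t labels its binary.
# Both names are assumptions made for this example.
type oolite_t;
type oolite_exec_t;
application_domain(oolite_t, oolite_exec_t)

# While the module is being developed, log denials for this domain but do
# not enforce them, so the rules the game still needs (X, audio, config
# files) can be generated from the audit log with audit2allow. Remove this
# line once the module is complete; it needs a policy version that supports
# permissive domains (assumed).
permissive oolite_t;

########################################
# Local policy
#
# The one thing the global allow_execmem boolean handed to every domain
# that the game actually needs: writable and executable anonymous memory.
# Granting it here leaves every other domain without it.
allow oolite_t self:process execmem;

# Desktop users in the targeted policy run as unconfined_t; transition them
# into oolite_t when they execute the labelled binary rather than running
# the game unconfined (refpolicy interface, assumed available).
unconfined_run_to(oolite_t, oolite_exec_t)
```

Build it with the development Makefile shipped by the policy dev package (typically `make -f /usr/share/selinux/devel/Makefile oolite.pp` followed by `semodule -i oolite.pp`), label the game binary with `semanage fcontext -a -t oolite_exec_t '/path/to/oolite'` (placeholder path) plus `restorecon`, and then set allow_execmem back to 0 so only oolite_t keeps the permission.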