Dear SELinux Gurus,
I am a PhD candidate conducting research into the usability of security
mechanisms. I would really appreciate some help regarding the use of
SELinux. Let me know if this is not the right place to be asking these
types of questions.
I generated a policy for opera using polgengui. I then ran the
Although SELinux was still set to enforcing mode opera seemed to run
unconfined. The executable and process was labelled as expected
(unconfined_u:unconfined_r:opera_t). AVCs were generated, but not
I added to opera.te using
grep opera /var/log/audit/audit.log | audit2allow >> opera.te
and reran ./opera.sh
until no AVCs were generated.
Looking at opera.te I noticed the line “permissive opera_t”, and not
knowing exactly what this line does, I thought it may be placing this
domain into permissive mode (although the gui tools suggest otherwise).
Removing the line causes “/bin/sh: /usr/bin/opera: Permission denied”.
No AVCs are generated.
So I am not sure why opera seams to be unconfined, or if removing the
permissive line was on the right track. Any advice?
Also I tried creating a policy for kwrite. This time the created policy
seemed to be in effect as soon as I ran the kwrite.sh script. I set
setenforce 0 and added to kwrite.te (as above for opera) until no error
msgs were generated. Then I reran ./kwrite.sh. Now kwrite exists with
“kwrite(2533): Couldn’t register name ‘”org.kate-editor.kwrite-2533’”
with DBUS – another process owns it already!”. When setenforce 0 it
runs without AVCs.
Again I am sure I am missing something simple and your advice will help
I need to resolve this asap and will really appreciate any advice.
Soon I will be running a comparative study comparing a number of
security mechanisms and I need to sort this out.