Chris PeBenito wrote:
> On Sun, 2008-04-20 at 12:12 +0200, François Valenduc wrote:
>
>> xake@×××××××××.net wrote:
>>
>>>> type=1400 audit(1208682664.167:223): avc: denied { read write } for
>>>> pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083
>>>> scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t
>>>> tclass=file
>>>>
>>> This is just an error about hwclock being unable to write to "faillog", so
>>> there must be something that goes wrong (making hwclock want to write to
>>> faillog).
>>>
>>>> I also got this error:
>>>> type=1400 audit(1208679707.497:84): avc: denied { read } for
>>>> pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059
>>>> scontext=root:system_r:hwclock_t
>>>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
>>>>
>>>> However, I think I solved it by issuing the commands "setsebool -P
>>>> global_ssp 1" and "load_policy".
>>>>
>>> This is because you have the hardened toolchain, compiling everything with
>>> PIE/SSP by default. SSP wants a random number (picked from /dev/urandom)
>>> when the binaries start. SELinux disables access to urandom by default, so
>>> you have to (as you did with setsebool) tell SELinux that your system is
>>> compiled with SSP and thus the access to urandom should be permitted.
>>>
>> Yes, this has been solved with setsebool. However, I still get the second
>> error (related to faillog). It also blocks distccd like this (even if
>> the corresponding SELinux policy is loaded):
>> type=1400 audit(1208681304.633:191): avc: denied { read write } for
>> pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083
>> scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t
>> tclass=file
>>
>> Do you know how to solve this second type of error?
>> Thanks for your help.
>>
>
> Seems weird that either of these programs would be writing to faillog,
> since that file is usually for logging login failures. Do you have any
> idea why this might be happening on your system?
>

So, since it's not expected that these programs will write to faillog,
SELinux prevents that. I don't have any idea why this is happening. I
don't know the internals of these programs. How could I find the reason?
Maybe a bad configuration of syslog-ng?

François Valenduc
--
gentoo-hardened@l.g.o mailing list
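The first step in a question like the one above is to pull the AVC denials apart by source domain, target type, object class and permission set, so that denials from unrelated domains against the same target (here hwclock_t and distccd_t both asking for read/write on faillog_t) stand out as one problem rather than two. The following is an added example, not code from the thread or from any SELinux tool; it parses the three denial lines quoted in the thread (embedded verbatim as sample input) and prints the grouping plus the allow rules that audit2allow would derive from them. Those rules are for review only: as the thread notes, the urandom denial is properly handled by the global_ssp boolean rather than a custom allow, and the faillog denial still needs a root cause before anything is allowed.

```python
import re
from collections import defaultdict

# The three AVC denials quoted in the thread above, used here as sample input.
SAMPLE_AVC = """\
type=1400 audit(1208682664.167:223): avc: denied { read write } for pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t tclass=file
type=1400 audit(1208679707.497:84): avc: denied { read } for pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=1400 audit(1208681304.633:191): avc: denied { read write } for pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t tclass=file
"""

# audit(<timestamp>:<serial>): avc: denied { perm perm } for key=value ...
# The "+" after "avc:" tolerates the double space some kernels emit.
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]*)\} for '
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        # user:role:type[:range]; the type is the third component.
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def parse_log(text):
    """Parse every AVC denial in a block of audit log text, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def group_by_target(records):
    """Map (target type, class, permission set) -> sorted source domains asking for it."""
    groups = defaultdict(set)
    for r in records:
        groups[(r['ttype'], r['tclass'], r['perms'])].add(r['sdomain'])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(records):
    """Derive the allow rules audit2allow would propose, merging perms per (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r['sdomain'], r['ttype'], r['tclass'])] |= r['perms']
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


if __name__ == '__main__':
    recs = parse_log(SAMPLE_AVC)
    print("denials grouped by target:")
    for (ttype, tclass, perms), domains in sorted(group_by_target(recs).items()):
        print(f"  {ttype}:{tclass} {{ {' '.join(sorted(perms))} }} <- {', '.join(domains)}")
    print("allow rules audit2allow would derive (review before loading anything):")
    for rule in allow_rules(recs):
        print("  " + rule)
```

Feed it `ausearch -m avc` output or `/var/log/audit/audit.log` instead of the embedded sample to run it on a live system; the grouping will show whether an unexpected target type is being requested by several unrelated domains, which is the signal that a shared component (a library, a PAM module, a logging path) rather than the individual program is the place to look.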