| 1 |
I've just converted a new 2007.0 amd64 hardened install to SELinux and |
| 2 |
selected the targeted policy. I had some fun and games that required |
| 3 |
downgrading portage to 2.1.2.2, but everything seems to have gone |
| 4 |
relatively smoothly. |
| 5 |
|
| 6 |
However... |
| 7 |
|
| 8 |
The system is still running in permissive mode and I'm seeing lots of avc |
| 9 |
log traffic for stuff I shouldn't be. A simple 'df' as root gives: |
| 10 |
|
| 11 |
denied { getattr } for pid=22043 comm="df" name="/" dev=selinuxfs ino=473 scontext=user_u:system_r:system_chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem |
| 12 |
denied { getattr } for pid=22043 comm="df" name="/" dev=sysfs ino=1 scontext=user_u:system_r:system_chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=filesystem |
| 13 |
denied { getattr } for pid=22043 comm="df" name="/" dev=sysfs ino=1 scontext=user_u:system_r:system_chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir |
| 14 |
... |
| 15 |
|
| 16 |
It looks like pretty much everything I do is getting logged. |
| 17 |
|
| 18 |
As far as I can tell everything is set up as it should be. The only thing |
| 19 |
I can find that looks unusual is: |
| 20 |
|
| 21 |
# ps -axZf |
| 22 |
|
| 23 |
system_u:system_r:sshd_t 24605 ? Ss 0:00 \_ sshd: ronan [priv] |
| 24 |
system_u:system_r:sshd_t 24610 ? S 0:00 | \_ sshd: ronan@pts/1 |
| 25 |
user_u:system_r:system_chkpwd_t 24611 pts/1 Ss 0:00 | \_ -bash |
| 26 |
user_u:system_r:system_chkpwd_t 24616 pts/1 S 0:00 | \_ su - |
| 27 |
user_u:system_r:system_chkpwd_t 24617 pts/1 S+ 0:00 | \_ -su |
| 28 |
|
| 29 |
system_u:system_r:local_login_t 6015 ttyS1 Ss 0:00 /bin/login -- |
| 30 |
root:system_r:unconfined_t 6029 ttyS1 S+ 0:00 \_ -bash |
| 31 |
|
| 32 |
My SSH login and it's child shells are running in system_chkpwd_t, rather |
| 33 |
than unconfined_t (which my console login runs as). This seems to be the |
| 34 |
cause of the avc denials above. |
| 35 |
|
| 36 |
I've re-emerged openssh (with portage 2.1.2.2) but it's made no |
| 37 |
difference. The only modules I've got loaded is: |
| 38 |
|
| 39 |
# semodule -l |
| 40 |
portmap 1.3.1 |
| 41 |
|
| 42 |
Am I missing something obvious, or is there something broken somewhere? |
| 43 |
|
| 44 |
|
| 45 |
-Ronan |
| 46 |
-- |
| 47 |
gentoo-hardened@g.o mailing list |
Archives