Hi, |
|
First of all, I am a newbie on SELinux. |
|
I have installed a new machine using |
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml . |
Everything was in order. But when I rebooted into "full function SELinux" |
in permissive mode, the following AVC denials appeared in my log. I think I forgot |
to install or enable something. |
|
Errors from dmesg: |
type=1400 audit(1329556527.347:3): avc: denied { read write } for |
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
tclass=chr_file |
type=1400 audit(1329556527.356:4): avc: denied { rlimitinh } for |
pid=1 comm="init" scontext=system_u:system_r:kernel_t |
tcontext=system_u:system_r:init_t tclass=process |
type=1400 audit(1329556527.365:5): avc: denied { siginh } for pid=1 |
comm="init" scontext=system_u:system_r:kernel_t |
tcontext=system_u:system_r:init_t tclass=process |
type=1400 audit(1329556527.374:6): avc: denied { noatsecure } for |
pid=1 comm="init" scontext=system_u:system_r:kernel_t |
tcontext=system_u:system_r:init_t tclass=process |
type=1400 audit(1329556527.385:7): avc: denied { getattr } for pid=1 |
comm="init" name="/" dev="selinuxfs" ino=1 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t |
tclass=filesystem |
type=1400 audit(1329556527.419:8): avc: denied { search } for pid=1 |
comm="init" name="var" dev="sda3" ino=260609 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t |
tclass=dir |
type=1400 audit(1329556527.452:9): avc: denied { rlimitinh } for |
pid=615 comm="rc" scontext=system_u:system_r:init_t |
tcontext=system_u:system_r:initrc_t tclass=process |
type=1400 audit(1329556527.463:10): avc: denied { siginh } for |
pid=615 comm="rc" scontext=system_u:system_r:init_t |
tcontext=system_u:system_r:initrc_t tclass=process |
|
.... |
|
type=1400 audit(1329552931.276:64): avc: denied { rlimitinh } for |
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:lvm_t tclass=process |
type=1400 audit(1329552931.276:65): avc: denied { siginh } for |
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:lvm_t tclass=process |
type=1400 audit(1329552931.276:66): avc: denied { noatsecure } for |
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:lvm_t tclass=process |
type=1400 audit(1329552931.555:67): avc: denied { setattr } for pid=7 |
comm="kdevtmpfs" name="dm-0" dev="devtmpfs" ino=1365 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t |
tclass=blk_file |
type=1400 audit(1329552931.591:68): avc: denied { rlimitinh } for |
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:lvm_t tclass=process |
type=1400 audit(1329552931.592:69): avc: denied { siginh } for |
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:lvm_t tclass=process |
type=1400 audit(1329552931.592:70): avc: denied { noatsecure } for |
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:lvm_t tclass=process |
type=1400 audit(1329552932.032:71): avc: denied { read } for pid=711 |
comm="udevd" name="15" dev="tmpfs" ino=1182 |
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t |
tclass=lnk_file |
type=1400 audit(1329552932.032:72): avc: denied { unlink } for |
pid=896 comm="udevd" name="15" dev="tmpfs" ino=1182 |
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t |
tclass=lnk_file |
type=1400 audit(1329552932.095:73): avc: denied { open } for pid=896 |
comm="udevd" name="disk\x2fby-id\x2fata-Maxtor_7Y250M0_Y652ABXE-part5" |
dev="tmpfs" ino=1173 scontext=system_u:system_r:udev_t |
tcontext=system_u:object_r:udev_tbl_t tclass=dir |
|
.... |
|
type=1400 audit(1329552936.309:104): avc: denied { read } for |
pid=1297 comm="ip" name="console" dev="tmpfs" ino=308 |
scontext=system_u:system_r:ifconfig_t |
tcontext=system_u:object_r:console_device_t tclass=chr_file |
type=1400 audit(1329552936.309:105): avc: denied { rlimitinh } for |
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:ifconfig_t tclass=process |
type=1400 audit(1329552936.309:106): avc: denied { siginh } for |
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:ifconfig_t tclass=process |
type=1400 audit(1329552936.309:107): avc: denied { noatsecure } for |
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:ifconfig_t tclass=process |
|
.... |
|
type=1400 audit(1329552936.600:108): avc: denied { write } for |
pid=1394 comm="mount" name="/" dev="binfmt_misc" ino=1 |
scontext=system_u:system_r:mount_t |
tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir |
|
.... |
|
type=1400 audit(1329552937.232:109): avc: denied { use } for pid=1519 |
comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308 |
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t |
tclass=fd |
type=1400 audit(1329552937.232:110): avc: denied { read } for |
pid=1519 comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308 |
scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:object_r:console_device_t tclass=chr_file |
type=1400 audit(1329552937.232:111): avc: denied { rlimitinh } for |
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:dhcpc_t tclass=process |
type=1400 audit(1329552937.232:112): avc: denied { siginh } for |
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:dhcpc_t tclass=process |
type=1400 audit(1329552937.232:113): avc: denied { noatsecure } for |
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t |
tcontext=system_u:system_r:dhcpc_t tclass=process |
|
.... |
|
type=1400 audit(1329552945.165:115): avc: denied { read write } for |
pid=1562 comm="hostname" path="socket:[2866]" dev="sockfs" ino=2866 |
scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t |
tclass=unix_stream_socket |
type=1400 audit(1329552945.165:116): avc: denied { rlimitinh } for |
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:system_r:hostname_t tclass=process |
type=1400 audit(1329552945.165:117): avc: denied { siginh } for |
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:system_r:hostname_t tclass=process |
type=1400 audit(1329552945.165:118): avc: denied { noatsecure } for |
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:system_r:hostname_t tclass=process |
type=1400 audit(1329552945.221:119): avc: denied { execute } for |
pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958 |
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t |
tclass=file |
type=1400 audit(1329552945.221:120): avc: denied { read open } for |
pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958 |
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t |
tclass=file |
type=1400 audit(1329552945.221:121): avc: denied { execute_no_trans } |
for pid=1571 comm="rc-service" path="/sbin/rc" dev="sda3" ino=390958 |
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t |
tclass=file |
type=1400 audit(1329552945.225:122): avc: denied { getattr } for |
pid=1571 comm="rc" path="/etc/init.d/ntpd" dev="sda3" ino=765 |
scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:object_r:initrc_exec_t tclass=file |
type=1400 audit(1329552945.244:123): avc: denied { execute } for |
pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765 |
scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:object_r:initrc_exec_t tclass=file |
type=1400 audit(1329552945.244:124): avc: denied { read open } for |
pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765 |
scontext=system_u:system_r:dhcpc_t |
tcontext=system_u:object_r:initrc_exec_t tclass=file |
|
Thanks |
-- |
Tomas Dobrovolny |