Gentoo Archives: gentoo-hardened

From: "Tomáš Dobrovolný" <tomas@××××××××××.eu>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Switching hardened amd64 to SELinux
Date: Sat, 18 Feb 2012 10:14:40
Message-Id: 4F3F79D0.3030500@dobrovolny.eu
Hi,

first of all, I am a newbie on SELinux.

I have installed a new machine using
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml .
Everything was in order. But when I reboot into "full function SELinux"
in permissive mode, the following AVC errors appear in my log. I think I
forgot to install or turn on something.

Errors from dmesg:
type=1400 audit(1329556527.347:3): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
type=1400 audit(1329556527.356:4): avc: denied { rlimitinh } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.365:5): avc: denied { siginh } for pid=1
comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.374:6): avc: denied { noatsecure } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.385:7): avc: denied { getattr } for pid=1
comm="init" name="/" dev="selinuxfs" ino=1
scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t
tclass=filesystem
type=1400 audit(1329556527.419:8): avc: denied { search } for pid=1
comm="init" name="var" dev="sda3" ino=260609
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
tclass=dir
type=1400 audit(1329556527.452:9): avc: denied { rlimitinh } for
pid=615 comm="rc" scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=process
type=1400 audit(1329556527.463:10): avc: denied { siginh } for
pid=615 comm="rc" scontext=system_u:system_r:init_t
tcontext=system_u:system_r:initrc_t tclass=process

....

type=1400 audit(1329552931.276:64): avc: denied { rlimitinh } for
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.276:65): avc: denied { siginh } for
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.276:66): avc: denied { noatsecure } for
pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.555:67): avc: denied { setattr } for pid=7
comm="kdevtmpfs" name="dm-0" dev="devtmpfs" ino=1365
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=1400 audit(1329552931.591:68): avc: denied { rlimitinh } for
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.592:69): avc: denied { siginh } for
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552931.592:70): avc: denied { noatsecure } for
pid=908 comm="dmsetup" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:lvm_t tclass=process
type=1400 audit(1329552932.032:71): avc: denied { read } for pid=711
comm="udevd" name="15" dev="tmpfs" ino=1182
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t
tclass=lnk_file
type=1400 audit(1329552932.032:72): avc: denied { unlink } for
pid=896 comm="udevd" name="15" dev="tmpfs" ino=1182
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t
tclass=lnk_file
type=1400 audit(1329552932.095:73): avc: denied { open } for pid=896
comm="udevd" name="disk\x2fby-id\x2fata-Maxtor_7Y250M0_Y652ABXE-part5"
dev="tmpfs" ino=1173 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir

....

type=1400 audit(1329552936.309:104): avc: denied { read } for
pid=1297 comm="ip" name="console" dev="tmpfs" ino=308
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
type=1400 audit(1329552936.309:105): avc: denied { rlimitinh } for
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:ifconfig_t tclass=process
type=1400 audit(1329552936.309:106): avc: denied { siginh } for
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:ifconfig_t tclass=process
type=1400 audit(1329552936.309:107): avc: denied { noatsecure } for
pid=1297 comm="ip" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:ifconfig_t tclass=process

....

type=1400 audit(1329552936.600:108): avc: denied { write } for
pid=1394 comm="mount" name="/" dev="binfmt_misc" ino=1
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir

....

type=1400 audit(1329552937.232:109): avc: denied { use } for pid=1519
comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308
scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:init_t
tclass=fd
type=1400 audit(1329552937.232:110): avc: denied { read } for
pid=1519 comm="dhcpcd" path="/dev/console" dev="tmpfs" ino=308
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
type=1400 audit(1329552937.232:111): avc: denied { rlimitinh } for
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:dhcpc_t tclass=process
type=1400 audit(1329552937.232:112): avc: denied { siginh } for
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:dhcpc_t tclass=process
type=1400 audit(1329552937.232:113): avc: denied { noatsecure } for
pid=1519 comm="dhcpcd" scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:dhcpc_t tclass=process

....

type=1400 audit(1329552945.165:115): avc: denied { read write } for
pid=1562 comm="hostname" path="socket:[2866]" dev="sockfs" ino=2866
scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t
tclass=unix_stream_socket
type=1400 audit(1329552945.165:116): avc: denied { rlimitinh } for
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.165:117): avc: denied { siginh } for
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.165:118): avc: denied { noatsecure } for
pid=1562 comm="hostname" scontext=system_u:system_r:dhcpc_t
tcontext=system_u:system_r:hostname_t tclass=process
type=1400 audit(1329552945.221:119): avc: denied { execute } for
pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t
tclass=file
type=1400 audit(1329552945.221:120): avc: denied { read open } for
pid=1571 comm="rc-service" name="rc" dev="sda3" ino=390958
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t
tclass=file
type=1400 audit(1329552945.221:121): avc: denied { execute_no_trans }
for pid=1571 comm="rc-service" path="/sbin/rc" dev="sda3" ino=390958
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:rc_exec_t
tclass=file
type=1400 audit(1329552945.225:122): avc: denied { getattr } for
pid=1571 comm="rc" path="/etc/init.d/ntpd" dev="sda3" ino=765
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:initrc_exec_t tclass=file
type=1400 audit(1329552945.244:123): avc: denied { execute } for
pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:initrc_exec_t tclass=file
type=1400 audit(1329552945.244:124): avc: denied { read open } for
pid=1573 comm="rc" name="ntpd" dev="sda3" ino=765
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:initrc_exec_t tclass=file

Thanks
--
Tomas Dobrovolny

Attachments

File name MIME type
kernconfig.pingui.xz application/x-xz
dmesg.pingui.xz application/x-xz
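As an added triage helper (not part of the original post or of Gentoo's tooling), the script below parses AVC denials in the kernel audit format shown above and sorts them into three buckets: the rlimitinh/siginh/noatsecure process-class checks that the reference policy normally dontaudits on domain transitions, denials whose target is file_t (the type unlabeled files fall back to, which points at a filesystem that still needs relabeling), and everything else that needs a policy look. The sample lines are copied from the post's dmesg output with the e-mail line wrapping undone.

```python
import re
from collections import Counter

# Sample input: four AVC lines taken from the post above, rejoined onto one
# line each as dmesg prints them.
SAMPLE = """\
type=1400 audit(1329556527.347:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329556527.356:4): avc: denied { rlimitinh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329556527.419:8): avc: denied { search } for pid=1 comm="init" name="var" dev="sda3" ino=260609 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
type=1400 audit(1329552931.276:64): avc: denied { rlimitinh } for pid=893 comm="pvscan" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:lvm_t tclass=process
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process-class permissions checked on every domain transition; the reference
# policy dontaudits them, so they are noise rather than a real breakage.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}


def parse_avc(line):
    """Return the key=value fields of one AVC line plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """Extract the type component (third field) of a user:role:type[:level] context."""
    return context.split(":")[2]


def classify(avc):
    if avc["tclass"] == "process" and set(avc["perms"]) <= TRANSITION_NOISE:
        return "transition-noise"
    if type_of(avc["tcontext"]) == "file_t":
        return "unlabeled-fs"      # target was never labeled: relabel the filesystem
    return "policy-gap"            # genuine missing rule or wrong label to investigate


def triage(text):
    """Count denials per (bucket, source domain, target type, object class)."""
    summary = Counter()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            key = (classify(avc), type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
            summary[key] += 1
    return summary


if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE).items()):
        print(n, *key)
```

Feed it the whole `dmesg` output instead of SAMPLE to see which denials survive once the transition noise and unlabeled files are set aside.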

Replies

Subject Author
Re: [gentoo-hardened] Switching hardened amd64 to SELinux Sven Vermeulen <swift@g.o>