Gentoo Archives: gentoo-hardened

From: "François Valenduc" <francois.valenduc@××××××××××.be>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] hwclock and selinux
Date: Sun, 20 Apr 2008 10:12:09
Message-Id: 480B16F7.3090908@tvcablenet.be
In Reply to: Re: [gentoo-hardened] hwclock and selinux by xake@rymdraket.net
xake@×××××××××.net wrote:
>> type=1400 audit(1208682664.167:223): avc: denied { read write } for
>> pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083
>> scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t
>> tclass=file
>>
>
> This is just an error about hwclock being unable to write to "faillog" so
> there must be something that goes wrong (making hwclock want to write to
> faillog).
>
>
>> I also got this error:
>> type=1400 audit(1208679707.497:84): avc: denied { read } for
>> pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059
>> scontext=root:system_r:hwclock_t
>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
>>
>> However, I think I solved it by issuing the commands "setsebool -P
>> global_ssp 1" and "load_policy"
>>
>
> This is because you have the hardened toolchain, compiling everything with
> PIE/SSP by default. SSP wants a random number (picked from /dev/urandom)
> when the binaries start. SELinux disables access to urandom by default so
> you have to (as you did with sebool) tell SELinux that your system is
> compiled with SSP and thus the access to urandom should be permitted.
>
>
Yes, this has been solved with sebool. However, I still got the second
error (related to faillog). It also blocks distccd like this (even if
the corresponding SELinux policy is loaded):
type=1400 audit(1208681304.633:191): avc: denied { read write } for
pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083
scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t
tclass=file

Do you know how to solve this second type of error?
Thanks for your help.

François Valenduc

--
gentoo-hardened@l.g.o mailing list
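An added example, not from the thread or from any Gentoo or SELinux tool: a small Python parser that groups AVC denials like the ones above by source type, target type, object class and permissions, then marks which groups the global_ssp boolean mentioned in the thread accounts for and which need a policy review. The sample records are the thread's three denials re-joined onto one line each; the boolean-to-denial mapping is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the thread,
# each re-joined onto a single line (mail clients wrap audit records).
SAMPLE_AUDIT = """\
type=1400 audit(1208682664.167:223): avc: denied { read write } for pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t tclass=file
type=1400 audit(1208679707.497:84): avc: denied { read } for pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=1400 audit(1208681304.633:191): avc: denied { read write } for pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed mapping for illustration: (target type, class, perms) -> boolean that
# is expected to allow it. global_ssp is the boolean the thread itself names.
BOOLEAN_HINTS = {('urandom_device_t', 'chr_file', ('read',)): 'global_ssp'}


def parse_avc(line):
    """Parse one AVC denial record into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = tuple(m.group('perms').split())
    # user:role:type[:range] -- the type is always the third component.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(text):
    """Group denials by (source type, target type, class, perms) -> set of comm names."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['source_type'], rec['target_type'],
                    rec['tclass'], rec['perms'])].add(rec['comm'])
    return dict(groups)


def classify(groups):
    """Label each group 'boolean:<name>' if a known boolean covers it, else 'needs-policy-review'."""
    out = {}
    for src, tgt, cls, perms in groups:
        hint = BOOLEAN_HINTS.get((tgt, cls, perms))
        out[(src, tgt, cls, perms)] = f'boolean:{hint}' if hint else 'needs-policy-review'
    return out


if __name__ == '__main__':
    for key, label in classify(summarize(SAMPLE_AUDIT)).items():
        print(key, '->', label)
```

With the sample input, the urandom read is attributed to global_ssp while both faillog denials are flagged for policy review, which is the distinction the thread is asking about.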

Replies

Subject Author
Re: [gentoo-hardened] hwclock and selinux Chris PeBenito <pebenito@g.o>