xake@×××××××××.net wrote:
>> type=1400 audit(1208682664.167:223): avc: denied { read write } for
>> pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083
>> scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t
>> tclass=file
>>
>
> This is just an error about hwclock being unable to write to "faillog", so
> there must be something that goes wrong (making hwclock want to write to
> faillog).
>
>
>> I also got this error:
>> type=1400 audit(1208679707.497:84): avc: denied { read } for
>> pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059
>> scontext=root:system_r:hwclock_t
>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
>>
>> However, I think I solved it by issuing the commands "setsebool -P
>> global_ssp 1" and "load_policy".
>>
>
> This is because you have the hardened toolchain, compiling everything with
> PIE/SSP by default. SSP wants a random number (picked from /dev/urandom)
> when the binaries start. SELinux disables access to urandom by default, so
> you have to (as you did with setsebool) tell SELinux that your system is
> compiled with SSP and thus the access to urandom should be permitted.
>
>
Yes, this has been solved with setsebool. However, I still get the second
error (related to faillog). It also blocks distccd like this (even if
the corresponding SELinux policy is loaded):
type=1400 audit(1208681304.633:191): avc: denied { read write } for
pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083
scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t
tclass=file

Do you know how to solve this second type of error?
Thanks for your help.

François Valenduc

--
gentoo-hardened@l.g.o mailing list
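The three AVC denials quoted in this thread are the raw material for two different fixes: the urandom read is covered by the refpolicy `global_ssp` boolean (the fix the reply describes), while the faillog accesses have no boolean and would need either a root-cause fix or a local policy module. The script below is an added example, not code from the thread or from the Gentoo hardened project: it parses AVC denial lines of the form shown above, splits them into "covered by a known boolean" and "needs an allow rule", and emits the allow rules in the same shape `audit2allow` would. The `BOOLEAN_HINTS` table, the function names and the treatment of the three log lines as test input are assumptions made for this example.

```python
import re
from collections import defaultdict

# The three denials from the thread, used here as constructed sample input.
AVC_LOG = """\
type=1400 audit(1208682664.167:223): avc: denied { read write } for pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t tclass=file
type=1400 audit(1208679707.497:84): avc: denied { read } for pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=1400 audit(1208681304.633:191): avc: denied { read write } for pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denials that refpolicy already covers with a boolean (assumed table for this
# example; global_ssp is the boolean named in the thread for SSP's urandom read).
BOOLEAN_HINTS = {
    ("urandom_device_t", "chr_file"): "global_ssp",
}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # user:role:type[:range]; the type is always the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials_to_allow_rules(log_text):
    """Group denials by (source type, target type, class) and emit TE allow
    rules, merging permissions the way audit2allow does."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for stype, ttype, tclass in sorted(grouped):
        perms = " ".join(sorted(grouped[(stype, ttype, tclass)]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


def triage(log_text):
    """Split denials into (allow rules needed, setsebool commands that cover
    the rest). A boolean hint only applies when the denied permission set is
    what the boolean grants (read-only access to urandom here)."""
    booleans = set()
    uncovered = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        hint = BOOLEAN_HINTS.get((rec["ttype"], rec["tclass"]))
        if hint and set(rec["perms"]) <= {"read"}:
            booleans.add(f"setsebool -P {hint} 1")
        else:
            uncovered.append(line)
    return denials_to_allow_rules("\n".join(uncovered)), sorted(booleans)


if __name__ == "__main__":
    rules, bools = triage(AVC_LOG)
    print("# covered by booleans:")
    for b in bools:
        print(b)
    print("# would need a local module (check the cause first):")
    for r in rules:
        print(r)
```

Feeding the raw denials to `audit2allow -M localfix` and loading the result with `semodule -i localfix.pp` produces the same two faillog rules, but the reply in the thread makes the point that matters: neither hwclock nor distccd has any business opening /var/log/faillog, so an allow rule would paper over whatever is making them do it rather than fix it. Treat the emitted rules as a diagnosis of which domains are misbehaving, and reach for a module only after the cause is understood.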