Hello all,

I'm new to SELinux and just upgraded to the new 2.4.22-hardened
sources and other new API stuff... then I found some messages...

dmesg
=====

Linux version 2.4.22-hardened (root@ipx10154) (gcc version 3.3.1 20030927 (Gentoo Linux 3.3.1-r5, propolice)) #2 Sat Nov 1 12:51:01 CET 2003
...
Security Scaffold v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security: Registering secondary module capability
Capability LSM initialized
Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
Inode cache hash table entries: 32768 (order: 6, 262144 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 32768 (order: 5, 131072 bytes)
Page-cache hash table entries: 131072 (order: 7, 524288 bytes)

"There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel", is this an error
that needs to be fixed? And when, how?

make relabel
============

Is it normal that doing this creates the following kernel messages?

avc: denied { read } for pid=1237 exe=/usr/sbin/setfiles dev=03:04 ino=966657 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devfs_state_t tclass=dir
avc: denied { search } for pid=1237 exe=/usr/sbin/setfiles dev=03:04 ino=966657 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devfs_state_t tclass=dir
avc: denied { getattr } for pid=1237 exe=/usr/sbin/setfiles dev=03:04 ino=1785864 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devfs_state_t tclass=file
avc: denied { getattr } for pid=1237 exe=/usr/sbin/setfiles dev=03:04 ino=950350 scontext=root:staff_r:staff_t tcontext=system_u:object_r:devfs_state_t tclass=chr_file
avc: denied { getattr } for pid=1237 exe=/usr/sbin/setfiles dev=03:04 ino=2998639 scontext=root:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir

make initrd
===========

I am getting many many denieds when running this, but it seems that
everything runs fine, because I get a working initrd.gz...

avc: denied { execute } for pid=1255 exe=/usr/bin/make dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
avc: denied { execute_no_trans } for pid=1255 exe=/usr/bin/make path=/sbin/mkinitrd dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
avc: denied { read } for pid=1255 exe=/bin/bash dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
avc: denied { ioctl } for pid=1255 exe=/bin/bash path=/sbin/mkinitrd dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
avc: denied { read } for pid=1272 exe=/bin/gawk-3.1.3 dev=03:04 ino=3473938 scontext=root:staff_r:staff_t tcontext=system_u:object_r:modules_dep_t tclass=file
avc: denied { ioctl } for pid=1272 exe=/bin/gawk-3.1.3 path=/lib/modules/2.4.22-hardened/modules.dep dev=03:04 ino=3473938 scontext=root:staff_r:staff_t tcontext=system_u:object_r:modules_dep_t tclass=file
avc: denied { read } for pid=1333 exe=/sbin/nash dev=03:04 ino=4063265 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
loop: loaded (max 8 devices)
avc: denied { ioctl } for pid=1333 exe=/sbin/nash path=/dev/loop0 dev=03:04 ino=4063265 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { execute } for pid=1335 exe=/bin/bash dev=03:04 ino=1327648 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
avc: denied { execute_no_trans } for pid=1335 exe=/bin/bash path=/sbin/losetup dev=03:04 ino=1327648 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
avc: denied { read } for pid=1335 dev=03:04 ino=1327648 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
avc: denied { write } for pid=1335 exe=/sbin/losetup dev=03:04 ino=4063265 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { ipc_lock } for pid=1335 capability=14 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
avc: denied { mounton } for pid=1341 exe=/bin/mount path=/tmp/initrd.mnt.FpPYhc dev=03:04 ino=2015491 scontext=root:staff_r:staff_t tcontext=root:object_r:staff_tmp_t tclass=dir
SELinux: initialized (dev 07:00, type ext2), uses xattr
avc: denied { rmdir } for pid=1351 exe=/bin/rm dev=07:00 ino=11 scontext=root:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { read } for pid=1353 exe=/bin/cp dev=03:04 ino=2883892 scontext=root:staff_r:staff_t tcontext=system_u:object_r:insmod_exec_t tclass=file
avc: denied { read } for pid=1357 exe=/bin/cp dev=03:04 ino=180315 scontext=root:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=file
avc: denied { read } for pid=1358 exe=/bin/cp dev=03:04 ino=3096678 scontext=root:staff_r:staff_t tcontext=system_u:object_r:load_policy_exec_t tclass=file
avc: denied { mknod } for pid=1359 exe=/bin/mknod capability=27 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
avc: denied { create } for pid=1359 exe=/bin/mknod scontext=root:staff_r:staff_t tcontext=root:object_r:staff_tmp_t tclass=chr_file
avc: denied { create } for pid=1361 exe=/bin/mknod scontext=root:staff_r:staff_t tcontext=root:object_r:staff_tmp_t tclass=blk_file
avc: denied { add_name } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { create } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=dir
avc: denied { setattr } for pid=1371 exe=/bin/tar dev=07:00 ino=11 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=dir
avc: denied { search } for pid=1371 exe=/bin/tar dev=07:00 ino=12 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=dir
avc: denied { write } for pid=1371 exe=/bin/tar dev=07:00 ino=12 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=dir
avc: denied { add_name } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=dir
avc: denied { create } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=file
avc: denied { write } for pid=1371 exe=/bin/tar path=/tmp/initrd.mnt.FpPYhc/bin/nash dev=07:00 ino=13 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=file
avc: denied { setattr } for pid=1371 exe=/bin/tar dev=07:00 ino=13 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=file
avc: denied { create } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=chr_file
avc: denied { setattr } for pid=1371 exe=/bin/tar dev=07:00 ino=22 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=chr_file
avc: denied { create } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=blk_file
avc: denied { setattr } for pid=1371 exe=/bin/tar dev=07:00 ino=24 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=blk_file
avc: denied { create } for pid=1371 exe=/bin/tar scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=lnk_file
avc: denied { setattr } for pid=1371 exe=/bin/tar dev=07:00 ino=33 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=lnk_file
avc: denied { remove_name } for pid=1371 exe=/bin/tar dev=07:00 ino=15 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=dir
avc: denied { unlink } for pid=1371 exe=/bin/tar dev=07:00 ino=15 scontext=root:staff_r:staff_t tcontext=root:object_r:file_t tclass=file
avc: denied { unmount } for pid=1372 exe=/bin/umount scontext=root:staff_r:staff_t tcontext=system_u:object_r:fs_t tclass=filesystem
avc: denied { setattr } for pid=1372 exe=/bin/umount dev=03:04 ino=66119 scontext=root:staff_r:staff_t tcontext=root:object_r:etc_t tclass=file
avc: denied { rename } for pid=1372 exe=/bin/umount dev=03:04 ino=66119 scontext=root:staff_r:staff_t tcontext=root:object_r:etc_t tclass=file
avc: denied { unlink } for pid=1372 exe=/bin/umount dev=03:04 ino=66118 scontext=root:staff_r:staff_t tcontext=system_u:object_r:etc_runtime_t tclass=file
avc: denied { write } for pid=1374 exe=/bin/bash dev=03:01 ino=2 scontext=root:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
avc: denied { add_name } for pid=1374 exe=/bin/bash scontext=root:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
avc: denied { create } for pid=1374 exe=/bin/bash scontext=root:staff_r:staff_t tcontext=root:object_r:boot_t tclass=file
avc: denied { ioctl } for pid=1374 exe=/bin/gzip path=/boot/initrd.gz dev=03:01 ino=30 scontext=root:staff_r:staff_t tcontext=root:object_r:boot_t tclass=file
avc: denied { write } for pid=1374 exe=/bin/gzip path=/boot/initrd.gz dev=03:01 ino=30 scontext=root:staff_r:staff_t tcontext=root:object_r:boot_t tclass=file
avc: denied { unlink } for pid=1375 exe=/bin/rm dev=03:04 ino=2015557 scontext=root:staff_r:staff_t tcontext=root:object_r:staff_tmp_t tclass=chr_file
avc: denied { unlink } for pid=1375 exe=/bin/rm dev=03:04 ino=2015559 scontext=root:staff_r:staff_t tcontext=root:object_r:staff_tmp_t tclass=blk_file

Can you help me with this?

gOA-pSY
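An added example, not part of the original post, that parses the 2.4-era `avc: denied { perm } for pid=... key=value ...` lines quoted above and folds them into (source type, target type, object class) -> permission sets, the same grouping audit2allow uses to summarise a flood of denials; it also tolerates lines without an `exe=` field (the capability denials) and skips non-AVC kernel messages. The sample lines are copied from the post; the `allow` rule string format is assumed from classic policy syntax.

```python
import re
from collections import defaultdict

# 2.4-era AVC message: "avc: denied { perm [perm ...] } for pid=N key=value ..."
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: a handful of lines taken from the post, plus one non-AVC line.
SAMPLE = """\
avc: denied { execute } for pid=1255 exe=/usr/bin/make dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
avc: denied { execute_no_trans } for pid=1255 exe=/usr/bin/make path=/sbin/mkinitrd dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
avc: denied { read } for pid=1255 exe=/bin/bash dev=03:04 ino=3096789 scontext=root:staff_r:staff_t tcontext=system_u:object_r:mkinitrd_exec_t tclass=file
loop: loaded (max 8 devices)
avc: denied { read } for pid=1335 dev=03:04 ino=1327648 scontext=root:staff_r:staff_t tcontext=system_u:object_r:fsadm_exec_t tclass=file
avc: denied { ipc_lock } for pid=1335 capability=14 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
"""


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group(1), "perms": set(m.group(2).split())}
    # scontext/tcontext/tclass are always present in this format; exe/path/capability are optional.
    rec.update(KV_RE.findall(m.group(3)))
    return rec


def aggregate(text):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:type -> type
        ttype = rec["tcontext"].split(":")[2]
        groups[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in groups.items()}


def as_rules(groups):
    """Render each group as a classic allow rule (assumed syntax) for review, not for blind loading."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(groups.items())]


if __name__ == "__main__":
    # Every group shares the source type staff_t, which is the first thing the summary makes visible.
    print("\n".join(as_rules(aggregate(SAMPLE))))
```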