On Tue, 2007-03-13 at 16:38 -0400, Mike Edenfield wrote:
> Chris PeBenito wrote:
> > On Tue, 2007-03-06 at 15:33 -0500, Mike Edenfield wrote:
>
> > Sorry for the slow response. These messages are likely due to the
> > static device nodes under a udev /dev.
[cut]
> Thanks for this, and also to the person who wrote the
> previous reply recommending a static /dev. (I meant to
> reply sooner but have been on vacation). This actually
> eliminated a big chunk of my problems.
>
> I'm still hoping someone can point me to a more general
> tutorial on troubleshooting these types of errors. Now that
> I'm trying to get actual services running on the system, I'm
> obviously having more of them, and I don't want to waste
> this list's time trying to explain every one of them to me
> :x Things like this (two of which I assume are being
> generated because I'm running dhcpcd on this machine at boot):
>
> Mar 13 06:39:09 [kernel] audit(1173782339.840:57): avc:
> denied { write } for pid=2775 comm="runscript.sh"
> name="resolv.conf" dev=hda3 ino=1556987
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:net_conf_t tclass=file
>
> Mar 13 06:39:09 [kernel] audit(1173782339.850:58): avc:
> denied { setattr } for pid=2989 comm="chmod"
> name="resolv.conf" dev=hda3 ino=1556987
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:net_conf_t tclass=file
>
> Mar 13 06:39:09 [kernel] audit(1173782348.950:59): avc:
> denied { ptrace } for pid=4000 comm="pidof"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:init_t tclass=process
>
> Mar 13 06:39:09 [kernel] audit(1173782348.950:60): avc:
> denied { ptrace } for pid=4000 comm="pidof"
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:kernel_t tclass=process
>
> Obviously, I can get rid of these by adding rules like this:
>
> allow initrc_t init_t:process ptrace;
> allow initrc_t kernel_t:process ptrace;
> allow initrc_t net_conf_t:file { setattr write };
>
> My question is more theoretical, that is, is there a reason
> why those rules aren't *already* there?

I can't really make general statements about this. It depends on many
factors. Sometimes it's due to a new feature of a package that the
policy does not yet account for. Sometimes checks are added/changed.
Sometimes it's simply a feature or error path that hasn't been covered
yet. The pidof ptrace denials are an example of a check being added.

> Is it normal to have to tweak the policy files right out of the box,
> or after installing a new ebuild, and I should feel "ok" with doing
> it?
62 |
The hope is that it should work out of the box. Since its impossible |
63 |
for us to anticipate all possible conditions or maybe non-standard file |
64 |
locations, a couple may pop up. |
65 |

> Or does it point to a bigger problem with my install that I messed up
> and need to fix?

If those are the only denials you are receiving, I'd say you're in
pretty good shape.

I suspect that the ptrace denials can be dontaudited, i.e.

dontaudit initrc_t init_t:process ptrace;
dontaudit initrc_t kernel_t:process ptrace;

It would be nice to find out more specifically what is going on with the
other two denials, but I suspect that it will be ok to allow. I use
dhcpcd on my server, but don't see this problem.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
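The thread's workflow, read the AVC denials, group them by source type, target type and object class, then decide per check whether to allow it or dontaudit it, is what the following Python script does in miniature. It is an added example written for this page, not code from the thread, from Gentoo or from the reference policy, and it is not a substitute for audit2allow or for building a proper policy module. Its input is the four denials Mike quoted, joined back onto one line each because the mail client wrapped them; the PIDOF_NOISE set encodes Chris's suggestion that the two pidof ptrace checks be silenced rather than granted. The summary it prints first (which comm and which file name triggered each group) is the "find out more specifically what is going on" step: a dontaudit hides the denial entirely, so it should only be used for a check you have confirmed the program does not actually need.

```python
import re
from collections import defaultdict

# The four AVC denials quoted in the thread, re-joined onto one line each.
# Constructed input for this example (the values are the ones Mike posted).
DENIALS = [
    'Mar 13 06:39:09 [kernel] audit(1173782339.840:57): avc: denied { write } '
    'for pid=2775 comm="runscript.sh" name="resolv.conf" dev=hda3 ino=1556987 '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file',
    'Mar 13 06:39:09 [kernel] audit(1173782339.850:58): avc: denied { setattr } '
    'for pid=2989 comm="chmod" name="resolv.conf" dev=hda3 ino=1556987 '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file',
    'Mar 13 06:39:09 [kernel] audit(1173782348.950:59): avc: denied { ptrace } '
    'for pid=4000 comm="pidof" scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:system_r:init_t tclass=process',
    'Mar 13 06:39:09 [kernel] audit(1173782348.950:60): avc: denied { ptrace } '
    'for pid=4000 comm="pidof" scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:system_r:kernel_t tclass=process',
]

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s*denied\s*\{\s*(?P<perms>[^}]+)\}\s*for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type[:range] -> type; the type is what a policy rule names."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the parts of one AVC denial that matter for a rule, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': frozenset(m.group('perms').split()),
        'source': type_of(fields['scontext']),
        'target': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),   # which program tripped the check
        'name': fields.get('name'),   # absent for process targets
    }


def summarize(lines):
    """Group denials by (source, target, class): merged permissions plus the
    commands and object names that triggered them, so each rule can be judged."""
    groups = defaultdict(lambda: {'perms': set(), 'comm': set(), 'name': set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d['source'], d['target'], d['tclass'])]
        g['perms'] |= d['perms']
        if d['comm']:
            g['comm'].add(d['comm'])
        if d['name']:
            g['name'].add(d['name'])
    return dict(groups)


def format_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def generate_rules(lines, dontaudit=frozenset()):
    """One rule per (source, target, class). Any (source, target, class, perm)
    tuple listed in `dontaudit` is silenced instead of granted."""
    rules = []
    for (src, tgt, cls), g in sorted(summarize(lines).items()):
        quiet = {p for p in g['perms'] if (src, tgt, cls, p) in dontaudit}
        grant = g['perms'] - quiet
        for verb, perms in (('allow', grant), ('dontaudit', quiet)):
            if perms:
                rules.append(f'{verb} {src} {tgt}:{cls} {format_perms(perms)};')
    return rules


# Chris's suggestion from the thread: pidof's ptrace probes against init and
# the kernel are noise initrc does not need, so silence them, don't grant them.
PIDOF_NOISE = frozenset({
    ('initrc_t', 'init_t', 'process', 'ptrace'),
    ('initrc_t', 'kernel_t', 'process', 'ptrace'),
})

if __name__ == '__main__':
    for key, g in sorted(summarize(DENIALS).items()):
        print(f"# {key}: comm={sorted(g['comm'])} name={sorted(g['name'])}")
    for rule in generate_rules(DENIALS, PIDOF_NOISE):
        print(rule)
```

Run as-is it prints the per-group summary followed by the two dontaudit rules Chris proposed and the single merged `allow initrc_t net_conf_t:file { setattr write };` for the resolv.conf writes; with an empty `dontaudit` set it reproduces the three allow rules Mike wrote. Feeding it your own `dmesg` or audit log output (each denial on one line) is the way to use it.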