Gentoo Archives: gentoo-hardened

From: Julien Mercay <jmercay@××××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] conversion to selinux fails
Date: Fri, 14 May 2004 18:57:00
Message-Id: 40A51641.7070802@orbeon.com
All,

I converted my Gentoo X86 to selinux, using the QuickStart guide, but
have the following problems when booting with the policies enabled. The
init script can only mount my root filesystem, and drops me to a shell.
Even more strange, my root fs is wrong on the mount table:

# mount
/dev/ROOT on / type xfs (rw,noatime)
none on /selinux type selinuxfs (rw)
none on /proc type proc (rw)

But my root fs is ext3 on /dev/md0 !

I can then mount the other fs manually and start a few services. Looking
at the logs, I see a lot of access denied, but don't understand why they
are not part of the default policies. Here are a few lines of my logs:

May 13 11:20:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:24 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:44 fez avc: denied { read } for pid=1 exe=/sbin/init
path=/dev/initctl dev=09:00 ino=23257
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
tclass=fifo_file
May 13 11:21:44 fez avc: denied { write } for pid=1 exe=/sbin/init
name=log dev=09:00 ino=23258 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=sock_file
May 13 11:33:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:33:49 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:initctl_t tclass=fifo_file
May 13 11:38:21 fez avc: denied { read } for pid=1 exe=/sbin/init
path=/dev/initctl dev=09:00 ino=23257
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:initctl_t
tclass=fifo_file
May 13 11:38:21 fez avc: denied { append } for pid=1 exe=/sbin/init
name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:38:21 fez avc: denied { write } for pid=1 exe=/sbin/init
name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:38:21 fez avc: denied { lock } for pid=1 exe=/sbin/init
path=/var/log/wtmp dev=09:03 ino=466844
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:wtmp_t
tclass=file
May 13 11:31:01 fez avc: denied { relabelto } for pid=2714
exe=/usr/sbin/setfiles name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez avc: denied { getattr } for pid=3966
exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez avc: denied { read } for pid=3966
exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez avc: denied { unlink } for pid=3966
exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:33:47 fez avc: denied { relabelto } for pid=6300
exe=/usr/sbin/setfiles name=mount dev=09:00 ino=20095
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file

And my emerge info for good measure:

Portage 2.0.50-r6 (x86, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25-selinux-r2)
=================================================================
System uname: 2.4.25-selinux-r2 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
Gentoo Base System version 1.4.10
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache loadpolicy sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/"
MAKEOPTS="-j 3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 berkdb crypt cups ldap ncurses pam python readline selinux
slpi ssl tcpd x86 zlib"

Thanks a lot!
Julien

--
gentoo-hardened@g.o mailing list
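As an added example (not part of the original post or of any Gentoo tooling), a small parser for AVC denial lines in the 2.4-era format quoted above, which summarises the denials and flags the two symptoms they show: pid 1 still running as kernel_t (init never domain-transitioned, so the policy was not in effect when /sbin/init was exec'd) and targets labelled file_t / unlabeled_t (the filesystem was never relabelled). The sample log lines are constructed in the same format.

```python
import re
from collections import Counter

# Constructed sample lines in the same "avc: denied" format as the post;
# each record is on one line so a line-oriented parser can handle it.
SAMPLE_LOG = """\
May 13 11:20:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:44 fez avc: denied { write } for pid=1 exe=/sbin/init name=log dev=09:00 ino=23258 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
May 13 11:38:21 fez avc: denied { append } for pid=1 exe=/sbin/init name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:31:01 fez avc: denied { relabelto } for pid=2714 exe=/usr/sbin/setfiles name=mount dev=09:03 ino=305931 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:mount_exec_t tclass=file
"""

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Types that mean the object never received a proper label: file_t is the
# default for files without a security xattr on a labelled filesystem,
# unlabeled_t is for objects the policy could not map at all.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]   # source (process) type
    rec["ttype"] = rec["tcontext"].split(":")[2]   # target (object) type
    return rec


def diagnose(log_text):
    """Count denials per (source type, target type, class, permission) and
    flag the two boot-time problems visible in the post's log."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    summary = Counter((r["stype"], r["ttype"], r["tclass"], p)
                      for r in recs for p in r["perms"])
    findings = set()
    for r in recs:
        # pid 1 in kernel_t: /sbin/init did not transition to its own domain,
        # so every later denial is judged against kernel_t's tiny rule set.
        if r.get("pid") == "1" and r["stype"] == "kernel_t":
            findings.add("init_not_transitioned")
        # file_t / unlabeled_t targets: run the relabel (setfiles) before
        # booting with enforcement, otherwise nothing matches the policy.
        if r["ttype"] in UNLABELED_TYPES:
            findings.add("filesystem_unlabeled")
    return summary, findings
```

Both findings together match the symptoms in the post: with pid 1 stuck in kernel_t even a fully labelled wtmp_t target is denied, so the relabel alone would not fix the boot.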

Replies

Subject Author
Re: [gentoo-hardened] conversion to selinux fails Joshua Brindle <method@g.o>