All,

I converted my Gentoo X86 to selinux, using the QuickStart guide, but
have the following problems when booting with the policies enabled. The
init script can only mount my root filesystem, and drop me to a shell.
Even more strange, my root fs is wrong on the mount table:

# mount
/dev/ROOT on / type xfs (rw,noatime)
none on /selinux type selinuxfs (rw)
none on /proc type proc (rw)

But my root fs is ext3 on /dev/md0!

I can then mount the other fs manually and start a few services. Looking
at the logs, I see a lot of access denied, but don't understand why they
are not part of the default policies. Here are a few lines of my logs:

May 13 11:20:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:24 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:44 fez avc: denied { read } for pid=1 exe=/sbin/init
path=/dev/initctl dev=09:00 ino=23257
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
tclass=fifo_file
May 13 11:21:44 fez avc: denied { write } for pid=1 exe=/sbin/init
name=log dev=09:00 ino=23258 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=sock_file
May 13 11:33:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:33:49 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:initctl_t tclass=fifo_file
May 13 11:38:21 fez avc: denied { read } for pid=1 exe=/sbin/init
path=/dev/initctl dev=09:00 ino=23257
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:initctl_t
tclass=fifo_file
May 13 11:38:21 fez avc: denied { append } for pid=1 exe=/sbin/init
name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:38:21 fez avc: denied { write } for pid=1 exe=/sbin/init
name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:38:21 fez avc: denied { lock } for pid=1 exe=/sbin/init
path=/var/log/wtmp dev=09:03 ino=466844
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:wtmp_t
tclass=file
May 13 11:31:01 fez avc: denied { relabelto } for pid=2714
exe=/usr/sbin/setfiles name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez avc: denied { getattr } for pid=3966
exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez avc: denied { read } for pid=3966
exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez avc: denied { unlink } for pid=3966
exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:33:47 fez avc: denied { relabelto } for pid=6300
exe=/usr/sbin/setfiles name=mount dev=09:00 ino=20095
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:mount_exec_t tclass=file

And my emerge info for good measure:

Portage 2.0.50-r6 (x86, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25-selinux-r2)
=================================================================
System uname: 2.4.25-selinux-r2 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
Gentoo Base System version 1.4.10
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache loadpolicy sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/"
MAKEOPTS="-j 3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 berkdb crypt cups ldap ncurses pam python readline selinux
slpi ssl tcpd x86 zlib"

Thanks a lot!
Julien

--
gentoo-hardened@g.o mailing list
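The denials quoted in the mail are easier to reason about once they are grouped by source type, target type and object class, which is how audit2allow aggregates them before proposing rules. The following Python is an added example, not part of the original mail or of any Gentoo tool; the log text it embeds is a constructed sample taken from three of the records above, still wrapped across lines the way the mail client left them, so the parser first re-joins each record.

```python
import re
from collections import defaultdict

# Constructed sample: three records from the post, wrapped as the mail client left them.
SAMPLE_LOG = """\
May 13 11:20:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:38:21 fez avc: denied { append } for pid=1 exe=/sbin/init
name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:38:21 fez avc: denied { write } for pid=1 exe=/sbin/init
name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:wtmp_t tclass=file
"""
RECORD_START = re.compile(r"avc: +denied +\{ *([^}]*?) *\} +for ")

def unwrap_records(text):
    """A record starts at a line holding 'avc: denied'; other non-empty lines continue it."""
    records = []
    for line in text.splitlines():
        if "avc:" in line and "denied" in line:
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return the key=value fields plus the permission set, or None for a non-AVC line."""
    m = RECORD_START.search(record)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", record[m.end():]))
    fields["perms"] = set(m.group(1).split())
    return fields

def summarize(text):
    """Group denials by (source type, target type, class); the type is the third context field."""
    summary = defaultdict(set)
    for rec in unwrap_records(text):
        f = parse_avc(rec)
        if not f or any(k not in f for k in ("scontext", "tcontext", "tclass")):
            continue
        stype, ttype = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
        summary[(stype, ttype, f["tclass"])] |= f["perms"]
    return dict(summary)

def as_rules(summary):
    # Render in allow-rule syntax for review; this is a reading aid, not policy to load blindly.
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]
```

The grouped view makes the pattern in the post obvious: every source type is kernel_t, including the denials for pid 1, whereas /sbin/init is expected to be running in init_t once the policy is loaded, so that transition is the first thing to check before adding any rule.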