List Archive: gentoo-hardened
Headers:
To: gentoo-hardened@g.o
From: "guo walter" <walter.d.guo.newsgroup@...>
Subject: Re: Re: lots of avcs when running dmesg, is this nomal ?
Date: Thu, 20 Sep 2007 23:55:12 +0800
According to the following, I set "setsebool -P global_ssp 1" and rebooted, but there are still a few AVCs left in "dmesg", such as:

audit(1190258497.269:262): avc:  denied  { read write } for  pid=27657 comm="firefox-bin" name="tty1" dev=tmpfs ino=1197 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
audit(1190258497.269:263): avc:  denied  { execstack } for  pid=27657 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
audit(1190258497.269:264): avc:  denied  { execmod } for  pid=27657 comm="firefox-bin" name="libGL.so.1.2" dev=sda5 ino=189890 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1190258497.769:265): avc:  denied  { setattr } for  pid=27657 comm="firefox-bin" name=".gnome2_private" dev=sda5 ino=791500 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
audit(1190258497.769:266): avc:  denied  { getattr } for  pid=27657 comm="firefox-bin" name="Fonts" dev=sda2 ino=47 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:unlabeled_t tclass=dir


From: Chris PeBenito <pebenito@...>
Subject: Re: global_ssp boolean
Newsgroups: gmane.linux.gentoo.hardened
Date: 2007-06-26 16:41:32 GMT

On Sun, 2007-06-24 at 20:41 -0400, Bill Sharer wrote:
> Chris P and company
> 
> While rummaging through my dmesg's I found a lot of denials related to
> the urandom device and then found the global_ssp boolean when looking at
> stuff through apol.  (20070329 ref policy btw).  Anyway I also saw this
> 
>   http://www.nsa.gov/selinux/list-archive/0603/thread_body35.cfm
> 
> documenting this gentoo-only flag.  The only trouble is that the
> booleans.conf that unpacks with the reference policy has this set to
> false.  Is this worth a trip to bugzilla to write it up?

setsebool -P global_ssp 1

That will enable it and make it so it is set on boot.  The purpose of
booleans is to provide options to the users.

-- 
Chris PeBenito
<pebenito@...>
Developer,
Hardened Gentoo Linux


On 9/13/07, guo walter <walter.d.guo.newsgroup@...> wrote:
> According to the thread, I did the following; now, when running "dmesg", the avc lines are reduced to 200 lines from more than 700 lines initially, a little progress :)
> Here is what I did.
>
> (1) #cp -a /dev /mnt/usb
> (2) cd /mnt/usb/
>     #setfilecon system_u:object_r:console_device_t console
>     #setfilecon system_u:object_r:security_t selinux
> (3) boot from 2005.1 selinux livecd, copy /mnt/usb/dev back
> (4) reboot
>
> On 9/13/07, guo walter <walter.d.guo.newsgroup@...> wrote:
>> Or just a specific directory (don't know which directory) instead of
>>
>> On 9/13/07, guo walter <walter.d.guo.newsgroup@...> wrote:
>>> Thanks for your answer, now it seems more clear. I downloaded hardened-livecd-2005.1.iso, but I can not use rlpkg to re-label directly from the livecd system.
>>>
>>> How about this idea:
>>>    (1) cp -a / to a USB storage disk with a jfs file system
>>>    (2) mount the USB storage jfs file system
>>>    (3) rlpkg -a -r
>>>    (4) boot from the hardened-livecd-2005.1.iso, cp -a the newly labeled system back.
>>> Can these steps solve the problem?
>>>
>>> Walter
>>>
>>> On 9/11/07, Remy Bosch <remybosch@...> wrote:
>>>> guo walter wrote:
>>>>> Yep, my question should be the same thing as the thread, and it seems
>>>>> there is no clear solution by now, is there?
>>>>
>>>> Alas, no. Not as simple as in the past without selinux ;)
>>>> The thing here is that at some point you have a running system, but there
>>>> are a few directories/files that need labeling, which cannot be done
>>>> straightforwardly, because they're used. You need the bare filesystem
>>>> as-is, so mount your root somewhere else and label them as wanted. It
>>>> takes care of the first warnings. After that, you'll have to ask/read
>>>> around as information is a bit fragmented. There isn't a full easy howto
>>>> yet, though there are some very good starting points - sorry, I don't
>>>> have the addresses at hand here.
>>>>
>>>> Good luck,
>>>>
>>>> Remy
>>>> --
>>>> gentoo-hardened@g.o mailing list
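Added example, not part of the thread above: a small Python script that parses AVC records the way they appear in dmesg and sorts them into the three kinds of denial the thread is juggling. The sample input is the five lines quoted in the mail, retyped here as constructed input so the script runs offline; the triage buckets (a target of unlabeled_t means the object needs a label, execstack/execmod class denials are about executable memory rather than labels, everything else is a plain policy gap to review) are this editor's heuristics, not anything from the reference policy or from the people posting.

```python
"""Parse SELinux AVC denials from dmesg text and triage them.

Added example (not code from the mailing-list thread). SAMPLE_DMESG is the
five denials quoted in the mail above, retyped as constructed input. The
bucket names in classify() are the editor's own labels.
"""
import re
from collections import Counter

SAMPLE_DMESG = """\
audit(1190258497.269:262): avc:  denied  { read write } for  pid=27657 comm="firefox-bin" name="tty1" dev=tmpfs ino=1197 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
audit(1190258497.269:263): avc:  denied  { execstack } for  pid=27657 comm="firefox-bin" scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
audit(1190258497.269:264): avc:  denied  { execmod } for  pid=27657 comm="firefox-bin" name="libGL.so.1.2" dev=sda5 ino=189890 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1190258497.769:265): avc:  denied  { setattr } for  pid=27657 comm="firefox-bin" name=".gnome2_private" dev=sda5 ino=791500 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
audit(1190258497.769:266): avc:  denied  { getattr } for  pid=27657 comm="firefox-bin" name="Fonts" dev=sda2 ino=47 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

# One AVC record per line. search() rather than match() so a leading dmesg
# "[   12.345678] " timestamp or a syslog prefix does not break the parse.
AVC_RE = re.compile(
    r"audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; a value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def parse_dmesg(text):
    """All AVC records in a block of dmesg output, in order."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def context_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def classify(rec):
    """Triage bucket for one denial.

    relabel - target type is unlabeled_t: the object carries no label at all,
              so that path or filesystem needs relabeling; no allow rule fixes it.
    memory  - execstack/execmod/execmem/execheap: the program or a library wants
              an executable stack or text relocations; fix the binary or decide
              explicitly to allow it, relabeling is irrelevant here.
    policy  - everything else: an ordinary rule gap to review against the policy
              (e.g. with audit2allow) before deciding whether to allow it.
    """
    if context_type(rec["tcontext"]) == "unlabeled_t":
        return "relabel"
    if MEMORY_PERMS.intersection(rec["perms"]):
        return "memory"
    return "policy"


def summarize(records):
    """Count denials by (source type, target type, class, perms, bucket)."""
    return Counter(
        (context_type(r["scontext"]), context_type(r["tcontext"]),
         r["tclass"], r["perms"], classify(r))
        for r in records if r["verdict"] == "denied"
    )


if __name__ == "__main__":
    for key, n in summarize(parse_dmesg(SAMPLE_DMESG)).most_common():
        src, tgt, tclass, perms, bucket = key
        print(f"{n:4d}  {bucket:8s} {src} -> {tgt} {tclass} {{ {' '.join(perms)} }}")
```

Feeding it real output (`dmesg | python3 avc_triage.py` with the sample replaced by `sys.stdin.read()`) collapses hundreds of repeated lines into a handful of (source, target, class, permission) rows, which is what you actually need to decide whether a relabel, a boolean such as global_ssp, or a policy change is the right fix for each row.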
Replies:
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- Bill Sharer
References:
lots of avcs when running dmesg, is this nomal ?
-- guo walter
Re: lots of avcs when running dmesg, is this nomal ?
-- guo walter
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- Antoine Martin
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- Remy Bosch
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- Bill Sharer
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- guo walter
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- Remy Bosch
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- guo walter
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- guo walter
Re: Re: lots of avcs when running dmesg, is this nomal ?
-- guo walter
Updated Jun 17, 2009

Copyright 2001-2007 Gentoo Foundation, Inc. Questions, Comments? Email www@gentoo.org.