Hi all,

I just installed a Gentoo box using SELinux (started from stage 1 as specified
in the install instructions), which so far runs OK in permissive mode.
However, the log is full of deny messages. I have not installed any extra
packages or daemons so far...

Many access violations seem to be caused by urandom, by a variety of programs
which intuitively should not have to have anything to do with that, such as
mount or even init. There are also other access violations. Since I am only
using the standard selinux packages provided by gentoo and started from
scratch, I would expect that at least the boot process should work without
causing access violations - so is there something wrong with my system, or is
it really the selinux packages that miss some configuration details? What's
going wrong here?

Some examples from my logs (this is right after reboot and logging in, so I
haven't started any other software; the network card is controlled by dhcpcd, and
I am logged in via SSH, immediately switching to sysadm_r before I do
anything):

****************************************************************

security: 3 users, 6 roles, 362 types
security: 30 classes, 21632 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
SELinux: initialized (dev hda3, type ext3), uses xattr
SELinux: initialized (dev , type devpts), uses transition SIDs
SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
SELinux: initialized (dev , type pipefs), uses task SIDs
SELinux: initialized (dev , type tmpfs), uses transition SIDs
SELinux: initialized (dev , type futexfs), uses genfs_contexts
SELinux: initialized (dev , type sockfs), uses task SIDs
SELinux: initialized (dev , type proc), uses genfs_contexts
SELinux: initialized (dev , type bdev), uses genfs_contexts
SELinux: initialized (dev , type rootfs), uses genfs_contexts
SELinux: initialized (dev , type sysfs), uses genfs_contexts

avc: denied { read } for pid=1 exe=/sbin/init name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=20 exe=/bin/mount name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Adding 546200k swap on /dev/hda2. Priority:-1 extents:1
EXT3 FS on hda3, internal journal

avc: denied { read } for pid=201 exe=/bin/bash name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { search } for pid=201 exe=/bin/bash name=var dev=hda3
ino=48865 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

avc: denied { getattr } for pid=263 exe=/bin/bash path=/tmp dev=hda3
ino=130305 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

avc: denied { write } for pid=263 exe=/bin/bash name=tmp dev=hda3
ino=130305 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

[ some more of that update_modules stuff ]

kjournald starting. Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda5, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda5, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda6, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda6, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda7, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda7, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda9, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda9, type ext3), uses xattr
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
Real Time Clock Driver v1.12

avc: denied { read } for pid=2801 exe=/sbin/pam_console_apply name=urandom
dev=hda3 ino=132208 scontext=system_u:system_r:pam_console_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { getattr } for pid=2801 exe=/sbin/pam_console_apply
path=/dev/ttyS0 dev=hda3 ino=133133 scontext=system_u:system_r:pam_console_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

avc: denied { setattr } for pid=2801 exe=/sbin/pam_console_apply name=ttyS0
dev=hda3 ino=133133 scontext=system_u:system_r:pam_console_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

avc: denied { read } for pid=2906 exe=/sbin/ifconfig name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=3057 exe=/usr/sbin/syslog-ng name=urandom
dev=hda3 ino=132208 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { append } for pid=3058 exe=/usr/sbin/syslog-ng name=tty12
dev=hda3 ino=132293 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { setattr } for pid=3058 exe=/usr/sbin/syslog-ng name=tty12
dev=hda3 ino=132293 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { read } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.cache
dev=hda6 ino=1108010 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_t tclass=file

avc: denied { rename } for pid=3109 exe=/sbin/dhcpcd name=ntp.conf dev=hda3
ino=212197 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_t tclass=file

avc: denied { write } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.cache
dev=hda6 ino=1108010 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_t tclass=file

avc: denied { write } for pid=3109 exe=/sbin/dhcpcd name=dhcpc dev=hda6
ino=895858 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lib_t tclass=dir

avc: denied { remove_name } for pid=3109 exe=/sbin/dhcpcd
name=dhcpcd-eth0.info dev=hda6 ino=895905 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lib_t tclass=dir

avc: denied { rename } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.info
dev=hda6 ino=895905 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lib_t tclass=file

avc: denied { add_name } for pid=3109 exe=/sbin/dhcpcd
name=dhcpcd-eth0.info.old dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=dir

avc: denied { unlink } for pid=3109 exe=/sbin/dhcpcd
name=dhcpcd-eth0.info.old dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file

avc: denied { create } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.info
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file

avc: denied { getattr } for pid=3109 exe=/sbin/dhcpcd
path=/var/lib/dhcpc/dhcpcd-eth0.info dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file

avc: denied { write } for pid=3109 exe=/sbin/dhcpcd
path=/var/lib/dhcpc/dhcpcd-eth0.info dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file
e100: eth0 NIC Link is Up 100 Mbps Full duplex

avc: denied { getattr } for pid=3222 exe=/sbin/agetty path=socket:[3286]
dev= ino=3286 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:getty_t tclass=udp_socket

avc: denied { read } for pid=3224 exe=/bin/bash name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=3297 exe=/usr/bin/newrole name=urandom
dev=hda3 ino=132208 scontext=root:staff_r:newrole_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

*******************************************************************************

As you can see at the very end, even newrole seems to need urandom...

I tried both the current hardened-sources and gentoo-dev-sources, without any
change, and I did all the make relabel stuff according to the manual.

When I then start working with the system, no matter what I do, I keep getting
messages like this, and a lot of them deal with urandom, too.

Thanks in advance,

-- Manuel

--
gentoo-hardened@g.o mailing list
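A flood of AVC denials like the one in this post is easier to reason about once the records are grouped by source domain, target type and permission, and once the targets labelled file_t (unlabelled files, which point at a labelling problem rather than a missing policy rule) are separated from the rest. The following script is an added example, not code from the post or from the Gentoo project: it reassembles records that a mailer has wrapped across several lines, parses them, and summarises them. The sample input is a handful of records copied from the post above; the helper names (join_wrapped, parse_avc, summarize, unlabeled_targets) are my own.

```python
import re
from collections import Counter

# Sample input: four records taken from the post above, still wrapped the
# way the mailer wrapped them, plus some surrounding kernel messages.
SAMPLE_LOG = """\
security: 3 users, 6 roles, 362 types
avc: denied { read } for pid=1 exe=/sbin/init name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=20 exe=/bin/mount name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Adding 546200k swap on /dev/hda2. Priority:-1 extents:1

avc: denied { search } for pid=201 exe=/bin/bash name=var dev=hda3
ino=48865 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

avc: denied { rename } for pid=3109 exe=/sbin/dhcpcd name=ntp.conf dev=hda3
ino=212197 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; the value may be empty (the post has "dev= ino=3286").
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def join_wrapped(lines):
    """Reassemble AVC records that were wrapped across lines.

    A line starting with 'avc:' opens a record; a following line that begins
    with key=value pairs is a continuation of it; anything else (a blank line
    or an unrelated kernel message) closes the record.
    """
    records, current = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("avc:"):
            if current:
                records.append(current)
            current = line
        elif current is not None and line and FIELD_RE.match(line):
            current += " " + line
        else:
            if current:
                records.append(current)
            current = None
    if current:
        records.append(current)
    return records


def parse_avc(record):
    """Return the permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.match(record)
    if not m:
        return None
    parsed = dict(FIELD_RE.findall(m.group("fields")))
    parsed["perms"] = m.group("perms").split()
    return parsed


def context_type(ctx):
    """user:role:type -> type (no MLS field in the contexts from the post)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(text):
    """Count denials by (source type, object class, permission, target type)."""
    counts = Counter()
    for rec in join_wrapped(text.splitlines()):
        p = parse_avc(rec)
        if p is None:
            continue
        for perm in p["perms"]:
            key = (context_type(p["scontext"]), p["tclass"], perm,
                   context_type(p["tcontext"]))
            counts[key] += 1
    return counts


def unlabeled_targets(text):
    """List (source type, object) pairs whose target is file_t.

    file_t is the type of files that carry no label at all, so these denials
    are a sign that a relabel did not reach the object, not that the policy
    lacks a rule for it.
    """
    found = set()
    for rec in join_wrapped(text.splitlines()):
        p = parse_avc(rec)
        if p and context_type(p["tcontext"]) == "file_t":
            found.add((context_type(p["scontext"]), p.get("path") or p.get("name", "?")))
    return sorted(found)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    print("unlabelled targets:", unlabeled_targets(SAMPLE_LOG))
```

Run it over the output of dmesg or the syslog file instead of SAMPLE_LOG to get the same two views of a real log: the counter shows which (domain, permission, target) combinations dominate (here the random_device_t reads), and the file_t list shows where to look at labelling before touching policy.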