Gentoo Archives: gentoo-hardened

From: Manuel Nickschas <sputnick@×××.net>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Newly installed - a lot of access probs (esp. urandom)
Date: Sat, 14 Feb 2004 02:34:16
Message-Id: 200402132134.05213.sputnick@gmx.net
Hi all,

I just installed a Gentoo box using SELinux (started from stage 1 as specified
in the install instructions), which so far runs OK in permissive mode.
However, the log is full of deny messages. I have not installed any extra
packages or daemons so far...

Many access violations seem to be caused by urandom, by a variety of programs
which intuitively should not have to have anything to do with that, such as
mount or even init. There are also other access violations. Since I am only
using the standard selinux packages provided by gentoo and started from
scratch, I would expect that at least the boot process should work without
causing access violations - so is there something wrong with my system, or is
it really the selinux packages that miss some configuration details? What's
going wrong here?

Some examples from my logs (this is right after reboot and logging in, so I
haven't started any other software; network card is controlled by dhcpcd, and
I am logged in via SSH, immediately switching to sysadm_r before I do
anything):

****************************************************************

security: 3 users, 6 roles, 362 types
security: 30 classes, 21632 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
SELinux: initialized (dev hda3, type ext3), uses xattr
SELinux: initialized (dev , type devpts), uses transition SIDs
SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
SELinux: initialized (dev , type pipefs), uses task SIDs
SELinux: initialized (dev , type tmpfs), uses transition SIDs
SELinux: initialized (dev , type futexfs), uses genfs_contexts
SELinux: initialized (dev , type sockfs), uses task SIDs
SELinux: initialized (dev , type proc), uses genfs_contexts
SELinux: initialized (dev , type bdev), uses genfs_contexts
SELinux: initialized (dev , type rootfs), uses genfs_contexts
SELinux: initialized (dev , type sysfs), uses genfs_contexts

avc: denied { read } for pid=1 exe=/sbin/init name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=20 exe=/bin/mount name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Adding 546200k swap on /dev/hda2. Priority:-1 extents:1
EXT3 FS on hda3, internal journal

avc: denied { read } for pid=201 exe=/bin/bash name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { search } for pid=201 exe=/bin/bash name=var dev=hda3
ino=48865 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

avc: denied { getattr } for pid=263 exe=/bin/bash path=/tmp dev=hda3
ino=130305 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

avc: denied { write } for pid=263 exe=/bin/bash name=tmp dev=hda3
ino=130305 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir

[ some more of that update_modules stuff ]

kjournald starting. Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda5, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda5, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda6, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda6, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda7, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda7, type ext3), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda9, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda9, type ext3), uses xattr
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
Real Time Clock Driver v1.12

avc: denied { read } for pid=2801 exe=/sbin/pam_console_apply name=urandom
dev=hda3 ino=132208 scontext=system_u:system_r:pam_console_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { getattr } for pid=2801 exe=/sbin/pam_console_apply
path=/dev/ttyS0 dev=hda3 ino=133133 scontext=system_u:system_r:pam_console_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

avc: denied { setattr } for pid=2801 exe=/sbin/pam_console_apply name=ttyS0
dev=hda3 ino=133133 scontext=system_u:system_r:pam_console_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

avc: denied { read } for pid=2906 exe=/sbin/ifconfig name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=3057 exe=/usr/sbin/syslog-ng name=urandom
dev=hda3 ino=132208 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { append } for pid=3058 exe=/usr/sbin/syslog-ng name=tty12
dev=hda3 ino=132293 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { setattr } for pid=3058 exe=/usr/sbin/syslog-ng name=tty12
dev=hda3 ino=132293 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { read } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.cache
dev=hda6 ino=1108010 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_t tclass=file

avc: denied { rename } for pid=3109 exe=/sbin/dhcpcd name=ntp.conf dev=hda3
ino=212197 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_t tclass=file

avc: denied { write } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.cache
dev=hda6 ino=1108010 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_t tclass=file

avc: denied { write } for pid=3109 exe=/sbin/dhcpcd name=dhcpc dev=hda6
ino=895858 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lib_t tclass=dir

avc: denied { remove_name } for pid=3109 exe=/sbin/dhcpcd
name=dhcpcd-eth0.info dev=hda6 ino=895905 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lib_t tclass=dir

avc: denied { rename } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.info
dev=hda6 ino=895905 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:var_lib_t tclass=file

avc: denied { add_name } for pid=3109 exe=/sbin/dhcpcd
name=dhcpcd-eth0.info.old dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=dir

avc: denied { unlink } for pid=3109 exe=/sbin/dhcpcd
name=dhcpcd-eth0.info.old dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file

avc: denied { create } for pid=3109 exe=/sbin/dhcpcd name=dhcpcd-eth0.info
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file

avc: denied { getattr } for pid=3109 exe=/sbin/dhcpcd
path=/var/lib/dhcpc/dhcpcd-eth0.info dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file

avc: denied { write } for pid=3109 exe=/sbin/dhcpcd
path=/var/lib/dhcpc/dhcpcd-eth0.info dev=hda6 ino=895859
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t
tclass=file
e100: eth0 NIC Link is Up 100 Mbps Full duplex

avc: denied { getattr } for pid=3222 exe=/sbin/agetty path=socket:[3286]
dev= ino=3286 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:getty_t tclass=udp_socket

avc: denied { read } for pid=3224 exe=/bin/bash name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=3297 exe=/usr/bin/newrole name=urandom
dev=hda3 ino=132208 scontext=root:staff_r:newrole_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

*******************************************************************************

As you can see at the very end, even newrole seems to need urandom...

I tried both the current hardened-sources and gentoo-dev-sources, without any
change, and I did all the make relabel stuff according to the manual.

When I then start working with the system, no matter what I do, I keep getting
messages like this, and a lot of them deal with urandom, too.

Thanks in advance,

-- Manuel

--
gentoo-hardened@g.o mailing list
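An added example, not code from the post or from the Gentoo SELinux packages: a small parser for AVC denial records of the form shown above. The records come out of the kernel log wrapped over several lines when pasted into mail, so the parser first re-joins continuation lines and then extracts the key=value fields, after which a summary by source type, target type, object class and permission shows at a glance which domains are all hitting the same random_device_t read. The sample input is a handful of records copied from the post; the function names (`parse_avc_log`, `domains_touching`, `summarise`, `allow_rule`) are mine, and `allow_rule` only emits a rule in the same shape audit2allow would, so that you can see what each summary line would cost in policy.

```python
"""Parse and summarise SELinux AVC denial records (wrapped mail-style)."""
import re
from collections import Counter

# A record starts with "avc: denied { perms } for ..." and may continue on
# following lines that begin with another key=value field.
RECORD_START = re.compile(
    r"^avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
CONTINUATION = re.compile(r"^[a-z_]+=")
FIELD = re.compile(r"([a-z_]+)=(\S*)")

# Constructed sample: five records copied from the post, interleaved with
# ordinary kernel lines and wrapped exactly as they appear in the mail.
SAMPLE_LOG = """\
security: 3 users, 6 roles, 362 types
avc: denied { read } for pid=1 exe=/sbin/init name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=20 exe=/bin/mount name=urandom dev=hda3
ino=132208 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
Adding 546200k swap on /dev/hda2. Priority:-1 extents:1
avc: denied { search } for pid=201 exe=/bin/bash name=var dev=hda3
ino=48865 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:file_t tclass=dir
avc: denied { rename } for pid=3109 exe=/sbin/dhcpcd name=ntp.conf dev=hda3
ino=212197 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_t tclass=file
avc: denied { read } for pid=3297 exe=/usr/bin/newrole name=urandom
dev=hda3 ino=132208 scontext=root:staff_r:newrole_t
tcontext=system_u:object_r:random_device_t tclass=chr_file
"""


def rejoin_records(text):
    """Yield each AVC record as one line, re-joining wrapped continuations.

    A blank line or an unrelated kernel message closes the open record.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None and CONTINUATION.match(line):
            current += " " + line
        elif current is not None:
            yield current
            current = None
    if current is not None:
        yield current


def parse_record(line):
    """Turn one re-joined record into a dict of its fields plus 'perms'."""
    m = RECORD_START.match(line)
    rec = {"perms": tuple(m.group("perms").split())}
    rec.update(FIELD.findall(m.group("rest")))
    return rec


def parse_avc_log(text):
    return [parse_record(line) for line in rejoin_records(text)]


def type_of(context):
    """Extract the type from a user:role:type SELinux security context."""
    return context.split(":")[2]


def summarise(records):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            key = (type_of(r["scontext"]), type_of(r["tcontext"]),
                   r["tclass"], perm)
            counts[key] += 1
    return counts


def domains_touching(records, target_type):
    """Sorted source types that were denied access to objects of target_type."""
    return sorted({type_of(r["scontext"]) for r in records
                   if type_of(r["tcontext"]) == target_type})


def allow_rule(key):
    """Render one summary key as the policy rule that would permit it."""
    src, tgt, cls, perm = key
    return f"allow {src} {tgt}:{cls} {perm};"


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_LOG)
    print("domains denied on random_device_t:",
          domains_touching(recs, "random_device_t"))
    for key, n in sorted(summarise(recs).items()):
        print(f"{n:3d}  {allow_rule(key)}")
```

Run against the full log in the post, the random_device_t summary shows the same single permission (read on chr_file) requested from half a dozen unrelated domains, which is the pattern that points at a missing policy macro or a device labelling problem rather than at any one program misbehaving. The rules `allow_rule` prints are only a reading aid; the decision on which, if any, belong in policy is a separate step.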

Replies

Subject Author
Re: [gentoo-hardened] Newly installed - a lot of access probs (esp. urandom) Michael Milverton <camel77@×××××××××××.au>