On Thu, 2008-03-13 at 15:26 +0100, Björn Fahller wrote:
> I can just chime in with a me-too. I've installed an x86 2007.0, though.
>
> A lot of issues could be resolved by manually relabeling following the
> discussions in:
>
> http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html
>
> However, the below ones remain, and I don't know what to do about them.
>
> For what it's worth, I have indeed rebuilt udev. In fact, I rebuilt every
> single package (ouch!)
> _
> /Bjorn
>
>
> audit(1205311345.096:2): policy loaded auid=4294967295
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash"
> name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1205311345.624:4): avc: denied { read } for pid=955
> comm="write_root_link" name="console" dev=tmpfs ino=1307
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
> tclass=chr_file

These two will require some investigation to see why there are
mislabeled device nodes at this point (i.e. after udev started).

> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev securityfs, type securityfs), not configured for
> labeling
> audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount"
> name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:unlabeled_t tclass=filesystem

I added this to the upstream policy.

> Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k
> audit(1205311359.150:6): avc: denied { write } for pid=2470
> comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t
> tclass=file
> audit(1205311359.154:7): avc: denied { setattr } for pid=2525 comm="chmod"
> name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:net_conf_t tclass=file

Do you use net-dns/resolvconf-gentoo?

> audit(1205311362.834:8): avc: denied { search } for pid=3168
> comm="syslog-ng" name="lib" dev=hda2 ino=33576422
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=dir
> audit(1205311362.834:9): avc: denied { read } for pid=3168
> comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=file
> audit(1205311362.834:10): avc: denied { getattr } for pid=3168
> comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=file

I'll have to add support for this file to the policy. Is this
created/modified by syslog-ng too?

> eth0: link up, 100Mbps, full-duplex
> audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576
> comm="dhcpcd" scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket

I'll have to do some investigation on this one.

> audit(1205307770.810:12): avc: denied { create } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty"
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=netlink_route_socket
> audit(1205307770.810:14): avc: denied { getattr } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:15): avc: denied { write } for pid=3889 comm="agetty"
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=netlink_route_socket
> audit(1205307770.810:16): avc: denied { nlmsg_read } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:17): avc: denied { read } for pid=3889 comm="agetty"
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=netlink_route_socket

Fixed this upstream too. It's nonfatal, probably just makes the hostname
not resolve in your login banner.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
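The thread above sorts the denials by hand into "mislabeled object" cases (the device_t nodes) and "policy gap" cases (the syslog-ng file, the getty_t netlink socket). As an added example, not code from the list, from either poster, or from the Gentoo Hardened policy, the Python below parses AVC records in the dmesg/audit format quoted above and does the first sorting pass mechanically: it counts denials per (source type, target type, class, permission) and separates out the denials where a domain is denied access to its own context (scontext == tcontext), which no relabeling can fix. The sample records are the ones quoted above, re-joined onto one line each where the mailer had wrapped them; the function and variable names are my own.

```python
"""Triage helper for SELinux AVC denial records in the dmesg/audit format
quoted in this thread.

Added example, not code from the list, from the posters, or from the
Gentoo Hardened policy. SAMPLE holds the records quoted above, re-joined
onto one line each (the mailer had wrapped them).
"""
import re
from collections import Counter, defaultdict

# "audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*denied\s*'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either "quoted" (comm, name, path) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE = [
    'audit(1205311345.096:2): policy loaded auid=4294967295',
    'SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs',
    'audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" '
    'name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:object_r:device_t tclass=chr_file',
    'audit(1205311345.624:4): avc: denied { read } for pid=955 '
    'comm="write_root_link" name="console" dev=tmpfs ino=1307 '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t '
    'tclass=chr_file',
    'audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount" '
    'name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t '
    'tcontext=system_u:object_r:unlabeled_t tclass=filesystem',
    'audit(1205311362.834:10): avc: denied { getattr } for pid=3168 '
    'comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402 '
    'scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t '
    'tclass=file',
    'audit(1205307770.810:12): avc: denied { create } for pid=3889 '
    'comm="agetty" scontext=system_u:system_r:getty_t '
    'tcontext=system_u:system_r:getty_t tclass=netlink_route_socket',
    'audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty" '
    'scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t '
    'tclass=netlink_route_socket',
]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line
    (e.g. 'policy loaded' or 'SELinux: initialized' messages)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def ctx_type(context):
    """Type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Count denials by (source type, target type, class, permission).
    Each key is one distinct rule the policy would need, which is the unit
    you reason about when deciding between a relabel and a policy change."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
                    rec["tclass"], perm)] += 1
    return counts


def self_denials(lines):
    """Denials where scontext == tcontext, like the agetty netlink socket
    above. A process's own context is not a file label, so restorecon cannot
    change it: these are always policy gaps (a rule on 'self'), never
    mislabeled objects."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("scontext") == rec.get("tcontext"):
            perms[(ctx_type(rec["scontext"]), rec["tclass"])].update(rec["perms"])
    return {key: sorted(v) for key, v in perms.items()}


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print("%3d  %s -> %s : %s { %s }" % (n, *key))
    print("self denials (policy gaps):", self_denials(SAMPLE))
```

For a live system the same parser can be fed the output of `dmesg` or of `ausearch -m avc` instead of SAMPLE. The grouping it produces is the same one audit2allow works from; the point of doing it by hand is to look at the target types before turning the counts into allow rules, since a denial on device_t or unlabeled_t usually means the object never got its proper label, and adding a rule would only paper over that.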