Gentoo Archives: gentoo-hardened

From: Chris PeBenito <pebenito@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Problem with SELinux policy
Date: Thu, 13 Mar 2008 15:29:37
Message-Id: 1205422071.4986.38.camel@defiant.pebenito.net
In Reply to: Re: [gentoo-hardened] Problem with SELinux policy by "Björn Fahller"
On Thu, 2008-03-13 at 15:26 +0100, Björn Fahller wrote:
> I can just chime in with a me-too. I've installed an x86 2007.0, though.
>
> A lot of issues could be resolved by manually relabeling following the
> discussions in:
>
> http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html
>
> However, the below ones remain, and I don't know what to do about them.
>
> For what it's worth, I have indeed rebuilt udev. In fact, I rebuilt every
> single package (ouch!)
> _
> /Bjorn
>
>
> audit(1205311345.096:2): policy loaded auid=4294967295
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash"
> name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1205311345.624:4): avc: denied { read } for pid=955
> comm="write_root_link" name="console" dev=tmpfs ino=1307
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
> tclass=chr_file

These two will require some investigation to see why there are
mislabeled device nodes at this point (i.e. after udev started).

> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev securityfs, type securityfs), not configured for
> labeling
> audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount"
> name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:unlabeled_t tclass=filesystem

I added this to the upstream policy.

> Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k
> audit(1205311359.150:6): avc: denied { write } for pid=2470
> comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t
> tclass=file
> audit(1205311359.154:7): avc: denied { setattr } for pid=2525 comm="chmod"
> name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:net_conf_t tclass=file

Do you use net-dns/resolvconf-gentoo?

> audit(1205311362.834:8): avc: denied { search } for pid=3168
> comm="syslog-ng" name="lib" dev=hda2 ino=33576422
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=dir
> audit(1205311362.834:9): avc: denied { read } for pid=3168
> comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=file
> audit(1205311362.834:10): avc: denied { getattr } for pid=3168
> comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=file

I'll have to add support for this file to the policy. Is this
created/modified by syslog-ng too?

> eth0: link up, 100Mbps, full-duplex
> audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576
> comm="dhcpcd" scontext=system_u:system_r:dhcpc_t

I'll have to do some investigation on this one.

> tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket
> audit(1205307770.810:12): avc: denied { create } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty"
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=netlink_route_socket
> audit(1205307770.810:14): avc: denied { getattr } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:15): avc: denied { write } for pid=3889 comm="agetty"
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=netlink_route_socket
> audit(1205307770.810:16): avc: denied { nlmsg_read } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:17): avc: denied { read } for pid=3889 comm="agetty"
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=netlink_route_socket

Fixed this upstream too. It's nonfatal, probably just makes the hostname
not resolve in your login banner.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
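A triage helper added here as an example (not from the thread, the Gentoo policy or audit2allow): it parses the kernel-message style AVC lines quoted above, merges them into audit2allow-style allow rules keyed on source type, target type and class, and, following Chris's first comment, sets aside denials whose target is the generic device_t label, since those point to mislabeled device nodes rather than a missing rule. The sample lines are constructed from the denials in the thread; GENERIC_DEVICE_TYPES is an assumption of this example.

```python
import re
from collections import defaultdict

# Kernel-message style AVC line, as quoted in the thread (no "type=AVC" prefix).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Generic label for device nodes udev did not label specifically (assumption of this
# example): a denial against it points to a mislabeled node, not a missing rule.
GENERIC_DEVICE_TYPES = {"device_t"}

# Constructed sample, assembled from the denials quoted in the thread.
SAMPLE = """\
audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1205311345.624:4): avc: denied { read } for pid=955 comm="write_root_link" name="console" dev=tmpfs ino=1307 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
SELinux: initialized (dev securityfs, type securityfs), not configured for labeling
audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
audit(1205307770.810:12): avc: denied { create } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
"""

def parse_avc(line):
    """Return {perms, scontext, tcontext, tclass, ...} for one denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def summarize(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        # The type is the third field of a context: system_u:system_r:initrc_t -> initrc_t
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)

def format_rules(rules):
    """Render aggregated denials as allow rules (a starting point for analysis, not a patch)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def triage(rules):
    """Split rule keys into (check labeling first, candidate policy additions)."""
    labeling, policy = [], []
    for key in sorted(rules):
        (labeling if key[1] in GENERIC_DEVICE_TYPES else policy).append(key)
    return labeling, policy
```

Running `format_rules(summarize(SAMPLE.splitlines()))` collapses the two agetty lines into one `netlink_route_socket` rule, and `triage` lists the `initrc_t`/`device_t` key separately so the /dev/null and /dev/console labels are checked before any rule is written.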
