> So is there anything I can do about this error message? E.g. can I
> adjust the access rights somehow to make it accessible for the source
> context? (I repeat I'm new to SELinux so please tell me if I'm saying
> something stupid.)

Yes! In /etc/security/selinux/src/policy/domains/misc/ add a file
local.te

In this file you can define all your local security policies. Add the
line:

allow { sshd_t } sysadm_tty_device_t:chr_file { read write };

I'll let you find the correlation between this and the avc message :)
You can follow a similar process for all other messages you receive.

~Michael
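The correlation Michael leaves as an exercise is mechanical: the type field of scontext becomes the rule's source, the type field of tcontext the target, tclass the object class, and the braces hold the permissions that were denied. The following Python script is an added example, not code from this thread or from the SELinux policy tree; it does that mapping for a whole batch of avc messages, merging permissions per (source type, target type, class) and skipping "granted" lines. SAMPLE is constructed from messages quoted later in this thread, wrapped and ">"-quoted exactly as they appear in the mail, so the script joins continuation lines before parsing.

```python
import re
from collections import defaultdict

# Constructed sample: avc messages copied from the thread in the wrapped,
# mail-quoted form they arrive in. A record starts with "avc:" and runs
# until the next blank (quote-only) line.
SAMPLE = """\
> > avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom
> > dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t
> > tcontext=system_u:object_r:random_device_t tclass=chr_file
> >
> > avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy
> > scontext=root:sysadm_r:load_policy_t
> > tcontext=system_u:object_r:security_t tclass=security
> >
> > avc: denied { read write } for pid=1281 exe=/usr/sbin/sshd
> > path=/dev/tty1 dev=03:47 ino=575461 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
> >
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
> >
> > avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
"""

# verdict, permission set, and the three context fields we need for a rule
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def unwrap_records(text):
    """Strip mail quote prefixes and join wrapped lines into one string per avc message."""
    records, current = [], []
    for raw in text.splitlines():
        line = re.sub(r"^(\s*>)+\s?", "", raw).strip()
        if line.startswith("avc:"):
            if current:
                records.append(" ".join(current))
            current = [line]
        elif line and current:
            current.append(line)          # continuation of a wrapped message
        elif not line and current:
            records.append(" ".join(current))
            current = []
    if current:
        records.append(" ".join(current))
    return records


def type_of(context):
    """A context in this (non-MLS) policy is user:role:type; the rule needs the type."""
    return context.split(":")[2]


def denials_to_rules(text):
    """Return TE allow rules, one per (source type, target type, class), permissions merged."""
    perms_by_key = defaultdict(set)
    for rec in unwrap_records(text):
        m = AVC_RE.search(rec)
        if not m or m.group("verdict") != "denied":
            continue                       # malformed or already granted: no rule
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        perms_by_key[key].update(m.group("perms").split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE):
        print(rule)
```

Run against the sample, the sshd_t / sysadm_tty_device_t rule it prints is the one given above (the braces around a single source type are optional in TE syntax). Treat the output as a starting point for local.te, then `make reload` as in the thread; read each rule before keeping it, because a denial is a record of what the policy stopped, not proof that the access should be granted. Where the access is harmless noise rather than something the daemon needs, a `dontaudit` rule with the same source, target, class and permissions silences the message without granting anything.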
>
> --jd
>
> Michael Ihde wrote:
> > Jan,
> >
> > I've had the same problem. However, I get quite a few dmesg outputs.
> > From what I can tell SELinux caches the avc messages and only prints out
> > unique ones. When I reload the policy it clears the cache and the
> > messages are printed out again.
> >
> > I've been adding some policies to domains/misc/local.te to try and get
> > it to work. With all the local.te policies removed these are the
> > messages I get using these commands
> >
> > $ dmesg -c
> > $ make reload
> > $ run_init /etc/init.d/sshd restart
> >
> > (From remote machine)
> > ssh <selinux_host>
> >
> > This was run in permissive mode so it did allow a log-in. I've added
> >
> >
> > ~Michael
> >
> >
> > avc: denied { read } for pid=1215 exe=/usr/bin/checkpolicy
> > name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:checkpolicy_t
> > tcontext=system_u:object_r:random_device_t tclass=chr_file
> >
> > avc: denied { read } for pid=1229 exe=/usr/sbin/load_policy
> > name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:load_policy_t
> > tcontext=system_u:object_r:random_device_t tclass=chr_file
> >
> > avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy
> > scontext=root:sysadm_r:load_policy_t
> > tcontext=system_u:object_r:security_t tclass=security
> > security: 3 users, 6 roles, 356 types
> > security: 30 classes, 21122 rules
> >
> > avc: denied { append } for pid=839 exe=/usr/sbin/syslog-ng
> > path=/dev/tty12 dev=03:47 ino=575428
> > scontext=system_u:system_r:syslogd_t
> > tcontext=system_u:object_r:tty_device_t tclass=chr_file
> >
> > avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom
> > dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t
> > tcontext=system_u:object_r:random_device_t tclass=chr_file
> >
> > avc: denied { read write } for pid=1281 exe=/usr/sbin/sshd
> > path=/dev/tty1 dev=03:47 ino=575461 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
> >
> > avc: denied { read } for pid=1284 exe=/sbin/insmod name=urandom
> > dev=03:47 ino=575343 scontext=system_u:system_r:insmod_t
> > tcontext=system_u:object_r:random_device_t tclass=chr_file
> >
> > avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ptyp0
> > dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
> > tcontext=system_u:object_r:device_t tclass=chr_file
> >
> > avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ptyp0
> > dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
> > tcontext=system_u:object_r:device_t tclass=chr_file
> >
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ptyp0
> > dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
> > tcontext=system_u:object_r:device_t tclass=chr_file
> >
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
> >
> > avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
> >
> > avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
> >
> > avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
> >
> > avc: denied { relabelfrom } for pid=1291 exe=/usr/sbin/sshd
> > name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file
> >
> > avc: denied { relabelto } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
> >
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
> >
> > avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
> >
> > avc: denied { read write } for pid=1293 exe=/usr/sbin/sshd
> > path=/dev/ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file
> >
> > avc: denied { ioctl } for pid=1293 exe=/usr/sbin/sshd path=/dev/ttyp0
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file