| 1 |
> So is there anything I can do about this error message? E.g. can I |
| 2 |
> adjust the access rights somehow to make it accessible for the source |
| 3 |
> countext? (I repeat I'm new to SELinux so please tell me if I'm saying |
| 4 |
> something stupid.) |
| 5 |
|
| 6 |
Yes! In /etc/security/selinux/src/policy/domains/misc/ add a file |
| 7 |
local.te |
| 8 |
|
| 9 |
In this file you can define all your local security policies. Add the |
| 10 |
line: |
| 11 |
|
| 12 |
allow { sshd_t } sysadm_tty_device_t:chr_file { read write }; |
| 13 |
|
| 14 |
I'll let you find the correlation between this and the avc message :) |
| 15 |
You can follow a similar process for all other messages you receive. |
| 16 |
|
| 17 |
~Michael |
| 18 |
> |
| 19 |
> --jd |
| 20 |
> |
| 21 |
> Michael Ihde wrote: |
| 22 |
> > Jan, |
| 23 |
> > |
| 24 |
> > I've had the same problem. However, I get quite a few dmesg outputs. |
| 25 |
> > ~From what I can tell SELinux caches the avc messages and only prints out |
| 26 |
> > unique ones. When I reload the policy it clears the cache and the |
| 27 |
> > messages are printed out again. |
| 28 |
> > |
| 29 |
> > I've been adding some policies to domains/misc/local.te to try and get |
| 30 |
> > it to work. With all the local.te policies removed these are the |
| 31 |
> > messages I get using these commands |
| 32 |
> > |
| 33 |
> > $ dmesg -c |
| 34 |
> > $ make reload |
| 35 |
> > $ run_init /etc/init.d/sshd restart |
| 36 |
> > |
| 37 |
> > (From remote machine) |
| 38 |
> > ssh <selinux_host> |
| 39 |
> > |
| 40 |
> > This was run in permissive mode so it did allow a log-in. I've added |
| 41 |
> > |
| 42 |
> > |
| 43 |
> > ~Michael |
| 44 |
> > |
| 45 |
> > |
| 46 |
> > avc: denied { read } for pid=1215 exe=/usr/bin/checkpolicy |
| 47 |
> > name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:checkpolicy_t |
| 48 |
> > tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 49 |
> > |
| 50 |
> > avc: denied { read } for pid=1229 exe=/usr/sbin/load_policy |
| 51 |
> > name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:load_policy_t |
| 52 |
> > tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 53 |
> > |
| 54 |
> > avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy |
| 55 |
> > scontext=root:sysadm_r:load_policy_t |
| 56 |
> > tcontext=system_u:object_r:security_t tclass=security |
| 57 |
> > security: 3 users, 6 roles, 356 types |
| 58 |
> > security: 30 classes, 21122 rules |
| 59 |
> > |
| 60 |
> > avc: denied { append } for pid=839 exe=/usr/sbin/syslog-ng |
| 61 |
> > path=/dev/tty12 dev=03:47 ino=575428 |
| 62 |
> > scontext=system_u:system_r:syslogd_t |
| 63 |
> > tcontext=system_u:object_r:tty_device_t tclass=chr_file |
| 64 |
> > |
| 65 |
> > avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom |
| 66 |
> > dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t |
| 67 |
> > tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 68 |
> > |
| 69 |
> > avc: denied { read write } for pid=1281 exe=/usr/sbin/sshd |
| 70 |
> > path=/dev/tty1 dev=03:47 ino=575461 scontext=system_u:system_r:sshd_t |
| 71 |
> > tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file |
| 72 |
> > |
| 73 |
> > avc: denied { read } for pid=1284 exe=/sbin/insmod name=urandom |
| 74 |
> > dev=03:47 ino=575343 scontext=system_u:system_r:insmod_t |
| 75 |
> > tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 76 |
> > |
| 77 |
> > avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ptyp0 |
| 78 |
> > dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t |
| 79 |
> > tcontext=system_u:object_r:device_t tclass=chr_file |
| 80 |
> > |
| 81 |
> > avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ptyp0 |
| 82 |
> > dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t |
| 83 |
> > tcontext=system_u:object_r:device_t tclass=chr_file |
| 84 |
> > |
| 85 |
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ptyp0 |
| 86 |
> > dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t |
| 87 |
> > tcontext=system_u:object_r:device_t tclass=chr_file |
| 88 |
> > |
| 89 |
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 90 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 91 |
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 92 |
> > |
| 93 |
> > avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 94 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 95 |
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 96 |
> > |
| 97 |
> > avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 98 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 99 |
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 100 |
> > |
| 101 |
> > avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ttyp0 |
| 102 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 103 |
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 104 |
> > |
| 105 |
> > avc: denied { relabelfrom } for pid=1291 exe=/usr/sbin/sshd |
| 106 |
> > name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 107 |
> > tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 108 |
> > |
| 109 |
> > avc: denied { relabelto } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 110 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 111 |
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 112 |
> > |
| 113 |
> > avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 114 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 115 |
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 116 |
> > |
| 117 |
> > avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 118 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 119 |
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 120 |
> > |
| 121 |
> > avc: denied { read write } for pid=1293 exe=/usr/sbin/sshd |
| 122 |
> > path=/dev/ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 123 |
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 124 |
> > |
| 125 |
> > avc: denied { ioctl } for pid=1293 exe=/usr/sbin/sshd path=/dev/ttyp0 |
| 126 |
> > dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 127 |
> > tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
Archives