| 1 |
Dne 20.2.2012 18:22, Sven Vermeulen napsal(a): |
| 2 |
> On Mon, Feb 20, 2012 at 07:17:02AM +0100, TomᨠDobrovolný wrote: |
| 3 |
>> I think, that /dev/console has correct label (on --bind / /mn/gentoo) - |
| 4 |
>> |
| 5 |
>> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20 |
| 6 |
>> 01:34 /mnt/gentoo/dev/console |
| 7 |
> Weird, your previous denial logs showed the following: |
| 8 |
> |
| 9 |
> type=1400 audit(1329556527.347:3): avc: denied { read write } for |
| 10 |
> pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 |
| 11 |
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
| 12 |
> tclass=chr_file |
| 13 |
> |
| 14 |
> Either the mislabeling then was already solved, or the /dev on your root |
| 15 |
> file system isn't the same as the one that init found back then. Can you |
| 16 |
> check if /dev/console has inode 99? |
| 17 |
On my root fs /dev/console has inode 260611. |
| 18 |
|
| 19 |
Inode 99 is /etc/init.d/udev. with system_u:object_r:initrc_exec_t |
| 20 |
|
| 21 |
I try again turn off dontaudit semodule -DB, reboot and the errors are |
| 22 |
still the same (same place, same inodes, same files): |
| 23 |
|
| 24 |
VFS: Mounted root (ext4 filesystem) readonly on device 8:3. |
| 25 |
Freeing unused kernel memory: 416k freed |
| 26 |
grsec: mount of proc to /proc by /sbin/init[init:1] uid/euid:0/0 |
| 27 |
gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0 |
| 28 |
grsec: unmount of proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, |
| 29 |
parent /[swapper:0] uid/euid:0/0 gid/egid:0/0 |
| 30 |
grsec: mount of selinuxfs to /selinux by /sbin/init[init:1] uid/euid:0/0 |
| 31 |
gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0 |
| 32 |
type=1404 audit(1329775199.304:2): enforcing=1 old_enforcing=0 |
| 33 |
auid=4294967295 ses=4294967295 |
| 34 |
SELinux: 2048 avtab hash slots, 25193 rules. |
| 35 |
SELinux: 2048 avtab hash slots, 25193 rules. |
| 36 |
SELinux: 6 users, 6 roles, 1368 types, 80 bools |
| 37 |
SELinux: 81 classes, 25193 rules |
| 38 |
SELinux: Completing initialization. |
| 39 |
SELinux: Setting up existing superblocks. |
| 40 |
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts |
| 41 |
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts |
| 42 |
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts |
| 43 |
SELinux: initialized (dev proc, type proc), uses genfs_contexts |
| 44 |
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs |
| 45 |
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs |
| 46 |
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs |
| 47 |
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts |
| 48 |
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs |
| 49 |
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses |
| 50 |
genfs_contexts |
| 51 |
SELinux: initialized (dev devpts, type devpts), uses transition SIDs |
| 52 |
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs |
| 53 |
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs |
| 54 |
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts |
| 55 |
SELinux: initialized (dev sda3, type ext4), uses xattr |
| 56 |
type=1403 audit(1329775199.361:3): policy loaded auid=4294967295 |
| 57 |
ses=4294967295 |
| 58 |
type=1400 audit(1329775199.365:4): avc: denied { read write } for |
| 59 |
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 |
| 60 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
| 61 |
tclass=chr_file |
| 62 |
type=1400 audit(1329775199.374:5): avc: denied { read write } for |
| 63 |
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 |
| 64 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
| 65 |
tclass=chr_file |
| 66 |
type=1400 audit(1329775199.384:6): avc: denied { read write } for |
| 67 |
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 |
| 68 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
| 69 |
tclass=chr_file |
| 70 |
type=1400 audit(1329775199.393:7): avc: denied { rlimitinh } for |
| 71 |
pid=1 comm="init" scontext=system_u:system_r:kernel_t |
| 72 |
tcontext=system_u:system_r:init_t tclass=process |
| 73 |
type=1400 audit(1329775199.404:8): avc: denied { siginh } for pid=1 |
| 74 |
comm="init" scontext=system_u:system_r:kernel_t |
| 75 |
tcontext=system_u:system_r:init_t tclass=process |
| 76 |
type=1400 audit(1329775199.415:9): avc: denied { noatsecure } for |
| 77 |
pid=1 comm="init" scontext=system_u:system_r:kernel_t |
| 78 |
tcontext=system_u:system_r:init_t tclass=process |
| 79 |
type=1400 audit(1329775199.427:10): avc: denied { getattr } for pid=1 |
| 80 |
comm="init" name="/" dev="selinuxfs" ino=1 |
| 81 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t |
| 82 |
tclass=filesystem |
| 83 |
|
| 84 |
|
| 85 |
Is it correct, that rootfs is mounted without seclabel? |
| 86 |
|
| 87 |
/proc/mounts: |
| 88 |
rootfs / rootfs rw 0 0 |
| 89 |
/dev/root / ext4 |
| 90 |
rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0 |
| 91 |
|
| 92 |
>> But for now I have one avc denials -- the /etc/init.d/sysctl cannot set |
| 93 |
>> kernel parameters, but direct calling of syctl -p can. avc error is: |
| 94 |
>> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21 |
| 95 |
>> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t |
| 96 |
>> tclass=capabilty |
| 97 |
> Hmm... for some reason, refpolicy has explicitly disabled the sys_admin |
| 98 |
> capability for the initrc_t domain: |
| 99 |
> |
| 100 |
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; |
| 101 |
> allow initrc_t self:capability ~{ sys_admin sys_module }; |
| 102 |
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this |
| 103 |
> |
| 104 |
> I'll need to check the commit history to see if there was a particular |
| 105 |
> reason why it is explicitly not set. |
| 106 |
> |
| 107 |
> Wkr, |
| 108 |
> Sven Vermeulen |
| 109 |
> |
| 110 |
|
| 111 |
Maybe to allow it to all init scripts is too strong. It will be better |
| 112 |
to allow it only for specialized scripts ... only one /etc/init.d/sysctl ;-) |
| 113 |
|
| 114 |
-- |
| 115 |
Thanks |
| 116 |
Tomas Dobrovolny |
Archives