On 20.2.2012 18:22, Sven Vermeulen wrote:
> On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
>> I think that /dev/console has the correct label (on --bind / /mnt/gentoo) -
>>
>> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20 01:34 /mnt/gentoo/dev/console
> Weird, your previous denial logs showed the following:
>
> type=1400 audit(1329556527.347:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
>
> Either the mislabeling then was already solved, or the /dev on your root
> file system isn't the same as the one that init found back then. Can you
> check if /dev/console has inode 99?
On my root fs /dev/console has inode 260611.

Inode 99 is /etc/init.d/udev, with system_u:object_r:initrc_exec_t.

I tried again to turn off dontaudit (semodule -DB) and reboot, and the errors are
still the same (same place, same inodes, same files):

VFS: Mounted root (ext4 filesystem) readonly on device 8:3.
Freeing unused kernel memory: 416k freed
grsec: mount of proc to /proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: unmount of proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: mount of selinuxfs to /selinux by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
type=1404 audit(1329775199.304:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 6 users, 6 roles, 1368 types, 80 bools
SELinux: 81 classes, 25193 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev sda3, type ext4), uses xattr
type=1403 audit(1329775199.361:3): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1329775199.365:4): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.374:5): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.384:6): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.393:7): avc: denied { rlimitinh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.404:8): avc: denied { siginh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.415:9): avc: denied { noatsecure } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.427:10): avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=filesystem


Is it correct that rootfs is mounted without seclabel?

/proc/mounts:
rootfs / rootfs rw 0 0
/dev/root / ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0

>> But for now I have one avc denial -- /etc/init.d/sysctl cannot set
>> kernel parameters, but calling sysctl -p directly can. The avc error is:
>> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
>> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
>> tclass=capabilty
> Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
> capability for the initrc_t domain:
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
>
> I'll need to check the commit history to see if there was a particular
> reason why it is explicitly not set.
>
> Wkr,
> Sven Vermeulen
>

Maybe allowing it for all init scripts is too strong. It would be better
to allow it only for specialized scripts ... only one, /etc/init.d/sysctl ;-)

-- 
Thanks
Tomas Dobrovolny
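The denials quoted in this thread can be triaged mechanically. The script below is an added example, not code from the thread or from refpolicy: it parses AVC records like the ones above (the sample lines are constructed from the messages, with the mail-wrapped records re-joined), collapses repeats, and flags the two things the discussion turns on: objects reported with dev="rootfs", which sit on the kernel's initial rootfs rather than on the ext4 root mounted over it, and capability=21, which is CAP_SYS_ADMIN.

```python
import re
from collections import Counter

# Sample AVC records constructed from the messages above (mail-wrapped records re-joined).
SAMPLE_AUDIT = """\
type=1400 audit(1329775199.365:4): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.374:5): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
type=1400 audit(1329775199.393:7): avc: denied { rlimitinh } for pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=process
avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=capability
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial (plus 'perms'), or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = tuple(m.group('perms').split())
    return fields

def triage(audit_text):
    """Collapse repeated denials and annotate the ones this thread is about."""
    counts, first_seen = Counter(), {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = tuple(d.get(f) for f in ('scontext', 'tcontext', 'tclass', 'perms', 'dev', 'ino', 'capability'))
        counts[key] += 1
        first_seen.setdefault(key, d)
    report = []
    for key, n in counts.items():
        d = first_seen[key]
        notes = []
        if d.get('dev') == 'rootfs':
            # dev="rootfs" is the kernel's initial rootfs (labelled via genfs_contexts, see the boot log);
            # the object is not on the ext4 root mounted over it, so relabelling that filesystem cannot fix it.
            notes.append('object on initial rootfs (not the real root fs)')
        if d.get('tclass') == 'capability' and d.get('capability') == '21':
            notes.append('CAP_SYS_ADMIN requested')  # capability numbers follow linux/capability.h
        report.append({'count': n, 'scontext': d.get('scontext'), 'tcontext': d.get('tcontext'),
                       'tclass': d.get('tclass'), 'perms': d['perms'], 'notes': notes})
    return report
```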