On Thursday 13 March 2008 15.20.21 Chris PeBenito wrote:
> On Fri, 2008-02-29 at 22:12 +0700, Michael Metsger wrote:
> > I'm trying to use "selinux/2007.0/hardened/amd64" to make
> > gentoo-hardened with selinux. I started from
> > stage3-amd64-hardened-multilib-2007.0. After update, switch to new
> > profile and again update, booting selinux kernel and relabeling I got
> > a working system with many "avc: denied" messages. Some of them I
> > solved.
> > At this time I don't know how to solve this "avc: denied" correctly:
>
> Did you remerge udev? Most of this is device nodes in udev's /dev that
> are mislabeled.

I can just chime in with a me-too. I've installed an x86 2007.0, though.

A lot of issues could be resolved by manually relabeling following the
discussions in:

http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html

However, the below ones remain, and I don't know what to do about them.

For what it's worth, I have indeed rebuilt udev. In fact, I rebuilt every
single package (ouch!)
_
/Bjorn

audit(1205311345.096:2): policy loaded auid=4294967295
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1205311345.624:4): avc: denied { read } for pid=955 comm="write_root_link" name="console" dev=tmpfs ino=1307 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), not configured for labeling
audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k
audit(1205311359.150:6): avc: denied { write } for pid=2470 comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1205311359.154:7): avc: denied { setattr } for pid=2525 comm="chmod" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1205311362.834:8): avc: denied { search } for pid=3168 comm="syslog-ng" name="lib" dev=hda2 ino=33576422 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
audit(1205311362.834:9): avc: denied { read } for pid=3168 comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
audit(1205311362.834:10): avc: denied { getattr } for pid=3168 comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
eth0: link up, 100Mbps, full-duplex
audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket
audit(1205307770.810:12): avc: denied { create } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
audit(1205307770.810:14): avc: denied { getattr } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
audit(1205307770.810:15): avc: denied { write } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
audit(1205307770.810:16): avc: denied { nlmsg_read } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
audit(1205307770.810:17): avc: denied { read } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
--
gentoo-hardened@l.g.o mailing list
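A small triage helper, added here as an example and not part of the thread or of any Gentoo tool, that parses kernel-log AVC records like the ones in Bjorn's dmesg above and groups them by source type, target type and object class. It tags file-class denials (device_t nodes in udev's /dev, the unlabeled_t securityfs) as labeling candidates, the point Chris makes, and same-domain socket denials (agetty and dhcpcd on their own netlink_route_socket) as policy gaps; that split is an assumed reading heuristic, not an SELinux rule, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the dmesg above (re-joined onto one line
# each) plus one non-AVC kernel line to show that it is skipped.
SAMPLE_LOG = """\
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1205311345.624:4): avc: denied { read } for pid=955 comm="write_root_link" name="console" dev=tmpfs ino=1307 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
audit(1205307770.810:12): avc: denied { create } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
"""
AVC_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; value may be quoted
# Classes whose denials usually mean the *object* is mislabeled rather than that a
# rule is missing: an assumed triage heuristic for reading logs, not an SELinux rule.
FS_CLASSES = {"file", "dir", "chr_file", "blk_file", "lnk_file", "sock_file", "fifo_file", "filesystem"}

def parse_avc(line):
    """Return the AVC fields as a dict, or None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m: return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    return context.split(":")[2]  # user:role:type[:range] -> type

def triage(lines):
    """Group denials by (source type, target type, class) and tag each group."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None: continue
        g = groups[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
        obj = rec.get("path") or rec.get("name")
        if obj: g["objects"].add(obj)
    out = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        if tclass in FS_CLASSES:
            kind = "label"   # check the object's label (restorecon -nv) before touching policy
        elif stype == ttype:
            kind = "policy"  # a domain denied on its own socket: the policy lacks the rule
        else:
            kind = "review"  # cross-domain access: decide case by case
        out.append({"source": stype, "target": ttype, "tclass": tclass, "kind": kind,
                    "count": g["count"], "perms": sorted(g["perms"]),
                    "comms": sorted(g["comms"]), "objects": sorted(g["objects"])})
    return out
```

Feed it the full dmesg (`triage(open("/var/log/dmesg").read().splitlines())`) and the "label" rows are the ones to compare against the policy's file_contexts before any rule is considered.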