| 1 |
On Thursday 13 March 2008 15.20.21 Chris PeBenito wrote: |
| 2 |
> On Fri, 2008-02-29 at 22:12 +0700, Michael Metsger wrote: |
| 3 |
> > I'm trying to use "selinux/2007.0/hardened/amd64" to make |
| 4 |
> > gentoo-hardened with selinux. I started from |
| 5 |
> > stage3-amd64-hardened-multilib-2007.0. After update, switch to new |
| 6 |
> > profile and agin update, booting selinux kernel and relabeling I got |
| 7 |
> > worked system with many "avc: denied" messages. Some of them I |
| 8 |
> > solved. |
| 9 |
> > At this time I don't know how to solve this "avc: denied" correct: |
| 10 |
> |
| 11 |
> Did you remerge udev? Most of this is device nodes in udev /dev are |
| 12 |
> mislabeled. |
| 13 |
|
| 14 |
I can just chime in with a me-too. I've installed an x86 2007.0, though. |
| 15 |
|
| 16 |
A lot of issues could be resolved by manually relabeling following the |
| 17 |
discussions in: |
| 18 |
|
| 19 |
http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html |
| 20 |
|
| 21 |
However, the below ones remain, and I don't know what to do about them. |
| 22 |
|
| 23 |
For what it's worth, I have indeed rebuilt udev. In fact, I rebeilt every |
| 24 |
single package (ouch!) |
| 25 |
_ |
| 26 |
/Bjorn |
| 27 |
|
| 28 |
|
| 29 |
audit(1205311345.096:2): policy loaded auid=4294967295 |
| 30 |
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs |
| 31 |
audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" |
| 32 |
name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t |
| 33 |
tcontext=system_u:object_r:device_t tclass=chr_file |
| 34 |
audit(1205311345.624:4): avc: denied { read } for pid=955 |
| 35 |
comm="write_root_link" name="console" dev=tmpfs ino=1307 |
| 36 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t |
| 37 |
tclass=chr_file |
| 38 |
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs |
| 39 |
SELinux: initialized (dev securityfs, type securityfs), not configured for |
| 40 |
labeling |
| 41 |
audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount" |
| 42 |
name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t |
| 43 |
tcontext=system_u:object_r:unlabeled_t tclass=filesystem |
| 44 |
Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k |
| 45 |
audit(1205311359.150:6): avc: denied { write } for pid=2470 |
| 46 |
comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216 |
| 47 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t |
| 48 |
tclass=file |
| 49 |
audit(1205311359.154:7): avc: denied { setattr } for pid=2525 comm="chmod" |
| 50 |
name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t |
| 51 |
tcontext=system_u:object_r:net_conf_t tclass=file |
| 52 |
audit(1205311362.834:8): avc: denied { search } for pid=3168 |
| 53 |
comm="syslog-ng" name="lib" dev=hda2 ino=33576422 |
| 54 |
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t |
| 55 |
tclass=dir |
| 56 |
audit(1205311362.834:9): avc: denied { read } for pid=3168 |
| 57 |
comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402 |
| 58 |
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t |
| 59 |
tclass=file |
| 60 |
audit(1205311362.834:10): avc: denied { getattr } for pid=3168 |
| 61 |
comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402 |
| 62 |
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t |
| 63 |
tclass=file |
| 64 |
eth0: link up, 100Mbps, full-duplex |
| 65 |
audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576 |
| 66 |
comm="dhcpcd" scontext=system_u:system_r:dhcpc_t |
| 67 |
tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket |
| 68 |
audit(1205307770.810:12): avc: denied { create } for pid=3889 |
| 69 |
comm="agetty" scontext=system_u:system_r:getty_t |
| 70 |
tcontext=system_u:system_r:getty_t tclass=netlink_route_socket |
| 71 |
audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty" |
| 72 |
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t |
| 73 |
tclass=netlink_route_socket |
| 74 |
audit(1205307770.810:14): avc: denied { getattr } for pid=3889 |
| 75 |
comm="agetty" scontext=system_u:system_r:getty_t |
| 76 |
tcontext=system_u:system_r:getty_t tclass=netlink_route_socket |
| 77 |
audit(1205307770.810:15): avc: denied { write } for pid=3889 comm="agetty" |
| 78 |
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t |
| 79 |
tclass=netlink_route_socket |
| 80 |
audit(1205307770.810:16): avc: denied { nlmsg_read } for pid=3889 |
| 81 |
comm="agetty" scontext=system_u:system_r:getty_t |
| 82 |
tcontext=system_u:system_r:getty_t tclass=netlink_route_socket |
| 83 |
audit(1205307770.810:17): avc: denied { read } for pid=3889 comm="agetty" |
| 84 |
scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t |
| 85 |
tclass=netlink_route_socket |
| 86 |
-- |
| 87 |
gentoo-hardened@l.g.o mailing list |
Archives