Gentoo Archives: gentoo-hardened

From: "Ben P." <ben@××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Some Selinux questions on a fresh install
Date: Thu, 21 Feb 2013 20:46:57
Message-Id: 2490355.UkoxDBnvjC@bentablet
Hello everyone

I've put Gentoo-Hardened on a testing computer and been learning a lot about
selinux. Everything works, including X, but I have a few entries in my avc log
that I'm not sure about.

I note that this is running on an encrypted root drive and therefore I need an
initramfs. Dracut wasn't working for me so I rolled my own, which does boot in
enforcing mode (with a few minor errors) so bug 397567 seems to not be
universal. So some of these errors may be due to the initramfs then, although
I'm not sure why, since almost everything is unmounted before switch_root.

avc: denied { read write } for pid=1 comm="init"
path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=5998
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs"
ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t
tclass=filesystem
avc: denied { search } for pid=1 comm="init" name="var" dev="dm-0"
ino=556492 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
tclass=dir
avc: denied { write } for pid=400 comm="cryptsetup" name="read_ahead_kb"
dev="sysfs" ino=14972 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:sysfs_t tclass=file
avc: denied { getattr } for pid=411 comm="mkswap" name="/" dev="selinuxfs"
ino=1 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:security_t
tclass=filesystem
avc: denied { getattr } for pid=20 comm="kdevtmpfs" path="/dm-2"
dev="devtmpfs" ino=6891 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { read } for pid=1019 comm="syslog-ng" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
avc: denied { read write } for pid=1084 comm="unix_chkpwd" path="/dev/tty1"
dev="devtmpfs" ino=1045 scontext=system_u:system_r:chkpwd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" dev="sysfs"
ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t
tclass=dir
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/"
dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t
tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { getattr } for pid=1084 comm="unix_chkpwd"
path="/sys/fs/selinux" dev="selinuxfs" ino=1
scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t
tclass=dir

Particularly, I get a lot of unix_chkpwd denials. There are a few more errors
sometimes:

avc: denied { setattr } for pid=20 comm="kdevtmpfs" name="dm-2"
dev="devtmpfs" ino=1973 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { unlink } for pid=20 comm="kdevtmpfs" name="dm-2"
dev="devtmpfs" ino=1973 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { module_request } for pid=977 comm="sshd" kmod="net-pf-10"
scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:kernel_t
tclass=system
avc: denied { use } for pid=977 comm="sshd" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:sshd_t
tcontext=system_u:system_r:init_t tclass=fd
avc: denied { use } for pid=991 comm="cron" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:crond_t
tcontext=system_u:system_r:init_t tclass=fd
avc: denied { read } for pid=127 comm="rc" name="openrc" dev="dm-0"
ino=591026 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:file_t tclass=lnk_file
avc: denied { read } for pid=354 comm="hwclock" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:hwclock_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
avc: denied { search } for pid=1396 comm="X" name="1395" dev="proc"
ino=3997 scontext=user_u:user_r:xserver_t tcontext=user_u:user_r:user_t
tclass=dir
avc: denied { read } for pid=1396 comm="X" name="cmdline" dev="proc"
ino=3998 scontext=user_u:user_r:xserver_t tcontext=user_u:user_r:user_t
tclass=file
avc: denied { open } for pid=1396 comm="X" path="/proc/1395/cmdline"
dev="proc" ino=3998 scontext=user_u:user_r:xserver_t
tcontext=user_u:user_r:user_t tclass=file


Thoughts?
Thanks

BennyP
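An added example, not part of the post above and not Gentoo's own tooling: a small Python parser that turns AVC records like the ones in the post into structured fields, groups the denials by source context, target context and object class, and attaches a triage hint. It decodes the hex-encoded path in the first record (the kernel audit code emits strings containing spaces or other special characters as unquoted hex, so 2F6465762F... is "/dev/console (deleted)"), and it flags targets whose type is file_t or unlabeled_t, which mean the object carries no label at all (a relabel problem) rather than a missing policy rule. The sample records are copied from the post with their wrapped lines re-joined; the field set, the grouping and the hint wording are assumptions of this example.

```python
"""Parse SELinux AVC denial records and summarise them for triage.

Added example, not from the original mailing-list post. The sample records
are copied from the post (re-joined onto one line each); parsing, grouping
and hint text are this example's own.
"""
import re
from collections import defaultdict

# Sample AVC records as printed in the post, one record per line (constructed
# by re-joining the wrapped lines; values are unchanged).
SAMPLE_AVC = """\
avc: denied { read write } for pid=1 comm="init" path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=5998 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { search } for pid=1 comm="init" name="var" dev="dm-0" ino=556492 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { read write } for pid=1084 comm="unix_chkpwd" path="/dev/tty1" dev="devtmpfs" ino=1045 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { module_request } for pid=977 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:kernel_t tclass=system
"""

# "avc: denied { perms } for key=value key=value ..." (also matches auditd's
# "type=AVC msg=audit(...): avc:  denied  { ... }" form because of .search)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the kernel audit code emits as unquoted hex when the value contains
# spaces or non-printable bytes. Numeric fields (pid, ino) are never decoded.
HEX_FIELDS = {'path', 'name', 'comm', 'exe'}


def _decode_value(key, raw):
    """Strip quotes, or hex-decode an untrusted-string field emitted as hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        try:
            return bytes.fromhex(raw).decode('utf-8')
        except ValueError:
            return raw
    return raw


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, raw in FIELD_RE.findall(m.group('fields')):
        rec[key] = _decode_value(key, raw)
    return rec


def summarise(text):
    """Group denials by (scontext, tcontext, tclass), merging perms and comms."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        g = groups[(rec['scontext'], rec['tcontext'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec.get('comm', '?'))
        g['count'] += 1
    return groups


def triage(groups):
    """Attach a hint per group. file_t/unlabeled_t targets were never labeled."""
    hints = {}
    for key in groups:
        ttype = key[1].split(':')[2]  # user:role:type[:range] -> type
        if ttype in ('file_t', 'unlabeled_t'):
            hints[key] = 'target has no label: relabel the filesystem before touching policy'
        else:
            hints[key] = 'target is labeled: confirm the access is needed before changing policy'
    return hints


if __name__ == '__main__':
    groups = summarise(SAMPLE_AVC)
    hints = triage(groups)
    for key, g in groups.items():
        print(f"{g['count']}x {key[0]} -> {key[1]} ({key[2]}) "
              f"{{ {' '.join(sorted(g['perms']))} }} by {','.join(sorted(g['comms']))}")
        print(f"    {hints[key]}")
```

Run it as-is to see the post's records grouped; feeding it `dmesg` output or `/var/log/audit/audit.log` works the same way, since the parser searches for the `avc:` record inside whatever prefix the logger adds.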

Replies

Subject Author
Re: [gentoo-hardened] Some Selinux questions on a fresh install Sven Vermeulen <swift@g.o>