Gentoo Archives: gentoo-hardened

From: Florian Tischler <flo_list2007@×××××.at>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Problem with SELinux policy
Date: Thu, 13 Mar 2008 21:19:30
Message-Id: 200803132219.10917.flo_list2007@floti.at
In Reply to: Re: [gentoo-hardened] Problem with SELinux policy by "Björn Fahller"
On Thursday, 13 March 2008, Björn Fahller wrote:
> On Thursday 13 March 2008 15.20.21 Chris PeBenito wrote:
> > On Fri, 2008-02-29 at 22:12 +0700, Michael Metsger wrote:
> > > I'm trying to use "selinux/2007.0/hardened/amd64" to make
> > > gentoo-hardened with selinux. I started from
> > > stage3-amd64-hardened-multilib-2007.0. After update, switch to new
> > > profile and again update, booting selinux kernel and relabeling I got
> > > a working system with many "avc: denied" messages. Some of them I
> > > solved.
> > > At this time I don't know how to solve this "avc: denied" correctly:
> >
> > Did you remerge udev? Most of this is device nodes in udev /dev are
> > mislabeled.
>
> I can just chime in with a me-too. I've installed an x86 2007.0, though.
>
> A lot of issues could be resolved by manually relabeling following the
> discussions in:
>
> http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html
>
> However, the below ones remain, and I don't know what to do about them.
>
> For what it's worth, I have indeed rebuilt udev. In fact, I rebuilt every
> single package (ouch!)

Hi,

I am trying to use SELinux in a Xen DomU. Profile is also
selinux/2007.0/hardened/amd64. I am using ~amd64 as accept_keywords; I don't
know if this is a good idea when using SELinux.

I get exactly the same error messages as your error messages below, plus a few
additional ones (some of them are probably related to Xen).

I would be very happy if someone could help me fix these issues.

Thanks,
Florian

The additional error messages I get:

audit(1205421548.959:24): avc: denied { getattr } for pid=1561 comm="bash"
name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:proc_xen_t tclass=dir

audit(1205421548.959:25): avc: denied { search } for pid=1561 comm="bash"
name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:proc_xen_t tclass=dir

audit(1205421548.959:26): avc: denied { read } for pid=1561 comm="bash"
name="capabilities" dev=proc ino=4026532943
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t
tclass=file

audit(1205421548.963:27): avc: denied { getattr } for pid=1567 comm="grep"
name="capabilities" dev=proc ino=4026532943
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t
tclass=file

audit(1205421669.862:40): avc: denied { create } for pid=2815 comm="login"
scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:41): avc: denied { bind } for pid=2815 comm="login"
scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:42): avc: denied { getattr } for pid=2815 comm="login"
scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:43): avc: denied { write } for pid=2815 comm="login"
scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:44): avc: denied { nlmsg_read } for pid=2815
comm="login" scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:45): avc: denied { read } for pid=2815 comm="login"
scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

> _
> /Bjorn
>
>
> audit(1205311345.096:2): policy loaded auid=4294967295
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash"
> name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1205311345.624:4): avc: denied { read } for pid=955
> comm="write_root_link" name="console" dev=tmpfs ino=1307
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
> tclass=chr_file
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev securityfs, type securityfs), not configured for
> labeling
> audit(1205311352.640:5): avc: denied { mount } for pid=1756
> comm="mount" name="/" dev=securityfs ino=1
> scontext=system_u:system_r:mount_t
> tcontext=system_u:object_r:unlabeled_t tclass=filesystem
> Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k
> audit(1205311359.150:6): avc: denied { write } for pid=2470
> comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t
> tclass=file
> audit(1205311359.154:7): avc: denied { setattr } for pid=2525
> comm="chmod" name="resolv.conf" dev=hda2 ino=46223216
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t
> tclass=file
> audit(1205311362.834:8): avc: denied { search } for pid=3168
> comm="syslog-ng" name="lib" dev=hda2 ino=33576422
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=dir
> audit(1205311362.834:9): avc: denied { read } for pid=3168
> comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=file
> audit(1205311362.834:10): avc: denied { getattr } for pid=3168
> comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402
> scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> tclass=file
> eth0: link up, 100Mbps, full-duplex
> audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576
> comm="dhcpcd" scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket
> audit(1205307770.810:12): avc: denied { create } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:13): avc: denied { bind } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:14): avc: denied { getattr } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:15): avc: denied { write } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:16): avc: denied { nlmsg_read } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:17): avc: denied { read } for pid=3889
> comm="agetty" scontext=system_u:system_r:getty_t
> tcontext=system_u:system_r:getty_t tclass=netlink_route_socket


--
Florian Tischler
mailto:flo_list2007@×××××.at
icq#11754147
--
gentoo-hardened@l.g.o mailing list
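Triaging a dmesg full of "avc: denied" lines like the ones in this thread is easier once they are grouped the way audit2allow groups them, with Chris PeBenito's point (a target type such as device_t usually means the object is mislabeled, so relabel rather than widen policy) applied as a first-pass verdict. The following is an added example, not code from the thread or from the Gentoo project; the sample records are constructed from the denials quoted above, and the GENERIC_TARGETS heuristic is an assumption made here.

```python
import re
from collections import defaultdict

# Constructed sample: four denials quoted in this thread, each rejoined onto one line.
SAMPLE_AVC = """\
audit(1205421548.959:24): avc: denied { getattr } for pid=1561 comm="bash" name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir
audit(1205421548.959:25): avc: denied { search } for pid=1561 comm="bash" name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir
audit(1205421669.862:40): avc: denied { create } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket
audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: a denial whose target is a generic type usually means the object
# never got its specific label (e.g. /dev nodes left as device_t), so relabel first.
GENERIC_TARGETS = {'device_t', 'unlabeled_t'}

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['stype'] = rec['scontext'].split(':')[2]   # user:role:type -> type
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Merge denials into {(source type, target type, class): sorted perms}."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}

def triage(text):
    """Return (audit2allow-style rule, verdict) per group: 'relabel' when the
    target type is generic, else 'policy' (a rule or boolean is really missing)."""
    out = []
    for (s, t, c), perms in sorted(summarize(text).items()):
        rule = f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        out.append((rule, 'relabel' if t in GENERIC_TARGETS else 'policy'))
    return out
```

Feed the output of `dmesg | grep 'avc: denied'` to `triage()` instead of SAMPLE_AVC to apply it to a real boot; a 'relabel' verdict is a prompt to run the file through restorecon before touching policy.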
