On Thursday, 13 March 2008, Björn Fahller wrote:

> On Thursday 13 March 2008 15.20.21 Chris PeBenito wrote:
> > On Fri, 2008-02-29 at 22:12 +0700, Michael Metsger wrote:
> > > I'm trying to use "selinux/2007.0/hardened/amd64" to make
> > > gentoo-hardened with selinux. I started from
> > > stage3-amd64-hardened-multilib-2007.0. After update, switch to new
> > > profile and again update, booting selinux kernel and relabeling I got
> > > a working system with many "avc: denied" messages. Some of them I
> > > solved.
> > > At this time I don't know how to solve this "avc: denied" correctly:
> >
> > Did you remerge udev? Most of this is device nodes in udev /dev are
> > mislabeled.
>
> I can just chime in with a me-too. I've installed an x86 2007.0, though.
>
> A lot of issues could be resolved by manually relabeling following the
> discussions in:
>
> http://www.mail-archive.com/gentoo-hardened%40lists.gentoo.org/msg01610.html
>
> However, the below ones remain, and I don't know what to do about them.
>
> For what it's worth, I have indeed rebuilt udev. In fact, I rebuilt every
> single package (ouch!)

Hi,

I am trying to use SELinux in a Xen DomU. Profile is also
selinux/2007.0/hardened/amd64. I am using ~amd64 as accept_keywords, don't
know if this is a good idea when using selinux.

I get exactly the same error messages as your error messages below + a few
additional ones. (some of them are probably related to xen)

I would be very happy if someone could help me fix these issues.

Thanks,
Florian

The additional error messages I get:

audit(1205421548.959:24): avc: denied { getattr } for pid=1561 comm="bash" name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir

audit(1205421548.959:25): avc: denied { search } for pid=1561 comm="bash" name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir

audit(1205421548.959:26): avc: denied { read } for pid=1561 comm="bash" name="capabilities" dev=proc ino=4026532943 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

audit(1205421548.963:27): avc: denied { getattr } for pid=1567 comm="grep" name="capabilities" dev=proc ino=4026532943 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=file

audit(1205421669.862:40): avc: denied { create } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:41): avc: denied { bind } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:42): avc: denied { getattr } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:43): avc: denied { write } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:44): avc: denied { nlmsg_read } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

audit(1205421669.862:45): avc: denied { read } for pid=2815 comm="login" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

> _
> /Bjorn
>
>
> audit(1205311345.096:2): policy loaded auid=4294967295
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1205311345.624:4): avc: denied { read } for pid=955 comm="write_root_link" name="console" dev=tmpfs ino=1307 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev securityfs, type securityfs), not configured for labeling
> audit(1205311352.640:5): avc: denied { mount } for pid=1756 comm="mount" name="/" dev=securityfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
> Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k
> audit(1205311359.150:6): avc: denied { write } for pid=2470 comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1205311359.154:7): avc: denied { setattr } for pid=2525 comm="chmod" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1205311362.834:8): avc: denied { search } for pid=3168 comm="syslog-ng" name="lib" dev=hda2 ino=33576422 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
> audit(1205311362.834:9): avc: denied { read } for pid=3168 comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
> audit(1205311362.834:10): avc: denied { getattr } for pid=3168 comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
> eth0: link up, 100Mbps, full-duplex
> audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_route_socket
> audit(1205307770.810:12): avc: denied { create } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:13): avc: denied { bind } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:14): avc: denied { getattr } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:15): avc: denied { write } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:16): avc: denied { nlmsg_read } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket
> audit(1205307770.810:17): avc: denied { read } for pid=3889 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=netlink_route_socket


--
Florian Tischler
mailto:flo_list2007@×××××.at
icq#11754147
--
gentoo-hardened@l.g.o mailing list
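As an added example (not code from this thread or from the Gentoo project), a small Python triage script that parses AVC denial lines like the ones above, groups them by source type, target type and object class the way audit2allow does before it proposes rules, and flags groups whose target is a generic type such as device_t or unlabeled_t as candidates for relabeling (the udev /dev advice in the thread) rather than for policy changes. The sample log lines are constructed for the example and the relabel-versus-policy heuristic is an assumption of the example, not an SELinux rule.

```python
import re
from collections import defaultdict
# Constructed sample (hypothetical, re-typed for this example): three AVC
# denials of the kind quoted in the thread plus one unrelated dmesg line.
SAMPLE_LOG = """\
audit(1205421548.959:24): avc: denied { getattr } for pid=1561 comm="bash" name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir
audit(1205421548.959:25): avc: denied { search } for pid=1561 comm="bash" name="xen" dev=proc ino=4026532902 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_xen_t tclass=dir
audit(1205311345.562:3): avc: denied { write } for pid=946 comm="bash" name="null" dev=tmpfs ino=1313 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
eth0: link up, 100Mbps, full-duplex
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# Heuristic assumed by this example: a target of one of these generic types
# usually means the object was never labeled (the udev /dev advice above).
GENERIC_TARGETS = {"device_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict with 'perms' plus the key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # dmesg noise such as 'eth0: link up'
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec

def context_type(ctx):
    return ctx.split(":")[2]  # 'system_u:system_r:initrc_t' -> 'initrc_t'

def summarize(text):
    """Group denials by (source type, target type, class) -> sorted perms."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def triage(text):
    """Tag each group: relabel the object, or review the policy for a real gap."""
    return [(stype, ttype, tclass, perms,
             "relabel target" if ttype in GENERIC_TARGETS else "policy gap, review")
            for (stype, ttype, tclass), perms in summarize(text).items()]

if __name__ == "__main__":
    for stype, ttype, tclass, perms, verdict in triage(SAMPLE_LOG):
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}  {verdict}")
```

Run it over `dmesg` output on the DomU instead of SAMPLE_LOG to see which remaining denials share a (source, target, class) triple before deciding whether to relabel or to look at the policy.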