Gentoo Archives: gentoo-hardened

From: "Björn Fahller" <gentoo@×××××××.se>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Problem with SELinux policy
Date: Thu, 13 Mar 2008 16:03:47
Message-Id: 200803131701.24549.gentoo@fahller.se
In Reply to: Re: [gentoo-hardened] Problem with SELinux policy by Chris PeBenito
On Thursday 13 March 2008 16.27.51 Chris PeBenito wrote:
> On Thu, 2008-03-13 at 15:26 +0100, Björn Fahller wrote:

> > Adding 977216k swap on /dev/hda1. Priority:-1 extents:1 across:977216k
> > audit(1205311359.150:6): avc: denied { write } for pid=2470
> > comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216
> > scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t
> > tclass=file
> > audit(1205311359.154:7): avc: denied { setattr } for pid=2525
> > comm="chmod" name="resolv.conf" dev=hda2 ino=46223216
> > scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t
> > tclass=file
>
> Do you use net-dns/resolvconf-gentoo?

No. Would it help?

>
> > audit(1205311362.834:8): avc: denied { search } for pid=3168
> > comm="syslog-ng" name="lib" dev=hda2 ino=33576422
> > scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> > tclass=dir
> > audit(1205311362.834:9): avc: denied { read } for pid=3168
> > comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402
> > scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> > tclass=file
> > audit(1205311362.834:10): avc: denied { getattr } for pid=3168
> > comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402
> > scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t
> > tclass=file
>
> I'll have to add support for this file to the policy. Is this
> created/modified by syslog-ng too?

Yes. It can presumably be turned off by the very
undocumented "--ignore-persistent" flag, but I don't know what that would
change, so I've left everything defaulted.

> > eth0: link up, 100Mbps, full-duplex
> > audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576
> > comm="dhcpcd" scontext=system_u:system_r:dhcpc_t
>
> I'll have to do some investigation on this one.

If you use VirtualBox, I can give you the experiment machine to look into.
_
/Bjorn
--
gentoo-hardened@l.g.o mailing list
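The AVC denials quoted in this thread are the raw material a policy maintainer works from: each line names the source domain, the target type, the object class and the denied permissions, and the usual first step is to group them per (source, target, class) tuple before deciding whether the policy needs a rule, the file needs a different label, or the access should stay denied. The following Python script is an added example, not code from the thread or from the Gentoo SELinux policy; it parses the denial lines as they appear above (joined back onto single lines), groups them into candidate rules in the `allow` syntax audit2allow would produce, and flags the truncated dhcpcd line, which lacks a tcontext and tclass, as incomplete rather than silently dropping it. The sample text is copied from the message; nothing else is assumed.

```python
import re
from collections import defaultdict

# Sample AVC denials, copied from the messages quoted in this thread and
# re-joined onto single lines. The final dhcpcd line is incomplete in the
# original message (no tcontext/tclass), which the parser must tolerate.
SAMPLE_AVC_LINES = """\
audit(1205311359.150:6): avc: denied { write } for pid=2470 comm="runscript.sh" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1205311359.154:7): avc: denied { setattr } for pid=2525 comm="chmod" name="resolv.conf" dev=hda2 ino=46223216 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1205311362.834:8): avc: denied { search } for pid=3168 comm="syslog-ng" name="lib" dev=hda2 ino=33576422 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
audit(1205311362.834:9): avc: denied { read } for pid=3168 comm="syslog-ng" name="syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
audit(1205311362.834:10): avc: denied { getattr } for pid=3168 comm="syslog-ng" path="/var/lib/syslog-ng.persist" dev=hda2 ino=33576402 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
audit(1205311366.898:11): avc: denied { nlmsg_write } for pid=3576 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t
"""

# audit(<timestamp>:<serial>): avc: denied { perm perm ... } for key=value ...
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def domain_type(context):
    """Extract the type field from a user:role:type[:mls] security context."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class) -> set of permissions.

    Lines without a target context or class (like the truncated dhcpcd entry)
    are returned separately so they are not lost from the review.
    """
    rules = defaultdict(set)
    incomplete = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if "tcontext" not in rec or "tclass" not in rec:
            incomplete.append(rec)
            continue
        key = (domain_type(rec["scontext"]), domain_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules, incomplete


def format_rules(rules):
    """Render grouped denials as candidate allow rules for a maintainer to review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    grouped, partial = summarize(SAMPLE_AVC_LINES)
    for rule in format_rules(grouped):
        print(rule)
    for rec in partial:
        print(f"# incomplete denial (serial {rec['serial']}, comm={rec['comm']}): "
              f"{' '.join(rec['perms'])} from {rec['scontext']}, no target context")
```

The grouped output makes the maintainer's two decisions in the thread visible: the `initrc_t` to `net_conf_t` writes on resolv.conf and the `syslogd_t` accesses to `var_lib_t` are distinct questions (a policy rule versus, for the persist file, possibly a dedicated type and file context), and the dhcpcd `nlmsg_write` denial cannot be turned into a rule at all until the full line with its target class is available.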
