| 1 |
Mike Edenfield wrote: |
| 2 |
> Markus Bartl wrote: |
| 3 |
> |
| 4 |
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.300:3): avc: denied |
| 5 |
>> { read write } for pid=1 comm="init" path="/dev/console" dev=sda3 |
| 6 |
>> ino=1485226 scontext=system_u:system_r:init_t |
| 7 |
>> tcontext=system_u:object_r:file_t tclass=chr_file |
| 8 |
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.304:4): avc: denied |
| 9 |
>> { ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda3 ino=1485112 |
| 10 |
>> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t |
| 11 |
>> tclass=chr_file |
| 12 |
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.316:5): avc: denied |
| 13 |
>> { read write } for pid=1081 comm="rc" name="console" dev=sda3 |
| 14 |
>> ino=1485226 scontext=system_u:system_r:initrc_t |
| 15 |
>> tcontext=system_u:object_r:file_t tclass=chr_file |
| 16 |
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.364:6): avc: denied |
| 17 |
>> { read write } for pid=1083 comm="consoletype" name="console" |
| 18 |
>> dev=sda3 ino=1485226 scontext=system_u:system_r:consoletype_t |
| 19 |
>> tcontext=system_u:object_r:file_t tclass=chr_file |
| 20 |
>> Sep 29 20:20:22 odin type=1400 audit(1222712401.364:7): avc: denied |
| 21 |
>> { getattr } for pid=1083 comm="consoletype" path="/dev/console" |
| 22 |
>> dev=sda3 ino=1485226 scontext=system_u:system_r:consoletype_t |
| 23 |
>> tcontext=system_u:object_r:file_t tclass=chr_file |
| 24 |
> |
| 25 |
> These are actually pretty harmless -- it just means your static /dev |
| 26 |
> isn't labeled correctly. This is because the stage3 tarballs don't have |
| 27 |
> any SELinux information in them, so when you unpack it the /dev files |
| 28 |
> are there with no labels, but by the time you get SELinux working enough |
| 29 |
> to relabel your filesystems, udev has taken over /dev. |
| 30 |
> |
| 31 |
> If you want to get rid of these AVC's from your dmesg, you just need to |
| 32 |
> relabel the static dev entries. It's a bit tricky but you only need to |
| 33 |
> do it once: |
| 34 |
> |
| 35 |
> # mkdir -p /mnt/realroot |
| 36 |
> # mount -o bind / /mnt/realroot |
| 37 |
> # setfiles -r /mnt/realroot \ |
| 38 |
> /etc/selinux/strict/contexts/files/file_contexts \ |
| 39 |
> /mnt/realroot/dev |
| 40 |
> # umount /mnt/realroot |
| 41 |
|
| 42 |
That works and I can now boot the machine in enforcing mode. |
| 43 |
|
| 44 |
I'm still suffering some service problems. courier-imap and |
| 45 |
courier-authlib still refuse to start in enforcing mode, they give |
| 46 |
various errors: |
| 47 |
|
| 48 |
type=1400 audit(1222791340.255:367): avc: denied { getattr } for |
| 49 |
pid=6774 comm="courier-authlib" path="/etc/profile.env" dev=hda3 |
| 50 |
ino=62489 scontext=staff_u:sysadm_r:run_init_t |
| 51 |
tcontext=system_u:object_r:etc_runtime_t tclass=file |
| 52 |
type=1400 audit(1222791342.986:368): avc: denied { read } for |
| 53 |
pid=6779 comm="consoletype" name="urandom" dev=tmpfs ino=3320 |
| 54 |
scontext=system_u:system_r:consoletype_t |
| 55 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 56 |
type=1400 audit(1222791343.676:369): avc: denied { read } for |
| 57 |
pid=6811 comm="runscript.sh" name="authdaemonrc" dev=hda3 ino=62734 |
| 58 |
scontext=system_u:system_r:initrc_t |
| 59 |
tcontext=system_u:object_r:courier_etc_t tclass=file |
| 60 |
type=1400 audit(1222791344.066:370): avc: denied { read } for |
| 61 |
pid=6840 comm="runscript.sh" name="authdaemonrc" dev=hda3 ino=62734 |
| 62 |
scontext=system_u:system_r:initrc_t |
| 63 |
tcontext=system_u:object_r:courier_etc_t tclass=file |
| 64 |
|
| 65 |
and |
| 66 |
|
| 67 |
type=1400 audit(1222791363.237:372): avc: denied { getattr } for |
| 68 |
pid=6851 comm="courier-imapd" path="/etc/profile.env" dev=hda3 ino=62489 |
| 69 |
scontext=staff_u:sysadm_r:run_init_t |
| 70 |
tcontext=system_u:object_r:etc_runtime_t tclass=file |
| 71 |
type=1400 audit(1222791364.978:373): avc: denied { read } for |
| 72 |
pid=6856 comm="consoletype" name="urandom" dev=tmpfs ino=3320 |
| 73 |
scontext=system_u:system_r:consoletype_t |
| 74 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 75 |
type=1400 audit(1222791366.598:374): avc: denied { read } for |
| 76 |
pid=6943 comm="runscript.sh" name="authdaemonrc" dev=hda3 ino=62734 |
| 77 |
scontext=system_u:system_r:initrc_t |
| 78 |
tcontext=system_u:object_r:courier_etc_t tclass=file |
| 79 |
type=1400 audit(1222791366.648:375): avc: denied { execute } for |
| 80 |
pid=6946 comm="env" name="courierlogger" dev=hda5 ino=49145 |
| 81 |
scontext=system_u:system_r:initrc_t |
| 82 |
tcontext=system_u:object_r:courier_exec_t tclass=file |
| 83 |
|
| 84 |
And I'm unable to mount nfs shares, it gives me "can't get address |
| 85 |
for....". But if I switch to permissive I can start both courier |
| 86 |
services and nfs mounts work perfectly. |
| 87 |
|
| 88 |
Also postfix won't start, it's permenantly stuck thinking its started |
| 89 |
but it isn't. It failed to stop or start with messages like: |
| 90 |
|
| 91 |
grsec: From 10.194.217.10: denied resource overstep by requesting |
| 92 |
121724928 for RLIMIT_STACK against limit 8388608 for |
| 93 |
/etc/postfix/postfix-script[postfix-script:6593] uid/euid:0/0 |
| 94 |
gid/egid:0/0, parent /sbin/runscript.sh[runscript.sh:6592] uid/euid:0/0 |
| 95 |
gid/egid:0/ |
| 96 |
|
| 97 |
I tried to start it manually but I get |
| 98 |
|
| 99 |
genesis ~ # postfix -c /etc/postfix/ start |
| 100 |
-su: /usr/sbin/postfix: Permission denied |
| 101 |
|
| 102 |
genesis ~ # ls -l /usr/sbin/postfix |
| 103 |
-rwxr-xr-x+ 1 root root 71892 Sep 25 19:30 /usr/sbin/postfix |
| 104 |
|
| 105 |
Any ideas? |
| 106 |
|
| 107 |
Thanks |
| 108 |
|
| 109 |
Matt |
Archives