| 1 |
Hello to all the list. I need your help to understand what's wrong here. |
| 2 |
I tried to convert my laptop to a selinux profile (targeted) several |
| 3 |
times following the documentation step by step. |
| 4 |
Now, the last time I tried, I'm using 2.20120725-r3 policies from the |
| 5 |
hardened-dev overlay, but I found the same problems with every version |
| 6 |
of policies I try.. The system is mainly amd64 (not ~amd64). |
| 7 |
The problems I find are: |
| 8 |
1) it seems like some part of hardware can't be revealed in enforcing |
| 9 |
mode: Pulseaudio can't see the soundcard, powerdevil can't see power |
| 10 |
statistics, newly atttached usb drives are ingored. Obviously |
| 11 |
selinux-consolekit, selinux-policykit and selinux-dbus are installed. |
| 12 |
2) I use partitions encryption (with cryptsetup) and if booting in |
| 13 |
enforcing mode it complains about a temporary file that is already |
| 14 |
there, but then it goes straight. |
| 15 |
3) Logging in root with su or kdesu (in X environment) takes too long: |
| 16 |
if the password I write is ok, it takes even some minute to give me the |
| 17 |
root shell. |
| 18 |
|
| 19 |
Thank you in advance for your help. |
| 20 |
|
| 21 |
|
| 22 |
This is my emerge --info: |
| 23 |
|
| 24 |
Portage 2.1.11.9 (default/linux/amd64/10.0/selinux, gcc-4.5.3, |
| 25 |
glibc-2.15-r2, 3.3.8-gentoo x86_64) |
| 26 |
================================================================= |
| 27 |
System uname: |
| 28 |
Linux-3.3.8-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.1 |
| 29 |
Timestamp of tree: Sun, 19 Aug 2012 12:45:01 +0000 |
| 30 |
app-shells/bash: 4.2_p37 |
| 31 |
dev-java/java-config: 2.1.11-r3 |
| 32 |
dev-lang/python: 2.7.3-r2, 3.2.3 |
| 33 |
dev-util/cmake: 2.8.8-r3 |
| 34 |
dev-util/pkgconfig: 0.27 |
| 35 |
sys-apps/baselayout: 2.1-r1 |
| 36 |
sys-apps/openrc: 0.9.8.4 |
| 37 |
sys-apps/sandbox: 2.5 |
| 38 |
sys-devel/autoconf: 2.13, 2.68 |
| 39 |
sys-devel/automake: 1.11.6 |
| 40 |
sys-devel/binutils: 2.22-r1 |
| 41 |
sys-devel/gcc: 4.5.3-r2 |
| 42 |
sys-devel/gcc-config: 1.7.3 |
| 43 |
sys-devel/libtool: 2.4-r1 |
| 44 |
sys-devel/make: 3.82-r3 |
| 45 |
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers) |
| 46 |
sys-libs/glibc: 2.15-r2 |
| 47 |
Repositories: gentoo mozilla hardened-dev lcd-filtering |
| 48 |
ACCEPT_KEYWORDS="amd64" |
| 49 |
ACCEPT_LICENSE="*" |
| 50 |
CBUILD="x86_64-pc-linux-gnu" |
| 51 |
CFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 --param |
| 52 |
l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic" |
| 53 |
CHOST="x86_64-pc-linux-gnu" |
| 54 |
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt |
| 55 |
/usr/share/themes/oxygen-gtk/gtk-2.0" |
| 56 |
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d |
| 57 |
/etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release |
| 58 |
/etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" |
| 59 |
CXXFLAGS="-O2 -pipe -march=core2 -msse4.1 --param l1-cache-size=32 |
| 60 |
--param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic" |
| 61 |
DISTDIR="/home/portage/distfiles" |
| 62 |
FCFLAGS="-O2 -pipe" |
| 63 |
FEATURES="assume-digests binpkg-logs config-protect-if-modified |
| 64 |
distlocks ebuild-locks fixlafiles news parallel-fetch |
| 65 |
parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms |
| 66 |
strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" |
| 67 |
FFLAGS="-O2 -pipe" |
| 68 |
GENTOO_MIRRORS="ftp://de-mirror.org/gentoo/" |
| 69 |
LANG="it_IT.UTF-8" |
| 70 |
LDFLAGS="-Wl,-O1 -Wl,--as-needed" |
| 71 |
LINGUAS="it" |
| 72 |
MAKEOPTS="-j3" |
| 73 |
PKGDIR="/usr/portage/packages" |
| 74 |
PORTAGE_CONFIGROOT="/" |
| 75 |
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times |
| 76 |
--compress --force --whole-file --delete --stats --human-readable |
| 77 |
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" |
| 78 |
PORTAGE_TMPDIR="/var/tmp" |
| 79 |
PORTDIR="/usr/portage" |
| 80 |
PORTDIR_OVERLAY="/var/lib/layman/mozilla |
| 81 |
/var/lib/layman/hardened-development /var/lib/layman/lcd-filtering" |
| 82 |
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" |
| 83 |
USE="X a52 aac aac+ acl acpi alsa amd64 audit auto-hinter berkdb bzip2 |
| 84 |
cairo cdda cdio cdr cli consolekit corefonts cracklib crypt cups |
| 85 |
custom-cflags custom-optimization cxx dbus dirac dri dts dvd encode exif |
| 86 |
extras faac fam flac fortran g3dvl gdbm gif gles2 gpm gudev hwdb iconv |
| 87 |
jit jpeg kde keymap lcdfilter lcms libnotify lzma mad mmx mng modules |
| 88 |
mp3 mpeg mudflap multilib multimedia ncurses nls nptl ogg open_perms |
| 89 |
opengl openmp pam pcre pdf phonon pic png policykit pppd pulseaudio |
| 90 |
python qt3support qt4 readline schroedinger sdl selinux session sse sse2 |
| 91 |
sse3 sse4_1 ssl ssse3 startup-notification svg tcpd theora threads |
| 92 |
thumbnail tiff truetype type1 udev unicode usb v4l vorbis wavpack x264 |
| 93 |
xa xft xml xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp |
| 94 |
atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 |
| 95 |
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx |
| 96 |
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare |
| 97 |
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter |
| 98 |
mmap_emul mulaw multi null plug rate route share shm softvol" |
| 99 |
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon |
| 100 |
authn_dbm authn_default authn_file authz_dbm authz_default |
| 101 |
authz_groupfile authz_host authz_owner authz_user autoindex cache cgi |
| 102 |
cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter |
| 103 |
file_cache filter headers include info log_config logio mem_cache mime |
| 104 |
mime_magic negotiation rewrite setenvif speling status unique_id userdir |
| 105 |
usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets |
| 106 |
stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df |
| 107 |
interface irq load memory rrdtool swap syslog" ELIBC="glibc" |
| 108 |
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt |
| 109 |
gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore |
| 110 |
rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" |
| 111 |
INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad |
| 112 |
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" |
| 113 |
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" |
| 114 |
LINGUAS="it" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" |
| 115 |
RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon" |
| 116 |
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p |
| 117 |
iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark |
| 118 |
dhcpmac delude chaos account" |
| 119 |
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, |
| 120 |
PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, |
| 121 |
PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON |
| 122 |
|
| 123 |
|
| 124 |
|
| 125 |
This is my avc.log of the last boot up: |
| 126 |
|
| 127 |
Aug 21 08:45:49 dell-studio kernel: [ 7.848157] type=1400 |
| 128 |
audit(1345538717.847:3): avc: denied { search } for pid=1452 |
| 129 |
comm="alsactl" name="root" dev="sda5" ino=1308163 |
| 130 |
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:default_t |
| 131 |
tclass=dir |
| 132 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588561] type=1400 |
| 133 |
audit(1345538718.587:4): avc: denied { read } for pid=1450 |
| 134 |
comm="alsactl" name="urandom" dev="tmpfs" ino=3255 |
| 135 |
scontext=system_u:system_r:alsa_t |
| 136 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 137 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588576] type=1400 |
| 138 |
audit(1345538718.587:6): avc: denied { open } for pid=1450 |
| 139 |
comm="alsactl" name="urandom" dev="tmpfs" ino=3255 |
| 140 |
scontext=system_u:system_r:alsa_t |
| 141 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 142 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588579] type=1400 |
| 143 |
audit(1345538718.587:7): avc: denied { open } for pid=1452 |
| 144 |
comm="alsactl" name="urandom" dev="tmpfs" ino=3255 |
| 145 |
scontext=system_u:system_r:alsa_t |
| 146 |
tcontext=system_u:object_r:urandom_device_t tclass=chr_file |
| 147 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588621] type=1400 |
| 148 |
audit(1345538718.587:8): avc: denied { getattr } for pid=1450 |
| 149 |
comm="alsactl" name="/" dev="tmpfs" ino=2980 |
| 150 |
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t |
| 151 |
tclass=filesystem |
| 152 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588625] type=1400 |
| 153 |
audit(1345538718.587:9): avc: denied { getattr } for pid=1452 |
| 154 |
comm="alsactl" name="/" dev="tmpfs" ino=2980 |
| 155 |
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:tmpfs_t |
| 156 |
tclass=filesystem |
| 157 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588644] type=1400 |
| 158 |
audit(1345538718.587:10): avc: denied { write } for pid=1452 |
| 159 |
comm="alsactl" name="shm" dev="tmpfs" ino=2984 |
| 160 |
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t |
| 161 |
tclass=dir |
| 162 |
Aug 21 08:45:49 dell-studio kernel: [ 8.588652] type=1400 |
| 163 |
audit(1345538718.587:11): avc: denied { add_name } for pid=1452 |
| 164 |
comm="alsactl" name="pulse-shm-1979112542" |
| 165 |
scontext=system_u:system_r:alsa_t tcontext=system_u:object_r:device_t |
| 166 |
tclass=dir |
| 167 |
Aug 21 08:45:49 dell-studio kernel: [ 28.881908] type=1400 |
| 168 |
audit(1345531540.026:21): avc: denied { module_request } for pid=1524 |
| 169 |
comm="cryptsetup" kmod="cbc(aes)" scontext=system_u:system_r:lvm_t |
| 170 |
tcontext=system_u:system_r:kernel_t tclass=system |
| 171 |
Aug 21 08:45:49 dell-studio kernel: [ 38.142682] type=1400 |
| 172 |
audit(1345531549.287:22): avc: denied { setrlimit } for pid=1983 |
| 173 |
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t |
| 174 |
tcontext=system_u:system_r:system_dbusd_t tclass=process |
| 175 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743819] type=1400 |
| 176 |
audit(1345531549.888:23): avc: denied { getattr } for pid=2013 |
| 177 |
comm="console-kit-dae" path="/run/ConsoleKit" dev="tmpfs" ino=5240 |
| 178 |
scontext=system_u:system_r:consolekit_t |
| 179 |
tcontext=system_u:object_r:initrc_var_run_t tclass=dir |
| 180 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743833] type=1400 |
| 181 |
audit(1345531549.888:24): avc: denied { search } for pid=2013 |
| 182 |
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240 |
| 183 |
scontext=system_u:system_r:consolekit_t |
| 184 |
tcontext=system_u:object_r:initrc_var_run_t tclass=dir |
| 185 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743845] type=1400 |
| 186 |
audit(1345531549.888:25): avc: denied { write } for pid=2013 |
| 187 |
comm="console-kit-dae" name="ConsoleKit" dev="tmpfs" ino=5240 |
| 188 |
scontext=system_u:system_r:consolekit_t |
| 189 |
tcontext=system_u:object_r:initrc_var_run_t tclass=dir |
| 190 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743854] type=1400 |
| 191 |
audit(1345531549.888:26): avc: denied { add_name } for pid=2013 |
| 192 |
comm="console-kit-dae" name="database~" |
| 193 |
scontext=system_u:system_r:consolekit_t |
| 194 |
tcontext=system_u:object_r:initrc_var_run_t tclass=dir |
| 195 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743875] type=1400 |
| 196 |
audit(1345531549.888:27): avc: denied { create } for pid=2013 |
| 197 |
comm="console-kit-dae" name="database~" |
| 198 |
scontext=system_u:system_r:consolekit_t |
| 199 |
tcontext=system_u:object_r:initrc_var_run_t tclass=file |
| 200 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743939] type=1400 |
| 201 |
audit(1345531549.888:28): avc: denied { remove_name } for pid=2013 |
| 202 |
comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251 |
| 203 |
scontext=system_u:system_r:consolekit_t |
| 204 |
tcontext=system_u:object_r:initrc_var_run_t tclass=dir |
| 205 |
Aug 21 08:45:49 dell-studio kernel: [ 38.743948] type=1400 |
| 206 |
audit(1345531549.888:29): avc: denied { rename } for pid=2013 |
| 207 |
comm="console-kit-dae" name="database~" dev="tmpfs" ino=5251 |
| 208 |
scontext=system_u:system_r:consolekit_t |
| 209 |
tcontext=system_u:object_r:initrc_var_run_t tclass=file |
| 210 |
Aug 21 08:45:50 dell-studio kernel: [ 39.000295] type=1400 |
| 211 |
audit(1345531550.145:30): avc: denied { read } for pid=2089 |
| 212 |
comm="crond" name="root" dev="sda7" ino=12796 |
| 213 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t |
| 214 |
tclass=file |
| 215 |
Aug 21 08:45:55 dell-studio kernel: [ 44.775964] type=1400 |
| 216 |
audit(1345531555.920:51): avc: denied { read } for pid=2912 comm="sh" |
| 217 |
name="meminfo" dev="proc" ino=4026532031 |
| 218 |
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t |
| 219 |
tclass=file |
| 220 |
Aug 21 08:45:55 dell-studio kernel: [ 44.775974] type=1400 |
| 221 |
audit(1345531555.920:52): avc: denied { open } for pid=2912 comm="sh" |
| 222 |
name="meminfo" dev="proc" ino=4026532031 |
| 223 |
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t |
| 224 |
tclass=file |
| 225 |
Aug 21 08:45:55 dell-studio kernel: [ 44.775991] type=1400 |
| 226 |
audit(1345531555.920:53): avc: denied { getattr } for pid=2912 |
| 227 |
comm="sh" path="/proc/meminfo" dev="proc" ino=4026532031 |
| 228 |
scontext=system_u:system_r:wpa_cli_t tcontext=system_u:object_r:proc_t |
| 229 |
tclass=file |
| 230 |
Aug 21 08:45:56 dell-studio kernel: [ 44.975326] type=1400 |
| 231 |
audit(1345531556.120:54): avc: denied { read write } for pid=2956 |
| 232 |
comm="ifconfig" path="socket:[5638]" dev="sockfs" ino=5638 |
| 233 |
scontext=system_u:system_r:ifconfig_t |
| 234 |
tcontext=system_u:system_r:wpa_cli_t tclass=unix_dgram_socket |
| 235 |
Aug 21 08:45:56 dell-studio kernel: [ 45.229495] type=1400 |
| 236 |
audit(1345531556.374:55): avc: denied { use } for pid=3088 |
| 237 |
comm="mount" path="/dev/null" dev="tmpfs" ino=2982 |
| 238 |
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t |
| 239 |
tclass=fd |
| 240 |
Aug 21 08:45:56 dell-studio kernel: [ 45.229516] type=1400 |
| 241 |
audit(1345531556.374:56): avc: denied { read write } for pid=3088 |
| 242 |
comm="mount" path="socket:[5638]" dev="sockfs" ino=5638 |
| 243 |
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:wpa_cli_t |
| 244 |
tclass=unix_dgram_socket |
| 245 |
Aug 21 08:46:05 dell-studio kernel: [ 54.833228] type=1400 |
| 246 |
audit(1345531565.978:57): avc: denied { read } for pid=2013 |
| 247 |
comm="console-kit-dae" name="machine-id" dev="sda7" ino=184383 |
| 248 |
scontext=system_u:system_r:consolekit_t |
| 249 |
tcontext=system_u:object_r:system_dbusd_var_lib_t tclass=lnk_file |
| 250 |
Aug 21 08:46:06 dell-studio kernel: [ 54.866726] type=1400 |
| 251 |
audit(1345531566.011:58): avc: denied { create } for pid=2013 |
| 252 |
comm="console-kit-dae" name="database~" |
| 253 |
scontext=system_u:system_r:consolekit_t |
| 254 |
tcontext=system_u:object_r:initrc_var_run_t tclass=file |
| 255 |
Aug 21 08:46:06 dell-studio kernel: [ 54.866889] type=1400 |
| 256 |
audit(1345531566.011:59): avc: denied { remove_name } for pid=2013 |
| 257 |
comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008 |
| 258 |
scontext=system_u:system_r:consolekit_t |
| 259 |
tcontext=system_u:object_r:initrc_var_run_t tclass=dir |
| 260 |
Aug 21 08:46:06 dell-studio kernel: [ 54.866898] type=1400 |
| 261 |
audit(1345531566.011:60): avc: denied { rename } for pid=2013 |
| 262 |
comm="console-kit-dae" name="database~" dev="tmpfs" ino=6008 |
| 263 |
scontext=system_u:system_r:consolekit_t |
| 264 |
tcontext=system_u:object_r:initrc_var_run_t tclass=file |
| 265 |
Aug 21 08:46:06 dell-studio kernel: [ 54.866907] type=1400 |
| 266 |
audit(1345531566.011:61): avc: denied { unlink } for pid=2013 |
| 267 |
comm="console-kit-dae" name="database" dev="tmpfs" ino=5251 |
| 268 |
scontext=system_u:system_r:consolekit_t |
| 269 |
tcontext=system_u:object_r:initrc_var_run_t tclass=file |
| 270 |
Aug 21 08:46:06 dell-studio kernel: [ 54.939435] type=1400 |
| 271 |
audit(1345531566.084:62): avc: denied { read } for pid=3111 |
| 272 |
comm="udev-acl.ck" name="udev-acl" dev="tmpfs" ino=3056 |
| 273 |
scontext=system_u:system_r:consolekit_t |
| 274 |
tcontext=system_u:object_r:udev_var_run_t tclass=dir |
| 275 |
Aug 21 08:46:06 dell-studio kernel: [ 54.939920] type=1400 |
| 276 |
audit(1345531566.084:63): avc: denied { getattr } for pid=3111 |
| 277 |
comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051 |
| 278 |
scontext=system_u:system_r:consolekit_t |
| 279 |
tcontext=system_u:object_r:dri_device_t tclass=chr_file |
| 280 |
Aug 21 08:46:06 dell-studio kernel: [ 54.939945] type=1400 |
| 281 |
audit(1345531566.084:64): avc: denied { setattr } for pid=3111 |
| 282 |
comm="udev-acl.ck" name="card0" dev="tmpfs" ino=3051 |
| 283 |
scontext=system_u:system_r:consolekit_t |
| 284 |
tcontext=system_u:object_r:dri_device_t tclass=chr_file |
| 285 |
Aug 21 08:46:06 dell-studio kernel: [ 54.940052] type=1400 |
| 286 |
audit(1345531566.085:65): avc: denied { getattr } for pid=3111 |
| 287 |
comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 |
| 288 |
scontext=system_u:system_r:consolekit_t |
| 289 |
tcontext=system_u:object_r:sound_device_t tclass=chr_file |
| 290 |
Aug 21 08:46:06 dell-studio kernel: [ 54.940067] type=1400 |
| 291 |
audit(1345531566.085:66): avc: denied { setattr } for pid=3111 |
| 292 |
comm="udev-acl.ck" name="hwC1D0" dev="tmpfs" ino=3733 |
| 293 |
scontext=system_u:system_r:consolekit_t |
| 294 |
tcontext=system_u:object_r:sound_device_t tclass=chr_file |
| 295 |
Aug 21 08:46:11 dell-studio kernel: [ 60.117720] type=1400 |
| 296 |
audit(1345531571.262:74): avc: denied { execute } for pid=3184 |
| 297 |
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 |
| 298 |
scontext=system_u:system_r:system_dbusd_t |
| 299 |
tcontext=system_u:object_r:bin_t tclass=file |
| 300 |
Aug 21 08:46:11 dell-studio kernel: [ 60.117729] type=1400 |
| 301 |
audit(1345531571.262:75): avc: denied { read open } for pid=3184 |
| 302 |
comm="dbus-daemon-lau" name="upowerd" dev="sda5" ino=939375 |
| 303 |
scontext=system_u:system_r:system_dbusd_t |
| 304 |
tcontext=system_u:object_r:bin_t tclass=file |
| 305 |
Aug 21 08:46:11 dell-studio kernel: [ 60.117750] type=1400 |
| 306 |
audit(1345531571.262:76): avc: denied { execute_no_trans } for |
| 307 |
pid=3184 comm="dbus-daemon-lau" path="/usr/libexec/upowerd" dev="sda5" |
| 308 |
ino=939375 scontext=system_u:system_r:system_dbusd_t |
| 309 |
tcontext=system_u:object_r:bin_t tclass=file |
| 310 |
Aug 21 08:46:11 dell-studio kernel: [ 60.184184] type=1400 |
| 311 |
audit(1345531571.329:77): avc: denied { write } for pid=3184 |
| 312 |
comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 |
| 313 |
scontext=system_u:system_r:system_dbusd_t |
| 314 |
tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file |
| 315 |
Aug 21 08:46:11 dell-studio kernel: [ 60.184195] type=1400 |
| 316 |
audit(1345531571.329:78): avc: denied { open } for pid=3184 |
| 317 |
comm="upowerd" name="cpu_dma_latency" dev="tmpfs" ino=3263 |
| 318 |
scontext=system_u:system_r:system_dbusd_t |
| 319 |
tcontext=system_u:object_r:netcontrol_device_t tclass=chr_file |
| 320 |
Aug 21 08:46:11 dell-studio kernel: [ 60.223810] type=1400 |
| 321 |
audit(1345531571.368:79): avc: denied { read } for pid=3188 |
| 322 |
comm="upowerd" name="sh" dev="sda5" ino=1706629 |
| 323 |
scontext=system_u:system_r:system_dbusd_t |
| 324 |
tcontext=system_u:object_r:bin_t tclass=lnk_file |
| 325 |
Aug 21 08:46:11 dell-studio kernel: [ 60.223838] type=1400 |
| 326 |
audit(1345531571.368:80): avc: denied { execute } for pid=3188 |
| 327 |
comm="upowerd" name="bash" dev="sda5" ino=1700702 |
| 328 |
scontext=system_u:system_r:system_dbusd_t |
| 329 |
tcontext=system_u:object_r:shell_exec_t tclass=file |
| 330 |
Aug 21 08:46:11 dell-studio kernel: [ 60.223848] type=1400 |
| 331 |
audit(1345531571.368:81): avc: denied { read open } for pid=3188 |
| 332 |
comm="upowerd" name="bash" dev="sda5" ino=1700702 |
| 333 |
scontext=system_u:system_r:system_dbusd_t |
| 334 |
tcontext=system_u:object_r:shell_exec_t tclass=file |
| 335 |
Aug 21 08:46:11 dell-studio kernel: [ 60.225529] type=1400 |
| 336 |
audit(1345531571.370:82): avc: denied { ioctl } for pid=3188 |
| 337 |
comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5" |
| 338 |
ino=815434 scontext=system_u:system_r:system_dbusd_t |
| 339 |
tcontext=system_u:object_r:bin_t tclass=file |
| 340 |
Aug 21 08:46:11 dell-studio kernel: [ 60.225555] type=1400 |
| 341 |
audit(1345531571.370:83): avc: denied { getattr } for pid=3188 |
| 342 |
comm="pm-is-supported" path="/usr/bin/pm-is-supported" dev="sda5" |
| 343 |
ino=815434 scontext=system_u:system_r:system_dbusd_t |
| 344 |
tcontext=system_u:object_r:bin_t tclass=file |
| 345 |
Aug 21 08:46:16 dell-studio kernel: [ 65.194471] type=1400 |
| 346 |
audit(1345531576.339:148): avc: denied { write } for pid=3260 |
| 347 |
comm="mount" name="/" dev="dm-1" ino=2 |
| 348 |
scontext=system_u:system_r:system_dbusd_t |
| 349 |
tcontext=system_u:object_r:home_root_t tclass=dir |
| 350 |
Aug 21 08:46:16 dell-studio kernel: [ 65.449862] type=1400 |
| 351 |
audit(1345531576.594:149): avc: denied { search } for pid=3268 |
| 352 |
comm="laptop-mode" name="vm" dev="proc" ino=5312 |
| 353 |
scontext=system_u:system_r:system_dbusd_t |
| 354 |
tcontext=system_u:object_r:sysctl_vm_t tclass=dir |
| 355 |
Aug 21 08:46:16 dell-studio kernel: [ 65.449879] type=1400 |
| 356 |
audit(1345531576.594:150): avc: denied { write } for pid=3268 |
| 357 |
comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 |
| 358 |
scontext=system_u:system_r:system_dbusd_t |
| 359 |
tcontext=system_u:object_r:sysctl_vm_t tclass=file |
| 360 |
Aug 21 08:46:16 dell-studio kernel: [ 65.450458] type=1400 |
| 361 |
audit(1345531576.595:151): avc: denied { read } for pid=3269 |
| 362 |
comm="laptop-mode" name="laptop_mode" dev="proc" ino=5313 |
| 363 |
scontext=system_u:system_r:system_dbusd_t |
| 364 |
tcontext=system_u:object_r:sysctl_vm_t tclass=file |
| 365 |
Aug 21 08:46:16 dell-studio kernel: [ 65.451314] type=1400 |
| 366 |
audit(1345531576.596:152): avc: denied { open } for pid=3271 |
| 367 |
comm="cat" name="laptop_mode" dev="proc" ino=5313 |
| 368 |
scontext=system_u:system_r:system_dbusd_t |
| 369 |
tcontext=system_u:object_r:sysctl_vm_t tclass=file |
| 370 |
Aug 21 08:46:16 dell-studio kernel: [ 65.451327] type=1400 |
| 371 |
audit(1345531576.596:153): avc: denied { getattr } for pid=3271 |
| 372 |
comm="cat" path="/proc/sys/vm/laptop_mode" dev="proc" ino=5313 |
| 373 |
scontext=system_u:system_r:system_dbusd_t |
| 374 |
tcontext=system_u:object_r:sysctl_vm_t tclass=file |
| 375 |
Aug 21 08:46:16 dell-studio kernel: [ 65.460034] type=1400 |
| 376 |
audit(1345531576.604:154): avc: denied { execute } for pid=3277 |
| 377 |
comm="readahead" name="blockdev" dev="sda5" ino=416349 |
| 378 |
scontext=system_u:system_r:system_dbusd_t |
| 379 |
tcontext=system_u:object_r:fsadm_exec_t tclass=file |
| 380 |
Aug 21 08:46:16 dell-studio kernel: [ 65.462069] type=1400 |
| 381 |
audit(1345531576.607:155): avc: denied { read open } for pid=3280 |
| 382 |
comm="readahead" name="blockdev" dev="sda5" ino=416349 |
| 383 |
scontext=system_u:system_r:system_dbusd_t |
| 384 |
tcontext=system_u:object_r:fsadm_exec_t tclass=file |
| 385 |
Aug 21 08:46:16 dell-studio kernel: [ 65.462103] type=1400 |
| 386 |
audit(1345531576.607:156): avc: denied { execute_no_trans } for |
| 387 |
pid=3280 comm="readahead" path="/sbin/blockdev" dev="sda5" ino=416349 |
| 388 |
scontext=system_u:system_r:system_dbusd_t |
| 389 |
tcontext=system_u:object_r:fsadm_exec_t tclass=file |
| 390 |
Aug 21 08:46:16 dell-studio kernel: [ 65.494153] type=1400 |
| 391 |
audit(1345531576.639:157): avc: denied { getattr } for pid=3287 |
| 392 |
comm="which" path="/sbin/iwconfig" dev="sda5" ino=416869 |
| 393 |
scontext=system_u:system_r:system_dbusd_t |
| 394 |
tcontext=system_u:object_r:ifconfig_exec_t tclass=file |
| 395 |
Aug 21 08:46:24 dell-studio kernel: [ 73.269671] type=1400 |
| 396 |
audit(1345531584.414:159): avc: denied { search } for pid=1983 |
| 397 |
comm="dbus-daemon" name="console" dev="tmpfs" ino=6011 |
| 398 |
scontext=system_u:system_r:system_dbusd_t |
| 399 |
tcontext=system_u:object_r:consolekit_var_run_t tclass=dir |
| 400 |
Aug 21 08:46:26 dell-studio kernel: [ 75.002090] type=1400 |
| 401 |
audit(1345531586.147:160): avc: denied { read } for pid=3238 |
| 402 |
comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539 |
| 403 |
scontext=system_u:system_r:system_dbusd_t |
| 404 |
tcontext=system_u:object_r:removable_device_t tclass=blk_file |
| 405 |
Aug 21 08:46:26 dell-studio kernel: [ 75.002101] type=1400 |
| 406 |
audit(1345531586.147:161): avc: denied { open } for pid=3238 |
| 407 |
comm="udisks-daemon" name="sr0" dev="tmpfs" ino=3539 |
| 408 |
scontext=system_u:system_r:system_dbusd_t |
| 409 |
tcontext=system_u:object_r:removable_device_t tclass=blk_file |
| 410 |
Aug 21 08:46:48 dell-studio kernel: [ 97.234376] type=1400 |
| 411 |
audit(1345531608.230:162): avc: denied { execstack } for pid=3659 |
| 412 |
comm="chrome" scontext=unconfined_u:unconfined_r:unconfined_t |
| 413 |
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process |
| 414 |
Aug 21 08:50:01 dell-studio kernel: [ 290.083336] type=1400 |
| 415 |
audit(1345531801.079:163): avc: denied { execute } for pid=4630 |
| 416 |
comm="sh" name="run-crons" dev="sda5" ino=922129 |
| 417 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t |
| 418 |
tclass=file |
| 419 |
Aug 21 08:50:01 dell-studio kernel: [ 290.083888] type=1400 |
| 420 |
audit(1345531801.079:164): avc: denied { read open } for pid=4631 |
| 421 |
comm="sh" name="run-crons" dev="sda5" ino=922129 |
| 422 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t |
| 423 |
tclass=file |
| 424 |
Aug 21 08:50:01 dell-studio kernel: [ 290.083965] type=1400 |
| 425 |
audit(1345531801.079:165): avc: denied { execute_no_trans } for |
| 426 |
pid=4631 comm="sh" path="/usr/sbin/run-crons" dev="sda5" ino=922129 |
| 427 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t |
| 428 |
tclass=file |
| 429 |
Aug 21 08:50:01 dell-studio kernel: [ 290.110392] type=1400 |
| 430 |
audit(1345531801.106:166): avc: denied { ioctl } for pid=4631 |
| 431 |
comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129 |
| 432 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t |
| 433 |
tclass=file |
| 434 |
Aug 21 08:50:01 dell-studio kernel: [ 290.110414] type=1400 |
| 435 |
audit(1345531801.106:167): avc: denied { getattr } for pid=4631 |
| 436 |
comm="run-crons" path="/usr/sbin/run-crons" dev="sda5" ino=922129 |
| 437 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t |
| 438 |
tclass=file |
| 439 |
Aug 21 08:50:01 dell-studio kernel: [ 290.161144] type=1400 |
| 440 |
audit(1345531801.157:168): avc: denied { create } for pid=4633 |
| 441 |
comm="ln" name="lock" scontext=system_u:system_r:crond_t |
| 442 |
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file |
| 443 |
Aug 21 08:50:01 dell-studio kernel: [ 290.168642] type=1400 |
| 444 |
audit(1345531801.164:169): avc: denied { getattr } for pid=4631 |
| 445 |
comm="run-crons" path="/var/spool/cron/lastrun/lock" dev="sda7" |
| 446 |
ino=12547 scontext=system_u:system_r:crond_t |
| 447 |
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file |
| 448 |
Aug 21 08:50:01 dell-studio kernel: [ 290.170178] type=1400 |
| 449 |
audit(1345531801.166:170): avc: denied { read } for pid=4634 |
| 450 |
comm="find" name="root" dev="sda5" ino=1308163 |
| 451 |
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:default_t |
| 452 |
tclass=dir |
| 453 |
Aug 21 08:50:01 dell-studio kernel: [ 290.180507] type=1400 |
| 454 |
audit(1345531801.176:171): avc: denied { getattr } for pid=4634 |
| 455 |
comm="find" path="/var/spool/cron/lastrun/.keep_sys-process_cronbase-0" |
| 456 |
dev="sda7" ino=45164 scontext=system_u:system_r:crond_t |
| 457 |
tcontext=system_u:object_r:file_t tclass=file |
| 458 |
Aug 21 08:50:09 dell-studio kernel: [ 298.361777] type=1400 |
| 459 |
audit(1345531809.356:173): avc: denied { unlink } for pid=4704 |
| 460 |
comm="rm" name="lock" dev="sda7" ino=12547 |
| 461 |
scontext=system_u:system_r:crond_t |
| 462 |
tcontext=system_u:object_r:crond_tmp_t tclass=lnk_file |
| 463 |
|
| 464 |
This is my /etc/fstab (I found that the /selinux mountpoint is no more |
| 465 |
needed): |
| 466 |
|
| 467 |
/dev/sda1 /boot ext2 noauto,noatime 1 2 |
| 468 |
/dev/sda5 / ext4 noatime 0 1 |
| 469 |
/dev/mapper/swap none swap sw 0 0 |
| 470 |
/dev/sda7 /var jfs |
| 471 |
defaults,rootcontext=system_u:object_r:var_t 0 1 |
| 472 |
/dev/mapper/home /home ext4 noatime 0 1 |
| 473 |
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0 |
| 474 |
|
| 475 |
tmpfs /run tmpfs |
| 476 |
mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0 |
| 477 |
|
| 478 |
Lastly this is my sestatus -v: |
| 479 |
|
| 480 |
Password: |
| 481 |
SELinux status: enabled |
| 482 |
SELinuxfs mount: /sys/fs/selinux |
| 483 |
SELinux root directory: /etc/selinux |
| 484 |
Loaded policy name: targeted |
| 485 |
Current mode: permissive |
| 486 |
Mode from config file: permissive |
| 487 |
Policy MLS status: disabled |
| 488 |
Policy deny_unknown status: denied |
| 489 |
Max kernel policy version: 26 |
| 490 |
|
| 491 |
Process contexts: |
| 492 |
Current context: unconfined_u:unconfined_r:unconfined_t |
| 493 |
Init context: system_u:system_r:init_t |
| 494 |
/sbin/agetty system_u:system_r:getty_t |
| 495 |
|
| 496 |
File contexts: |
| 497 |
Controlling terminal: unconfined_u:object_r:user_devpts_t |
| 498 |
/sbin/init system_u:object_r:init_exec_t |
| 499 |
/sbin/agetty system_u:object_r:getty_exec_t |
| 500 |
/bin/login system_u:object_r:login_exec_t |
| 501 |
/sbin/rc system_u:object_r:rc_exec_t |
| 502 |
/usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 503 |
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t |
| 504 |
/etc/passwd system_u:object_r:etc_t |
| 505 |
/etc/shadow system_u:object_r:shadow_t |
| 506 |
/bin/sh system_u:object_r:bin_t -> |
| 507 |
system_u:object_r:shell_exec_t |
| 508 |
/bin/bash system_u:object_r:shell_exec_t |
| 509 |
/usr/bin/newrole system_u:object_r:newrole_exec_t |
| 510 |
/lib/libc.so.6 system_u:object_r:lib_t -> |
| 511 |
system_u:object_r:lib_t |
| 512 |
/lib/ld-linux.so.2 system_u:object_r:lib_t -> |
| 513 |
system_u:object_r:ld_so_t |
Archives