| 1 |
On Tue, 2007-03-13 at 16:38 -0400, Mike Edenfield wrote: |
| 2 |
> Chris PeBenito wrote: |
| 3 |
> > On Tue, 2007-03-06 at 15:33 -0500, Mike Edenfield wrote: |
| 4 |
> |
| 5 |
> > Sorry for the slow response. These messages are likely due to the |
| 6 |
> > static device nodes under a udev /dev. |
| 7 |
[cut] |
| 8 |
> Thanks for this, and also to the person who wrote the |
| 9 |
> previous reply recommending a static /dev. (I meant to |
| 10 |
> reply sooner but have been on vacation). This actually |
| 11 |
> eliminated a big chunk of my problems. |
| 12 |
> |
| 13 |
> I'm still hoping someone can point me to a more general |
| 14 |
> tutorial on troubleshooting these types of errors. Now that |
| 15 |
> I'm trying to get actual services running on the system, I'm |
| 16 |
> obviously having more of them, and I don't want to waste |
| 17 |
> this list's time trying to explain every one of them to me |
| 18 |
> :x Things like this (two of which I assume are being |
| 19 |
> generated because I'm running dhcpcd on this machine at boot): |
| 20 |
> |
| 21 |
> Mar 13 06:39:09 [kernel] audit(1173782339.840:57): avc: |
| 22 |
> denied { write } for pid=2775 comm="runscript.sh" |
| 23 |
> name="resolv.conf" dev=hda3 ino=1556987 |
| 24 |
> scontext=system_u:system_r:initrc_t |
| 25 |
> tcontext=system_u:object_r:net_conf_t tclass=file |
| 26 |
> |
| 27 |
> Mar 13 06:39:09 [kernel] audit(1173782339.850:58): avc: |
| 28 |
> denied { setattr } for pid=2989 comm="chmod" |
| 29 |
> name="resolv.conf" dev=hda3 ino=1556987 |
| 30 |
> scontext=system_u:system_r:initrc_t |
| 31 |
> tcontext=system_u:object_r:net_conf_t tclass=file |
| 32 |
> |
| 33 |
> Mar 13 06:39:09 [kernel] audit(1173782348.950:59): avc: |
| 34 |
> denied { ptrace } for pid=4000 comm="pidof" |
| 35 |
> scontext=system_u:system_r:initrc_t |
| 36 |
> tcontext=system_u:system_r:init_t tclass=process |
| 37 |
> |
| 38 |
> Mar 13 06:39:09 [kernel] audit(1173782348.950:60): avc: |
| 39 |
> denied { ptrace } for pid=4000 comm="pidof" |
| 40 |
> scontext=system_u:system_r:initrc_t |
| 41 |
> tcontext=system_u:system_r:kernel_t tclass=process |
| 42 |
> |
| 43 |
> Obviously, I can get rid of these by adding rules like this: |
| 44 |
> |
| 45 |
> allow initrc_t init_t:process ptrace; |
| 46 |
> allow initrc_t kernel_t:process ptrace; |
| 47 |
> allow initrc_t net_conf_t:file { setattr write }; |
| 48 |
> |
| 49 |
> My question is more theoretical, that is, is there a reason |
| 50 |
> why those rules aren't *already* there? |
| 51 |
|
| 52 |
I can't really make general statements about this. It depends on many |
| 53 |
factors. Sometimes its a due to a new feature of a package that the |
| 54 |
policy does not yet account for. Sometimes checks are added/changed. |
| 55 |
Sometimes its simply a feature or error path that hasn't been covered |
| 56 |
yet. The pidof ptrace denials are an example of a check being added. |
| 57 |
|
| 58 |
> Is it normal to have to tweak the policy files right out of the box, |
| 59 |
> or after installing a new ebuild, and I should feel "ok" with doing |
| 60 |
> it? |
| 61 |
|
| 62 |
The hope is that it should work out of the box. Since its impossible |
| 63 |
for us to anticipate all possible conditions or maybe non-standard file |
| 64 |
locations, a couple may pop up. |
| 65 |
|
| 66 |
> Or does it point to a bigger problem with my install that I messed up |
| 67 |
> and need to fix? |
| 68 |
|
| 69 |
If those are the only denials you are receiving, I'd say you're in |
| 70 |
pretty good shape. |
| 71 |
|
| 72 |
I suspect that the ptrace denials can be dontaudited, i.e. |
| 73 |
|
| 74 |
dontaudit initrc_t init_t:process ptrace; |
| 75 |
dontaudit initrc_t kernel_t:process ptrace; |
| 76 |
|
| 77 |
It would be nice to find out more specifically what is going on with the |
| 78 |
other two denials, but I suspect that it will be ok to allow. I use |
| 79 |
dhcpcd on my server, but don't see this problem. |
| 80 |
|
| 81 |
-- |
| 82 |
Chris PeBenito |
| 83 |
<pebenito@g.o> |
| 84 |
Developer, |
| 85 |
Hardened Gentoo Linux |
| 86 |
|
| 87 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 88 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives