Gentoo Archives: gentoo-hardened

From: Petre Rodan <kaiowas@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] selinux and aselayout2 ,selinux and games(games_exec_t)
Date: Sun, 10 Jun 2007 16:03:40
Message-Id: 20070610160125.GA30270@peter.simplex.ro
In Reply to: [gentoo-hardened] selinux and aselayout2 ,selinux and games(games_exec_t) by GNUtoo@no-log.org
Hi,

On Sun, Jun 10, 2007 at 05:13:29PM +0200, GNUtoo@××××××.org wrote:
> hello i just installed selinux and read the manual...i have some questions
> about selinux:
> *are there any tools compatible with the 2006.1 profile in portage that can
> make security policies for applications such as tremulous and nexuiz, i
> searched a bit on the net and i found a solution:
> http://www.nsa.gov/selinux/list-archive/0702/19543.cfm
> using runcon to change the context in which the games are run but it
> seems that it's not supported yet:
> # runcon -c -u system_u -r object_r -t games_exec_t ./nexuiz
> system_u:object_r:games_exec_t is not a valid context

because selinux-games does not exist yet. see my other mail for details on how to fix this.

> *how do i make boot possible with the enforcement mode on? i have some denials:
> audit(1181367493.741:3): avc: denied { read write } for pid=1231
> comm="hotplug" name="tty" dev=md3 ino=20710227
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1181367495.241:4): avc: denied { read write } for pid=1267
> comm="mount" name="console" dev=md3 ino=20709389
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1181367495.241:5): avc: denied { read write } for pid=1286
> comm="restorecon" name="console" dev=md3 ino=20709389
> scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1181367501.240:6): avc: denied { read write } for pid=3414
> comm="dmsetup" name="console" dev=md3 ino=20709389
> scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t
> tclass=chr_file

your (underlying) /dev was not labeled. this has been covered not so long ago on this list.
I recommend a static dev.


> audit(1181367501.240:7): avc: denied { mounton } for pid=3428
> comm="mount" name="tmp" dev=md3 ino=6668330
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t
> tclass=dir

not sure what you try to mount here

> audit(1181360304.943:8): avc: denied { getattr } for pid=3496
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:9): avc: denied { execute } for pid=3497
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:10): avc: denied { execute_no_trans } for pid=3497
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360304.943:11): avc: denied { read } for pid=3497
> comm="update-modules" name="rc" dev=md3 ino=19466647
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:initrc_exec_t tclass=file
> audit(1181360306.943:12): avc: denied { read } for pid=3495
> comm="update-modules" name="build" dev=md3 ino=7575114
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:modules_object_t tclass=lnk_file
> audit(1181360306.943:13): avc: denied { read } for pid=7144
> comm="update-modules" name="linux-2.6.21-rt2" dev=md3 ino=2539665
> scontext=system_u:system_r:update_modules_t
> tcontext=system_u:object_r:src_t tclass=dir

no servers here needing modules, sorry.


bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
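The diagnosis Petre makes above (the hotplug/mount/restorecon/dmsetup denials all have tcontext `file_t`, the type SELinux assigns to files that carry no label, so the underlying /dev was never labeled) can be automated. The following is an added example, not code from the thread or from Gentoo: a small parser for the old-style `audit(...): avc: denied` lines quoted in the mail, which splits each denial into its fields and sorts it into "unlabeled object, relabel the filesystem" versus "policy does not allow this, needs a policy decision". The sample input is the thread's own denials, re-joined onto one line each because the archive wrapped them; the `diagnose` heuristic and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the denials quoted in the mail, each re-joined
# onto a single line (the list archive wrapped them across several lines).
SAMPLE_AVC_LINES = """\
audit(1181367493.741:3): avc: denied { read write } for pid=1231 comm="hotplug" name="tty" dev=md3 ino=20710227 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367495.241:4): avc: denied { read write } for pid=1267 comm="mount" name="console" dev=md3 ino=20709389 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1181367501.240:7): avc: denied { mounton } for pid=3428 comm="mount" name="tmp" dev=md3 ino=6668330 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
audit(1181360304.943:9): avc: denied { execute } for pid=3497 comm="update-modules" name="rc" dev=md3 ino=19466647 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:initrc_exec_t tclass=file
"""

# Header of a 2.6-era AVC message: audit(<ts>:<serial>): avc: denied { perms } for <key=value ...>
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}'
    r'\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'serial': int(m.group('serial')), 'perms': m.group('perms').split()}
    rec.update(fields)
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def diagnose(rec):
    """Heuristic (this example's own): file_t on the target means the object
    carries no SELinux label at all, i.e. the filesystem holding it was never
    labeled, so relabeling fixes it; any other target type is a real policy
    decision (the source domain is not allowed that access by the loaded policy)."""
    if rec['ttype'] == 'file_t':
        return 'unlabeled'
    return 'policy'


def summarize(text):
    """Group denials by diagnosis: {diagnosis: [(comm, name, tclass, perms), ...]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        groups[diagnose(rec)].append(
            (rec['comm'], rec['name'], rec['tclass'], ' '.join(rec['perms']))
        )
    return dict(groups)


if __name__ == '__main__':
    for kind, entries in summarize(SAMPLE_AVC_LINES).items():
        print(f'== {kind} ==')
        for comm, name, tclass, perms in entries:
            print(f'  {comm} -> {name} ({tclass}): {perms}')
```

Run against the sample it puts hotplug and mount on /dev/tty and /dev/console under "unlabeled", matching the reply's verdict that /dev needs labeling, while the `mounton` of a `lib_t` directory and the `update-modules` execution of an `initrc_exec_t` file land under "policy", which is exactly the split the reply makes in prose (one is a relabel job, the others need a policy answer).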
