As a follow-up to my initial message (thanks to everyone for the replies)...

I realized that hotplug had been obsoleted by udev and unmerged both
sys-apps/hotplug and sys-apps/hotplug-base. That got rid of the
default.hotplug denials, but I was still getting the denials on /dev
nodes labeled as file_t.

Per Joern's comment I looked at the static /dev by doing the following:

# mkdir /mnt/rawroot
# mount --bind / /mnt/rawroot
# cd /mnt/rawroot/dev

That showed me that indeed there were a mess of static nodes lying
around in there with a file_t context. I used setfilecon to manually
relabel the crucial ones such as console, tty0 and null. I'm still
getting some denials on startup, but now they are real policy tweaks
that need to happen.

Bill Sharer wrote:
> I'm on the 2006.1 unstable profile for selinux and think I may have a
> race condition that results in avc denials before selinux has finished
> labeling things like /dev. For example, the first denial below appears
> to be where /etc/hotplug.d/default/default.hotplug is peeking and
> poking around with /dev/null. The denial has it as a
> system_u:object_r:file_t, but when I look at it from a running system
> I see it as a system_u:object_r:null_device_t. Should I be messing
> around in /etc/runlevels/boot to put dependencies in various scripts
> (although selinux isn't a script so how would I make it a dependency?)
>
> snippet from a dmesg:
>
> security: 5 users, 5 roles, 1376 types, 81 bools
> security: 59 classes, 61906 rules
> security: class dccp_socket not defined in policy
> security: permission dccp_recv in class node not defined in policy
> security: permission dccp_send in class node not defined in policy
> security: permission dccp_recv in class netif not defined in policy
> security: permission dccp_send in class netif not defined in policy
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev sda5, type ext3), uses xattr
> inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for
> dev=sda5 ino=1938273
> audit(1182137416.171:2): avc: denied { ioctl } for pid=884
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.203:3): avc: denied { read } for pid=889
> comm="env" name="urandom" dev=sda5 ino=732962
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.204:4): avc: denied { read } for pid=884
> comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t
> tclass=file
> audit(1182137416.206:5): avc: denied { search } for pid=884
> comm="default.hotplug" name="var" dev=sda5 ino=1254177
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t
> tclass=dir
> audit(1182137416.221:6): avc: denied { search } for pid=884
> comm="default.hotplug" name="log" dev=sda5 ino=1255669
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:var_log_t tclass=dir
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1182137416.259:7): policy loaded auid=4294967295
> audit(1182137416.261:8): avc: denied { read write } for pid=1
> comm="init" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.275:9): avc: denied { ioctl } for pid=1
> comm="init" name="tty0" dev=sda5 ino=735467
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.277:10): avc: denied { read } for pid=891
> comm="hotplug" name="urandom" dev=sda5 ino=732962
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.279:11): avc: denied { write } for pid=891
> comm="hotplug" name="tty" dev=sda5 ino=734192
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.296:12): avc: denied { ioctl } for pid=893
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.758:13): avc: denied { read write } for pid=970
> comm="rc" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.033:14): avc: denied { read write } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.034:15): avc: denied { search } for pid=994
> comm="consoletype" name="dev" dev=sda5 ino=732961
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=dir
> audit(1182137417.034:16): avc: denied { getattr } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.035:17): avc: denied { ioctl } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.082:18): avc: denied { ioctl } for pid=997
> comm="stty" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.172:19): avc: denied { getattr } for pid=970
> comm="bash" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.196:20): avc: denied { read write } for pid=1001
> comm="dmesg" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.220:21): avc: denied { read write } for pid=1004
> comm="mount" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1182137417.478:22): avc: denied { read write } for pid=1038
> comm="restorecon" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.716:23): avc: denied { write } for pid=1042
> comm="bash" name="null" dev=tmpfs ino=2106
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1182137417.875:24): avc: denied { read write } for pid=1062
> comm="udevd" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137418.770:25): avc: denied { read } for pid=1194
> comm="modprobe" name="console" dev=tmpfs ino=2100
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1182137424.374:26): avc: denied { getattr } for pid=2059
> comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t
> tcontext=root:object_r:modules_conf_t tclass=file
> audit(1182137424.376:27): avc: denied { read } for pid=2112
> comm="grep" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t
> tcontext=root:object_r:modules_conf_t tclass=file

--
gentoo-hardened@g.o mailing list
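The triage the reply above does by eye (read the AVC denials, pick out the device nodes that are still file_t, relabel them on the bind-mounted static /dev) can be scripted. The following is an added example for this thread, not the poster's script or anything from Gentoo: it parses "avc: denied" records as they appear in dmesg, keeps the ones whose target is a char or block device node still carrying a generic label, and prints the relabel commands to run under /mnt/rawroot. Assumptions: the sample lines are the quoted denials re-joined onto one line each (the archive wrapped them); the EXPECTED_TYPES map of refpolicy device types is mine and only null_device_t is confirmed by the thread; chcon is used where the poster used setfilecon.

```python
"""Triage SELinux AVC denials that point at mislabeled static /dev nodes.

Added example for this thread; it is not the poster's own script. It
parses "avc: denied" records as they appear in dmesg, keeps the ones whose
target is a device node still carrying a generic label (file_t), and
prints the chcon commands to run against the static /dev exposed by the
bind mount of / at /mnt/rawroot described in the reply above.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# ASSUMPTION: refpolicy device types for the common static nodes. The
# thread itself only confirms null_device_t for /dev/null; check the
# others against your policy's file_contexts before relabeling.
EXPECTED_TYPES = {
    "null": "null_device_t",
    "console": "console_device_t",
    "tty0": "tty_device_t",
    "tty": "devtty_t",
    "urandom": "urandom_device_t",
}

# Generic types that mean "nothing has labeled this inode yet".
UNLABELED_TYPES = ("file_t", "unlabeled_t")

# Constructed sample: denials from the quoted dmesg, re-joined onto one line
# each (the mailing-list archive wrapped them), plus one non-AVC line.
SAMPLE_DMESG = """\
audit(1182137416.171:2): avc: denied { ioctl } for pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.034:15): avc: denied { search } for pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1182137417.716:23): avc: denied { write } for pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
""".splitlines()


def parse_avc(line):
    """Return the key=value fields of one AVC record (plus a 'perms' list),
    or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def mislabeled_device_nodes(lines):
    """Group denials whose target is a char/block device node carrying an
    unlabeled type. Key is (name, dev, ino) so the same inode hit from
    several domains collapses to one entry; the value records the offending
    context and the (domain, permission) pairs that were refused.

    Denials against nodes on the udev tmpfs (dev=tmpfs, type device_t)
    are deliberately left out: those nodes are labeled, and the fix for
    them is a policy change, not a relabel. Directory denials are also
    skipped; this only looks at device nodes."""
    hits = defaultdict(lambda: {"tcontext": None, "denied": set()})
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("tclass") not in ("chr_file", "blk_file"):
            continue
        if context_type(rec.get("tcontext", "")) not in UNLABELED_TYPES:
            continue
        key = (rec.get("name"), rec.get("dev"), rec.get("ino"))
        hits[key]["tcontext"] = rec["tcontext"]
        for perm in rec["perms"]:
            hits[key]["denied"].add((context_type(rec["scontext"]), perm))
    return dict(hits)


def relabel_commands(hits, rawroot="/mnt/rawroot"):
    """Render one chcon per mislabeled node, targeting the static /dev
    under the bind mount rather than the live (udev tmpfs) /dev."""
    cmds = []
    for (name, dev, ino), entry in sorted(hits.items(), key=lambda kv: kv[0][0]):
        path = f"{rawroot}/dev/{name}"
        expected = EXPECTED_TYPES.get(name)
        if expected is None:
            cmds.append(f"# {path}: no expected type on file, check file_contexts")
            continue
        cmds.append(f"chcon -t {expected} {path}  # was {entry['tcontext']}, ino {ino} on {dev}")
    return cmds


if __name__ == "__main__":
    for cmd in relabel_commands(mislabeled_device_nodes(SAMPLE_DMESG)):
        print(cmd)
```

Feed it `dmesg` output (or the audit log) and it prints one chcon per static node that init and the early rc scripts tripped over before udev's tmpfs was mounted on top. The hand-written type map is the weak point; a plain `restorecon /mnt/rawroot/dev/null` would not help either, because it matches the spec for the /mnt/rawroot/... path rather than /dev/null, so if you prefer to relabel from policy use `setfiles -r /mnt/rawroot <file_contexts> /mnt/rawroot/dev`, which applies the /dev specs relative to the bind-mounted root. Denials that name dev=tmpfs with a device_t target are a separate matter: those nodes are already labeled, and what remains there is policy work, as the reply says.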