| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Jan, |
| 5 |
|
| 6 |
I've had the same problem. However, I get quite a few dmesg outputs. |
| 7 |
~From what I can tell SELinux caches the avc messages and only prints out |
| 8 |
unique ones. When I reload the policy it clears the cache and the |
| 9 |
messages are printed out again. |
| 10 |
|
| 11 |
I've been adding some policies to domains/misc/local.te to try and get |
| 12 |
it to work. With all the local.te policies removed these are the |
| 13 |
messages I get using these commands |
| 14 |
|
| 15 |
$ dmesg -c |
| 16 |
$ make reload |
| 17 |
$ run_init /etc/init.d/sshd restart |
| 18 |
|
| 19 |
(From remote machine) |
| 20 |
ssh <selinux_host> |
| 21 |
|
| 22 |
This was run in permissive mode so it did allow a log-in. I've added |
| 23 |
|
| 24 |
|
| 25 |
~Michael |
| 26 |
|
| 27 |
|
| 28 |
avc: denied { read } for pid=1215 exe=/usr/bin/checkpolicy |
| 29 |
name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:checkpolicy_t |
| 30 |
tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 31 |
|
| 32 |
avc: denied { read } for pid=1229 exe=/usr/sbin/load_policy |
| 33 |
name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:load_policy_t |
| 34 |
tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 35 |
|
| 36 |
avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy |
| 37 |
scontext=root:sysadm_r:load_policy_t |
| 38 |
tcontext=system_u:object_r:security_t tclass=security |
| 39 |
security: 3 users, 6 roles, 356 types |
| 40 |
security: 30 classes, 21122 rules |
| 41 |
|
| 42 |
avc: denied { append } for pid=839 exe=/usr/sbin/syslog-ng |
| 43 |
path=/dev/tty12 dev=03:47 ino=575428 |
| 44 |
scontext=system_u:system_r:syslogd_t |
| 45 |
tcontext=system_u:object_r:tty_device_t tclass=chr_file |
| 46 |
|
| 47 |
avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom |
| 48 |
dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t |
| 49 |
tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 50 |
|
| 51 |
avc: denied { read write } for pid=1281 exe=/usr/sbin/sshd |
| 52 |
path=/dev/tty1 dev=03:47 ino=575461 scontext=system_u:system_r:sshd_t |
| 53 |
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file |
| 54 |
|
| 55 |
avc: denied { read } for pid=1284 exe=/sbin/insmod name=urandom |
| 56 |
dev=03:47 ino=575343 scontext=system_u:system_r:insmod_t |
| 57 |
tcontext=system_u:object_r:random_device_t tclass=chr_file |
| 58 |
|
| 59 |
avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ptyp0 |
| 60 |
dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t |
| 61 |
tcontext=system_u:object_r:device_t tclass=chr_file |
| 62 |
|
| 63 |
avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ptyp0 |
| 64 |
dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t |
| 65 |
tcontext=system_u:object_r:device_t tclass=chr_file |
| 66 |
|
| 67 |
avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ptyp0 |
| 68 |
dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t |
| 69 |
tcontext=system_u:object_r:device_t tclass=chr_file |
| 70 |
|
| 71 |
avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 72 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 73 |
tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 74 |
|
| 75 |
avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 76 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 77 |
tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 78 |
|
| 79 |
avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 80 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 81 |
tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 82 |
|
| 83 |
avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ttyp0 |
| 84 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 85 |
tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 86 |
|
| 87 |
avc: denied { relabelfrom } for pid=1291 exe=/usr/sbin/sshd |
| 88 |
name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 89 |
tcontext=root:object_r:staff_tty_device_t tclass=chr_file |
| 90 |
|
| 91 |
avc: denied { relabelto } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 92 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 93 |
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 94 |
|
| 95 |
avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 96 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 97 |
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 98 |
|
| 99 |
avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0 |
| 100 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 101 |
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 102 |
|
| 103 |
avc: denied { read write } for pid=1293 exe=/usr/sbin/sshd |
| 104 |
path=/dev/ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 105 |
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 106 |
|
| 107 |
avc: denied { ioctl } for pid=1293 exe=/usr/sbin/sshd path=/dev/ttyp0 |
| 108 |
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t |
| 109 |
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file |
| 110 |
-----BEGIN PGP SIGNATURE----- |
| 111 |
Version: GnuPG v1.2.2 (Cygwin) |
| 112 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 113 |
|
| 114 |
iD8DBQFAOluz4u+TsXnyGiQRAkWzAJ0Z2JcdNcRZUI+QQElPq21Fmn+lGQCfRVtA |
| 115 |
dSLKiB+OtI58/UsrVdSLOUk= |
| 116 |
=XRub |
| 117 |
-----END PGP SIGNATURE----- |
| 118 |
|
| 119 |
-- |
| 120 |
gentoo-hardened@g.o mailing list |
Archives