Jan,

I've had the same problem. However, I get quite a few dmesg outputs.
From what I can tell SELinux caches the avc messages and only prints out
unique ones. When I reload the policy it clears the cache and the
messages are printed out again.

I've been adding some policies to domains/misc/local.te to try and get
it to work. With all the local.te policies removed these are the
messages I get using these commands:

$ dmesg -c
$ make reload
$ run_init /etc/init.d/sshd restart

(From remote machine)
ssh <selinux_host>

This was run in permissive mode so it did allow a log-in. I've added


Michael


avc: denied { read } for pid=1215 exe=/usr/bin/checkpolicy
name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:checkpolicy_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read } for pid=1229 exe=/usr/sbin/load_policy
name=urandom dev=03:47 ino=575343 scontext=root:sysadm_r:load_policy_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: granted { load_policy } for pid=1229 exe=/usr/sbin/load_policy
scontext=root:sysadm_r:load_policy_t
tcontext=system_u:object_r:security_t tclass=security
security: 3 users, 6 roles, 356 types
security: 30 classes, 21122 rules

avc: denied { append } for pid=839 exe=/usr/sbin/syslog-ng
path=/dev/tty12 dev=03:47 ino=575428
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { read } for pid=1232 exe=/usr/sbin/run_init name=urandom
dev=03:47 ino=575343 scontext=root:sysadm_r:run_init_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read write } for pid=1281 exe=/usr/sbin/sshd
path=/dev/tty1 dev=03:47 ino=575461 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file

avc: denied { read } for pid=1284 exe=/sbin/insmod name=urandom
dev=03:47 ino=575343 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:random_device_t tclass=chr_file

avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ptyp0
dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
tcontext=system_u:object_r:device_t tclass=chr_file

avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ptyp0
dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
tcontext=system_u:object_r:device_t tclass=chr_file

avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ptyp0
dev=03:47 ino=575701 scontext=system_u:system_r:sshd_t
tcontext=system_u:object_r:device_t tclass=chr_file

avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:staff_tty_device_t tclass=chr_file

avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:staff_tty_device_t tclass=chr_file

avc: denied { read write } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:staff_tty_device_t tclass=chr_file

avc: denied { ioctl } for pid=1291 exe=/usr/sbin/sshd path=/dev/ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:staff_tty_device_t tclass=chr_file

avc: denied { relabelfrom } for pid=1291 exe=/usr/sbin/sshd
name=ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=root:object_r:staff_tty_device_t tclass=chr_file

avc: denied { relabelto } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file

avc: denied { getattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file

avc: denied { setattr } for pid=1291 exe=/usr/sbin/sshd name=ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file

avc: denied { read write } for pid=1293 exe=/usr/sbin/sshd
path=/dev/ttyp0 dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file

avc: denied { ioctl } for pid=1293 exe=/usr/sbin/sshd path=/dev/ttyp0
dev=03:47 ino=575939 scontext=system_u:system_r:sshd_t
tcontext=user_u:object_r:user_tty_device_t tclass=chr_file

--
gentoo-hardened@g.o mailing list