1 |
Hi. |
2 |
|
3 |
Thanks for the tip with ssh. This works really well now. |
4 |
|
5 |
Unfortunately, it is not the only error I got with SELinux. |
6 |
Some files were not correctly labelled (though I don't know how many |
7 |
rlpkg -ar runs were done ...) |
8 |
|
9 |
For example, here is the output of audit2allow. But the most important |
10 |
problem, I think, is the network errors, for example allow |
11 |
kernel_t lo_node_t:node udp_recv. |
12 |
|
13 |
For a full example, I have added the kernel messages |
14 |
(/var/log/kern.log | grep portmap) produced by the portmap daemon. I |
15 |
think that it's a recurring error that is not produced by the daemon |
16 |
but rather by wrong network/kernel labelling or policy. |
17 |
|
18 |
If someone has any clue about this, I would welcome it, as I cannot find |
19 |
any relevant information on the web. |
20 |
|
21 |
Julien. |
22 |
|
23 |
---- audit2allow ---- |
24 |
allow consoletype_t etc_t:file { getattr read }; |
25 |
allow dhcpc_t self:netlink_route_socket nlmsg_write; |
26 |
allow dhcpc_t var_lib_t:file { getattr write }; |
27 |
allow dmesg_t etc_t:file { getattr read }; |
28 |
allow initrc_t device_t:chr_file write; |
29 |
allow initrc_t inaddr_any_node_t:tcp_socket node_bind; |
30 |
allow initrc_t pop_port_t:tcp_socket name_bind; |
31 |
allow initrc_t unspec_node_t:tcp_socket node_bind; |
32 |
allow initrc_t var_lib_t:sock_file { create rename setattr unlink }; |
33 |
allow insmod_t device_t:chr_file { getattr read write }; |
34 |
allow kernel_t lo_node_t:node udp_recv; |
35 |
allow kernel_t netif_t:netif udp_recv; |
36 |
allow kernel_t node_t:node udp_recv; |
37 |
allow kernel_t port_t:udp_socket recv_msg; |
38 |
allow kernel_t portmap_port_t:udp_socket recv_msg; |
39 |
allow mount_t inaddr_any_node_t:tcp_socket node_bind; |
40 |
allow mount_t inaddr_any_node_t:udp_socket node_bind; |
41 |
allow mount_t self:capability net_bind_service; |
42 |
allow mount_t reserved_port_t:udp_socket { name_bind recv_msg }; |
43 |
allow mount_t user_home_dir_t:dir mounton; |
44 |
allow udev_t lib_t:file { execute execute_no_trans }; |
45 |
|
46 |
---- kern.log for portmap ---- |
47 |
Aug 1 11:51:50 mv2 EXT3-fs: mounted filesystem with ordered data mode. |
48 |
Aug 1 11:52:19 mv2 audit(1185961939.858:23): avc: denied { |
49 |
node_bind } for pid=4735 comm="mount" |
50 |
scontext=system_u:system_r:mount_t |
51 |
tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket |
52 |
Aug 1 11:52:19 mv2 audit(1185961939.954:24): avc: denied { |
53 |
name_bind } for pid=4735 comm="mount" src=671 |
54 |
scontext=system_u:system_r:mount_t |
55 |
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket |
56 |
Aug 1 11:52:19 mv2 audit(1185961939.954:25): avc: denied { |
57 |
node_bind } for pid=4735 comm="mount" src=671 |
58 |
scontext=system_u:system_r:mount_t |
59 |
tcontext=system_u:object_r:inaddr_any_node_t tclass=udp_socket |
60 |
Aug 1 11:52:19 mv2 audit(1185961939.958:26): avc: denied { |
61 |
net_bind_service } for pid=4735 comm="mount" capability=10 |
62 |
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t |
63 |
tclass=capability |
64 |
Aug 1 11:52:20 mv2 audit(1185961940.026:27): avc: denied { recv_msg |
65 |
} for saddr=10.133.14.1 src=838 daddr=10.133.14.12 dest=671 |
66 |
netif=lanhost scontext=system_u:system_r:mount_t |
67 |
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket |
68 |
Aug 1 11:52:20 mv2 audit(1185961940.042:28): avc: denied { mounton |
69 |
} for pid=4735 comm="mount" name="nfs" dev=sda3 ino=410427 |
70 |
scontext=system_u:system_r:mount_t |
71 |
tcontext=root:object_r:user_home_dir_t tclass=dir |
72 |
Aug 1 11:52:20 mv2 audit(1185961940.110:29): avc: denied { udp_recv |
73 |
} for pid=4735 comm="mount" saddr=10.133.14.1 src=2049 |
74 |
daddr=10.133.14.12 dest=824 netif=lanhost |
75 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_t |
76 |
tclass=netif |
77 |
Aug 1 11:52:20 mv2 audit(1185961940.110:30): avc: denied { udp_recv |
78 |
} for pid=4735 comm="mount" saddr=10.133.14.1 src=2049 |
79 |
daddr=10.133.14.12 dest=824 netif=lanhost |
80 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:node_t |
81 |
tclass=node |
82 |
Aug 1 11:52:20 mv2 audit(1185961940.110:31): avc: denied { recv_msg |
83 |
} for pid=4735 comm="mount" saddr=10.133.14.1 src=2049 |
84 |
daddr=10.133.14.12 dest=824 netif=lanhost |
85 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:port_t |
86 |
tclass=udp_socket |
87 |
|
88 |
-- |
89 |
gentoo-hardened@g.o mailing list |