| 1 |
Hi. |
| 2 |
|
| 3 |
Thanks for the tip with ssh. This work really well now. |
| 4 |
|
| 5 |
Unefortunately, it is not the only error I got with SELinux. |
| 6 |
Some files were not correctly labelled (though I don't know how many |
| 7 |
rlpkg -ar were done ...) |
| 8 |
|
| 9 |
For example here is a result of audit2allow. But the most important |
| 10 |
problem, I think, is the networks error with for example allow |
| 11 |
kernel_t lo_node_t:node udp_recv. |
| 12 |
|
| 13 |
For a full example, I have added the kernel messages |
| 14 |
(/var/log/kern.log | grep portmap) produced by the portmap daemon. I |
| 15 |
think that it s a recurrent error that is not produced by the daemon |
| 16 |
but more by a network/kernel wrong labelling/policy. |
| 17 |
|
| 18 |
If someone has any clue about this, I will take it as I cannot find |
| 19 |
any relevant information on the web. |
| 20 |
|
| 21 |
Julien. |
| 22 |
|
| 23 |
--- audit2allow ---- |
| 24 |
allow consoletype_t etc_t:file { getattr read }; |
| 25 |
allow dhcpc_t self:netlink_route_socket nlmsg_write; |
| 26 |
allow dhcpc_t var_lib_t:file { getattr write }; |
| 27 |
allow dmesg_t etc_t:file { getattr read }; |
| 28 |
allow initrc_t device_t:chr_file write; |
| 29 |
allow initrc_t inaddr_any_node_t:tcp_socket node_bind; |
| 30 |
allow initrc_t pop_port_t:tcp_socket name_bind; |
| 31 |
allow initrc_t unspec_node_t:tcp_socket node_bind; |
| 32 |
allow initrc_t var_lib_t:sock_file { create rename setattr unlink }; |
| 33 |
allow insmod_t device_t:chr_file { getattr read write }; |
| 34 |
allow kernel_t lo_node_t:node udp_recv; |
| 35 |
allow kernel_t netif_t:netif udp_recv; |
| 36 |
allow kernel_t node_t:node udp_recv; |
| 37 |
allow kernel_t port_t:udp_socket recv_msg; |
| 38 |
allow kernel_t portmap_port_t:udp_socket recv_msg; |
| 39 |
allow mount_t inaddr_any_node_t:tcp_socket node_bind; |
| 40 |
allow mount_t inaddr_any_node_t:udp_socket node_bind; |
| 41 |
allow mount_t self:capability net_bind_service; |
| 42 |
allow mount_t reserved_port_t:udp_socket { name_bind recv_msg }; |
| 43 |
allow mount_t user_home_dir_t:dir mounton; |
| 44 |
allow udev_t lib_t:file { execute execute_no_trans }; |
| 45 |
|
| 46 |
---- kern.log for portmap ---- |
| 47 |
Aug 1 11:51:50 mv2 EXT3-fs: mounted filesystem with ordered data mode. |
| 48 |
Aug 1 11:52:19 mv2 audit(1185961939.858:23): avc: denied { |
| 49 |
node_bind } for pid=4735 comm="mount" |
| 50 |
scontext=system_u:system_r:mount_t |
| 51 |
tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket |
| 52 |
Aug 1 11:52:19 mv2 audit(1185961939.954:24): avc: denied { |
| 53 |
name_bind } for pid=4735 comm="mount" src=671 |
| 54 |
scontext=system_u:system_r:mount_t |
| 55 |
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket |
| 56 |
Aug 1 11:52:19 mv2 audit(1185961939.954:25): avc: denied { |
| 57 |
node_bind } for pid=4735 comm="mount" src=671 |
| 58 |
scontext=system_u:system_r:mount_t |
| 59 |
tcontext=system_u:object_r:inaddr_any_node_t tclass=udp_socket |
| 60 |
Aug 1 11:52:19 mv2 audit(1185961939.958:26): avc: denied { |
| 61 |
net_bind_service } for pid=4735 comm="mount" capability=10 |
| 62 |
scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t |
| 63 |
tclass=capability |
| 64 |
Aug 1 11:52:20 mv2 audit(1185961940.026:27): avc: denied { recv_msg |
| 65 |
} for saddr=10.133.14.1 src=838 daddr=10.133.14.12 dest=671 |
| 66 |
netif=lanhost scontext=system_u:system_r:mount_t |
| 67 |
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket |
| 68 |
Aug 1 11:52:20 mv2 audit(1185961940.042:28): avc: denied { mounton |
| 69 |
} for pid=4735 comm="mount" name="nfs" dev=sda3 ino=410427 |
| 70 |
scontext=system_u:system_r:mount_t |
| 71 |
tcontext=root:object_r:user_home_dir_t tclass=dir |
| 72 |
Aug 1 11:52:20 mv2 audit(1185961940.110:29): avc: denied { udp_recv |
| 73 |
} for pid=4735 comm="mount" saddr=10.133.14.1 src=2049 |
| 74 |
daddr=10.133.14.12 dest=824 netif=lanhost |
| 75 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_t |
| 76 |
tclass=netif |
| 77 |
Aug 1 11:52:20 mv2 audit(1185961940.110:30): avc: denied { udp_recv |
| 78 |
} for pid=4735 comm="mount" saddr=10.133.14.1 src=2049 |
| 79 |
daddr=10.133.14.12 dest=824 netif=lanhost |
| 80 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:node_t |
| 81 |
tclass=node |
| 82 |
Aug 1 11:52:20 mv2 audit(1185961940.110:31): avc: denied { recv_msg |
| 83 |
} for pid=4735 comm="mount" saddr=10.133.14.1 src=2049 |
| 84 |
daddr=10.133.14.12 dest=824 netif=lanhost |
| 85 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:port_t |
| 86 |
tclass=udp_socket |
| 87 |
|
| 88 |
-- |
| 89 |
gentoo-hardened@g.o mailing list |
Archives