Gentoo Archives: gentoo-hardened

From: Torsten Krah <Neo_0815@×××.net>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] heavy problems installing SELinux on new system
Date: Tue, 10 Aug 2004 00:05:39
Message-Id: 1092096299.5314.50.camel@www.gentoo-fundgrube.info
Hello.

I want to set up a new test server using Gentoo's hardened project
including SELinux, trying it the first time so I am a n00b ;) at this
topic, hope u can help me.

I read the basics about it and tried out the installation howto at:

http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-install.xml

In favour of stability I am using the selinux-2.4.26-r2 sources instead
of 2.6.x kernels, using policy version 15.
I configured the kernel and it compiles fine. XFS support including security
labels is working.

I installed the base system up to the end, chroot_relabeled all and
rebooted.

Now the first error happened - it boots, but many avc errors appeared
and I don't get a login after the last service has started ... without
login, no chance to do anything.

Luckily I can boot from network, so I configured the system to start the sshd
daemon.

So I relabeled the system again like the guide said and rebooted a second time, all
errors still exist - however policy making/loading and relabeling
execute fine without errors.

Login via ssh works fine - dmesg output shows some errors - it's still a
basic installation, nothing changed, and so I thought it should work
without any modifications for user root ... still it doesn't and I don't
know what to look for or what's wrong.

Well, there's another problem.

The command "ls -Z" dumps very often with "segmentation fault",
especially if I am doing it in "/selinux" or at "/dev" or in "/" for
example, perhaps also at other positions - suggestions?

dmesg output shows this after reboot (only relevant infos):

#############################################################################################

security: 3 users, 5 roles, 378 types
security: 31 classes, 23076 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev 03:01, type xfs), uses xattr
SELinux: initialized (dev 00:07, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev 00:06, type devpts), uses transition SIDs
SELinux: initialized (dev 00:05, type pipefs), uses task SIDs
SELinux: initialized (dev 00:04, type tmpfs), uses transition SIDs
SELinux: initialized (dev 00:03, type sockfs), uses task SIDs
SELinux: initialized (dev 00:02, type proc), uses genfs_contexts
SELinux: initialized (dev 00:01, type bdev), uses genfs_contexts
SELinux: initialized (dev 00:00, type rootfs), uses genfs_contexts

avc: denied { search } for pid=280 exe=/bin/bash name=run dev=03:01
ino=639641 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:var_run_t tclass=dir
eth0: no IPv6 routers present

avc: denied { search } for pid=280 exe=/bin/bash name=src dev=03:01
ino=1888663 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:src_t tclass=dir

avc: denied { read } for pid=280 exe=/bin/bash name=linux dev=03:01
ino=1888665 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:src_t tclass=lnk_file
SELinux: initialized (dev 00:08, type tmpfs), uses transition SIDs

avc: denied { read } for pid=711 exe=/sbin/hwclock name=ld.so.cache
dev=03:01 ino=1156263 scontext=system_u:system_r:hwclock_t
tcontext=root:object_r:etc_t tclass=file

avc: denied { getattr } for pid=711 exe=/sbin/hwclock
name=ld.so.cache dev=03:01 ino=1156263
scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t
tclass=file
Real Time Clock Driver v1.10f

avc: denied { name_bind } for pid=2951 exe=/sbin/portmap port=1007
scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:port_t
tclass=udp_socket

avc: denied { name_bind } for pid=2951 exe=/sbin/portmap port=1008
scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:port_t
tclass=tcp_socket

avc: denied { create } for pid=2951 exe=/sbin/portmap
scontext=system_u:system_r:portmap_t
tcontext=system_u:system_r:portmap_t tclass=unix_stream_socket

avc: denied { connect } for pid=2951 exe=/sbin/portmap
scontext=system_u:system_r:portmap_t
tcontext=system_u:system_r:portmap_t tclass=unix_stream_socket

avc: denied { name_bind } for pid=3159 exe=/sbin/rpc.statd port=791
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t
tclass=udp_socket

avc: denied { read write } for pid=3159 exe=/sbin/rpc.statd
name=state dev=03:01 ino=668844 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=file

avc: denied { read } for pid=3159 exe=/sbin/rpc.statd name=sm
dev=03:01 ino=668842 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=dir

avc: denied { create } for pid=3159 exe=/sbin/rpc.statd
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket
avc: denied { setopt } for pid=3159 exe=/sbin/rpc.statd
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket
avc: denied { bind } for pid=3159 exe=/sbin/rpc.statd
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket

avc: denied { name_bind } for pid=3159 exe=/sbin/rpc.statd port=797
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t
tclass=tcp_socket

avc: denied { listen } for pid=3159 exe=/sbin/rpc.statd lport=32768
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket

avc: denied { lock } for pid=3302 exe=/usr/sbin/rpc.mountd
path=/var/lib/nfs/etab dev=03:01 ino=668840
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=file

avc: denied { write } for pid=3302 exe=/usr/sbin/rpc.mountd name=nfs
dev=03:01 ino=668838 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=dir
avc: denied { add_name } for pid=3302 exe=/usr/sbin/rpc.mountd
name=xtab.tmp scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=dir

avc: denied { create } for pid=3302 exe=/usr/sbin/rpc.mountd
name=xtab.tmp scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=file

avc: denied { remove_name } for pid=3302 exe=/usr/sbin/rpc.mountd
name=xtab.tmp dev=03:01 ino=668851 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=dir

avc: denied { unlink } for pid=3302 exe=/usr/sbin/rpc.mountd
name=xtab.tmp dev=03:01 ino=668851 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=file

avc: denied { append } for pid=3578 exe=/usr/sbin/syslog-ng
name=tty12 dev=03:01 ino=1058672 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { setattr } for pid=3578 exe=/usr/sbin/syslog-ng
name=tty12 dev=03:01 ino=1058672 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { append } for pid=3578 exe=/usr/sbin/syslog-ng
path=/dev/tty12 dev=03:01 ino=1058672
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file

avc: denied { read } for pid=3817 exe=/sbin/agetty name=resolv.conf
dev=03:01 ino=1059627 scontext=system_u:system_r:getty_t
tcontext=system_u:object_r:net_conf_t tclass=file

avc: denied { getattr } for pid=3817 exe=/sbin/agetty
name=resolv.conf dev=03:01 ino=1059627
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:net_conf_t
tclass=file

avc: denied { write } for pid=3830 exe=/bin/bash name=root dev=03:01
ino=1311495 scontext=root:staff_r:staff_t
tcontext=root:object_r:sysadm_home_dir_t tclass=dir

avc: denied { add_name } for pid=3830 exe=/bin/bash name=dmesg.out
scontext=root:staff_r:staff_t tcontext=root:object_r:sysadm_home_dir_t
tclass=dir

avc: denied { create } for pid=3830 exe=/bin/bash name=dmesg.out
scontext=root:staff_r:staff_t tcontext=root:object_r:sysadm_home_dir_t
tclass=file

avc: denied { getattr } for pid=3830 exe=/bin/dmesg name=dmesg.out
dev=03:01 ino=1398031 scontext=root:staff_r:staff_t
tcontext=root:object_r:sysadm_home_dir_t tclass=file

avc: denied { write } for pid=3830 exe=/bin/dmesg
path=/root/dmesg.out dev=03:01 ino=1398031 scontext=root:staff_r:staff_t
tcontext=root:object_r:sysadm_home_dir_t tclass=file


#############################################################################################

syslog-ng and portmap policies are installed. I don't have any idea why it
doesn't work like expected, I can't do a local login, bad for searching for
errors because network boot / ssh is not available all the time, I am
going to read more stuff about it - but I hope u can help me and can
give me some hints or advice where to look for mistakes.


best regards


Torsten Krah


--
gentoo-hardened@g.o mailing list
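The AVC denials quoted in the mail are the main diagnostic material, and reading them one by one in a wrapped dmesg dump is slow. The triage helper below is an added example, not code from the original mail or from the Gentoo hardened project: it rejoins the archive-wrapped lines into whole records, parses each `avc: denied` entry into its fields, and groups denials by source type, target type and object class with the permissions merged, which is the same collapsing that audit2allow performs before proposing rules. It also lists executables whose source domain is still initrc_t, meaning the init script never transitioned them into a daemon-specific domain, so their accesses are judged against initrc_t's rules rather than a policy written for that daemon. The sample input is constructed from a subset of the denials above, and the function names are this example's own.

```python
# Added example (not from the original mail or the Gentoo project): triage
# helper for the AVC denials that dmesg prints. The sample is constructed
# from the denials quoted in the mail, keeping the archive's line wrapping.
import re
from collections import defaultdict

KV_TOKEN = re.compile(r"^\w+=\S+$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")

SAMPLE_DMESG = """\
avc: denied { search } for pid=280 exe=/bin/bash name=run dev=03:01
ino=639641 scontext=system_u:system_r:update_modules_t
tcontext=system_u:object_r:var_run_t tclass=dir
eth0: no IPv6 routers present

avc: denied { read } for pid=711 exe=/sbin/hwclock name=ld.so.cache
dev=03:01 ino=1156263 scontext=system_u:system_r:hwclock_t
tcontext=root:object_r:etc_t tclass=file

avc: denied { getattr } for pid=711 exe=/sbin/hwclock
name=ld.so.cache dev=03:01 ino=1156263
scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t
tclass=file

avc: denied { name_bind } for pid=3159 exe=/sbin/rpc.statd port=791
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t
tclass=udp_socket

avc: denied { read write } for pid=3159 exe=/sbin/rpc.statd
name=state dev=03:01 ino=668844 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=file

avc: denied { write } for pid=3302 exe=/usr/sbin/rpc.mountd name=nfs
dev=03:01 ino=668838 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_lib_nfs_t tclass=dir

avc: denied { write } for pid=3830 exe=/bin/bash name=root dev=03:01
ino=1311495 scontext=root:staff_r:staff_t
tcontext=root:object_r:sysadm_home_dir_t tclass=dir
"""


def unwrap(text):
    """Rejoin wrapped records: a line made only of key=value tokens
    continues the previous line; anything else starts a new message."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if out and all(KV_TOKEN.match(t) for t in tokens):
            out[-1] += " " + " ".join(tokens)
        else:
            out.append(" ".join(tokens))
    return out


def parse_avc(text):
    """One dict per denial: 'perms' (a set) plus every key=value field."""
    records = []
    for line in unwrap(text):
        m = AVC_RE.search(line)
        if not m:
            continue  # ordinary kernel message, not a denial
        rec = {"perms": set(m.group(1).split())}
        for tok in m.group(2).split():
            key, _, value = tok.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def type_of(context):
    """user:role:type -> type, the part that allow rules are written against."""
    return context.split(":")[2]


def summarize(records):
    """Group by (source type, target type, class) and merge the permissions,
    the same collapsing audit2allow does before proposing allow rules."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set(), "count": 0})
    for rec in records:
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["exes"].add(rec.get("exe", "?"))
        g["count"] += 1
    return dict(groups)


def untransitioned_daemons(records):
    """Executables still running as initrc_t: the init script never
    transitioned them into a daemon domain, so initrc_t's rules apply."""
    return sorted({r["exe"] for r in records if type_of(r["scontext"]) == "initrc_t"})


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_DMESG)
    for (s, t, c), g in sorted(summarize(recs).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{g['count']}x {s} -> {t} ({c}) {{ {' '.join(sorted(g['perms']))} }}")
    print("still in initrc_t:", ", ".join(untransitioned_daemons(recs)))
```

Run against a real dump, feed `dmesg` output (or the saved dmesg.out) to `parse_avc` instead of the constructed sample. The grouped view makes the two questions a reviewer asks of such a log easy to answer: which source domains produce the bulk of the denials, and which daemons are not in a domain of their own at all.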