Gentoo Archives: gentoo-hardened

From: Michael Metsger <themixa@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Problem with SELinux policy
Date: Fri, 29 Feb 2008 15:20:51
Message-Id: 621c17e70802290712sb216bfbt684ff194be9988da@mail.gmail.com
I'm trying to use "selinux/2007.0/hardened/amd64" to make
gentoo-hardened with SELinux. I started from
stage3-amd64-hardened-multilib-2007.0. After updating, switching to the new
profile and updating again, booting the SELinux kernel and relabeling, I got a
working system with many "avc: denied" messages. Some of them I
solved.
At this point I don't know how to solve these "avc: denied" messages correctly:

audit(1204309161.976:3): avc: denied { write } for pid=1062
comm="bash" name="null" dev=tmpfs ino=1312
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309162.296:4): avc: denied { read } for pid=1070
comm="write_root_link" name="console" dev=tmpfs ino=1306
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309162.436:5): avc: denied { execute } for pid=1117
comm="udevd" name="usb_id" dev=sda5 ino=117936
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t
tclass=file
audit(1204309162.448:6): avc: denied { execute_no_trans } for
pid=1117 comm="udevd" path="/lib64/udev/usb_id" dev=sda5 ino=117936
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t
tclass=file
audit(1204309162.640:7): avc: denied { read } for pid=1178
comm="modprobe" path="/dev/console" dev=tmpfs ino=1306
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309162.640:8): avc: denied { write } for pid=1178
comm="modprobe" path="/dev/null" dev=tmpfs ino=1312
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309162.708:9): avc: denied { getattr } for pid=1178
comm="modprobe" path="/dev/null" dev=tmpfs ino=1312
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309162.900:10): avc: denied { getattr } for pid=1157
comm="modprobe.sh" path="/etc/modprobe.conf" dev=sda5 ino=749327
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:modules_conf_t tclass=file
audit(1204309162.900:11): avc: denied { read } for pid=1526
comm="grep" name="modprobe.conf" dev=sda5 ino=749327
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:modules_conf_t tclass=file
audit(1204309163.008:12): avc: denied { sys_nice } for pid=1592
comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t
tcontext=system_u:system_r:insmod_t tclass=capability
audit(1204309163.008:13): avc: denied { setsched } for pid=1592
comm="modprobe" scontext=system_u:system_r:insmod_t
tcontext=system_u:system_r:kernel_t tclass=process

Can anybody help me or give advice?
--
gentoo-hardened@l.g.o mailing list
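An added example, not part of the post and not Gentoo's or the reference policy's own tooling: a small Python triage script that re-joins the line-wrapped AVC records quoted above, groups them by (source type, target type, object class) into candidate allow rules in the form audit2allow prints them, and separately flags denials whose target still carries the generic device_t type. The sample records are copied from the post; the function names, the GENERIC_TARGETS set and the treatment of device_t as a sign of a missed relabel (in the reference policy /dev/null is null_device_t and /dev/console is console_device_t, so device_t on them means the tmpfs /dev was not relabeled) are my own assumptions.

```python
import re
from collections import defaultdict

# Five of the AVC records quoted from the post above, wrapped exactly as the
# mail shows them, so the parser has to re-join continuation lines.
SAMPLE = """\
audit(1204309161.976:3): avc: denied { write } for pid=1062
comm="bash" name="null" dev=tmpfs ino=1312
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309162.436:5): avc: denied { execute } for pid=1117
comm="udevd" name="usb_id" dev=sda5 ino=117936
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t
tclass=file
audit(1204309162.448:6): avc: denied { execute_no_trans } for
pid=1117 comm="udevd" path="/lib64/udev/usb_id" dev=sda5 ino=117936
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t
tclass=file
audit(1204309162.640:7): avc: denied { read } for pid=1178
comm="modprobe" path="/dev/console" dev=tmpfs ino=1306
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:device_t tclass=chr_file
audit(1204309163.008:12): avc: denied { sys_nice } for pid=1592
comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t
tcontext=system_u:system_r:insmod_t tclass=capability
"""

RECORD_START = re.compile(r"^audit\(")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a denial against this generic /dev fallback type means the node
# was never relabeled (/dev/null should be null_device_t), so an allow rule
# would paper over a labeling problem instead of fixing it.
GENERIC_TARGETS = {"device_t"}


def join_records(text):
    """Re-join wrapped records; every record starts with 'audit('."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(text):
    """One dict per denial: the key=value fields plus a 'perms' set."""
    denials = []
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
            continue
        fields["perms"] = set(m.group("perms").split())
        denials.append(fields)
    return denials


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def summarize(denials):
    """Group by (source type, target type, class), unioning the permissions."""
    grouped = defaultdict(set)
    for d in denials:
        src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
        if tgt == src:  # a domain acting on itself is written as 'self'
            tgt = "self"
        grouped[(src, tgt, d["tclass"])] |= d["perms"]
    return dict(grouped)


def allow_rules(denials):
    """Candidate allow rules, formatted the way audit2allow prints them."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(denials).items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


def suspect_labels(denials):
    """(comm, object, target type) for denials against a generic target type."""
    return sorted(
        (d.get("comm", "?"), d.get("path") or d.get("name", "?"), type_of(d["tcontext"]))
        for d in denials
        if type_of(d["tcontext"]) in GENERIC_TARGETS
    )


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE)
    print("\n".join(allow_rules(parsed)))
    for comm, obj, ttype in suspect_labels(parsed):
        print(f"check label of {obj!r} (used by {comm}): still {ttype}")
```

The rules the script prints are candidates, not a fix: for the two device_t denials the first thing to check is `ls -Z /dev/null /dev/console` and, if the labels are wrong, `restorecon -Rv /dev` (or whatever relabels the tmpfs /dev on that init system) before any policy is changed. Only denials whose target label is correct deserve an allow rule, and each such rule should be as narrow as the summary shows.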

Replies

Subject Author
Re: [gentoo-hardened] Problem with SELinux policy Chris PeBenito <pebenito@g.o>