On Fri, 2008-02-29 at 22:12 +0700, Michael Metsger wrote:
> I'm trying to use "selinux/2007.0/hardened/amd64" to make
> gentoo-hardened with selinux. I started from
> stage3-amd64-hardened-multilib-2007.0. After updating, switching to the new
> profile and updating again, booting the selinux kernel and relabeling, I got
> a working system with many "avc: denied" messages. Some of them I
> solved.
> At this time I don't know how to solve this "avc: denied" correctly:

Did you remerge udev? Most of this is that device nodes in the udev /dev are
mislabeled.

> audit(1204309161.976:3): avc: denied { write } for pid=1062
> comm="bash" name="null" dev=tmpfs ino=1312
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1204309162.296:4): avc: denied { read } for pid=1070
> comm="write_root_link" name="console" dev=tmpfs ino=1306
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1204309162.436:5): avc: denied { execute } for pid=1117
> comm="udevd" name="usb_id" dev=sda5 ino=117936
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t
> tclass=file
> audit(1204309162.448:6): avc: denied { execute_no_trans } for
> pid=1117 comm="udevd" path="/lib64/udev/usb_id" dev=sda5 ino=117936
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t
> tclass=file
> audit(1204309162.640:7): avc: denied { read } for pid=1178
> comm="modprobe" path="/dev/console" dev=tmpfs ino=1306
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1204309162.640:8): avc: denied { write } for pid=1178
> comm="modprobe" path="/dev/null" dev=tmpfs ino=1312
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1204309162.708:9): avc: denied { getattr } for pid=1178
> comm="modprobe" path="/dev/null" dev=tmpfs ino=1312
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1204309162.900:10): avc: denied { getattr } for pid=1157
> comm="modprobe.sh" path="/etc/modprobe.conf" dev=sda5 ino=749327
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:modules_conf_t tclass=file
> audit(1204309162.900:11): avc: denied { read } for pid=1526
> comm="grep" name="modprobe.conf" dev=sda5 ino=749327
> scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:modules_conf_t tclass=file
> audit(1204309163.008:12): avc: denied { sys_nice } for pid=1592
> comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t
> tcontext=system_u:system_r:insmod_t tclass=capability
> audit(1204309163.008:13): avc: denied { setsched } for pid=1592
> comm="modprobe" scontext=system_u:system_r:insmod_t
> tcontext=system_u:system_r:kernel_t tclass=process
>
> Can anybody help me or advise?
-- 
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243