| 1 |
On Fri, 2008-02-29 at 22:12 +0700, Michael Metsger wrote: |
| 2 |
> I'm trying to use "selinux/2007.0/hardened/amd64" to make |
| 3 |
> gentoo-hardened with selinux. I started from |
| 4 |
> stage3-amd64-hardened-multilib-2007.0. After update, switch to new |
| 5 |
> profile and agin update, booting selinux kernel and relabeling I got |
| 6 |
> worked system with many "avc: denied" messages. Some of them I |
| 7 |
> solved. |
| 8 |
> At this time I don't know how to solve this "avc: denied" correct: |
| 9 |
|
| 10 |
Did you remerge udev? Most of this is device nodes in udev /dev are |
| 11 |
mislabeled. |
| 12 |
|
| 13 |
|
| 14 |
> audit(1204309161.976:3): avc: denied { write } for pid=1062 |
| 15 |
> comm="bash" name="null" dev=tmpfs ino=1312 |
| 16 |
> scontext=system_u:system_r:initrc_t |
| 17 |
> tcontext=system_u:object_r:device_t tclass=chr_file |
| 18 |
> audit(1204309162.296:4): avc: denied { read } for pid=1070 |
| 19 |
> comm="write_root_link" name="console" dev=tmpfs ino=1306 |
| 20 |
> scontext=system_u:system_r:initrc_t |
| 21 |
> tcontext=system_u:object_r:device_t tclass=chr_file |
| 22 |
> audit(1204309162.436:5): avc: denied { execute } for pid=1117 |
| 23 |
> comm="udevd" name="usb_id" dev=sda5 ino=117936 |
| 24 |
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t |
| 25 |
> tclass=file |
| 26 |
> audit(1204309162.448:6): avc: denied { execute_no_trans } for |
| 27 |
> pid=1117 comm="udevd" path="/lib64/udev/usb_id" dev=sda5 ino=117936 |
| 28 |
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t |
| 29 |
> tclass=file |
| 30 |
> audit(1204309162.640:7): avc: denied { read } for pid=1178 |
| 31 |
> comm="modprobe" path="/dev/console" dev=tmpfs ino=1306 |
| 32 |
> scontext=system_u:system_r:insmod_t |
| 33 |
> tcontext=system_u:object_r:device_t tclass=chr_file |
| 34 |
> audit(1204309162.640:8): avc: denied { write } for pid=1178 |
| 35 |
> comm="modprobe" path="/dev/null" dev=tmpfs ino=1312 |
| 36 |
> scontext=system_u:system_r:insmod_t |
| 37 |
> tcontext=system_u:object_r:device_t tclass=chr_file |
| 38 |
> audit(1204309162.708:9): avc: denied { getattr } for pid=1178 |
| 39 |
> comm="modprobe" path="/dev/null" dev=tmpfs ino=1312 |
| 40 |
> scontext=system_u:system_r:insmod_t |
| 41 |
> tcontext=system_u:object_r:device_t tclass=chr_file |
| 42 |
> audit(1204309162.900:10): avc: denied { getattr } for pid=1157 |
| 43 |
> comm="modprobe.sh" path="/etc/modprobe.conf" dev=sda5 ino=749327 |
| 44 |
> scontext=system_u:system_r:udev_t |
| 45 |
> tcontext=system_u:object_r:modules_conf_t tclass=file |
| 46 |
> audit(1204309162.900:11): avc: denied { read } for pid=1526 |
| 47 |
> comm="grep" name="modprobe.conf" dev=sda5 ino=749327 |
| 48 |
> scontext=system_u:system_r:udev_t |
| 49 |
> tcontext=system_u:object_r:modules_conf_t tclass=file |
| 50 |
> audit(1204309163.008:12): avc: denied { sys_nice } for pid=1592 |
| 51 |
> comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t |
| 52 |
> tcontext=system_u:system_r:insmod_t tclass=capability |
| 53 |
> audit(1204309163.008:13): avc: denied { setsched } for pid=1592 |
| 54 |
> comm="modprobe" scontext=system_u:system_r:insmod_t |
| 55 |
> tcontext=system_u:system_r:kernel_t tclass=process |
| 56 |
> |
| 57 |
> Can anybody help me or advice? |
| 58 |
-- |
| 59 |
Chris PeBenito |
| 60 |
<pebenito@g.o> |
| 61 |
Developer, |
| 62 |
Hardened Gentoo Linux |
| 63 |
|
| 64 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 65 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives