On Sun, 2007-04-29 at 14:07 +0200, Jens Neuhalfen wrote:
> Hello everyone,

There's a lot of details in here, hopefully I can digest and answer all
of these :)

> Using targeted, I get the following from audit2allow -d (booting in
> enforcing mode):
>
> allow httpd_t var_run_t:sock_file unlink;

Now that httpd is running in the right domain, it should be creating new
sockets with the right type, so this was probably just an old one.
Should be ok to be left denied, and you shouldn't see it anymore anyway.

> DHCP did not work, though. So, "setenforce 0", "dhcpcd -n eth0" and - it
> works.
[...]

Which version of dhcpcd? It works fine for me from the regular init
scripts.

> My results of 'upgrading' the dhcp-policy to unstable follow below.
>
>
> Still using the stable policy:
>
> Another vexing thing is that "seinfo" fails:
> # seinfo
> Could not open policy /etc/selinux/targeted/policy/policy.21!
>
> Although a policy.20 file exists. To get around that I
> switched from policy-version = 20 to
> policy-version = 21
> in semanage.conf and called semodule -B, semodule -R to build and load
> the policy.21 file. seinfo now gives no error, but no output either.

You should leave this option commented out. The semanage/semodule
should now be building the newest policy version that the compiler
supports. If the kernel is older, it will downgrade the policy. 2.6.19
should be a v21 policy, so I'm not sure what the problem is. What
version does `sestatus` say?

> # seinfo /etc/selinux/targeted/policy/policy.21
> #
>
> compared to
>
> # seinfo /etc/selinux/targeted/policy/policy.20
>
> Statistics for policy file: /etc/selinux/targeted/policy/policy.20
> Policy Version & Type: v.20 (binary, non-MLS)

> Booting and calling audit2allow -d gives me a much longer list:
> allow dhcpc_t self:netlink_route_socket nlmsg_write;

I'll have to do some looking on that one, it's not in the upstream policy
at the moment.

> allow gssd_t etc_t:file write;

The actual denial message would be helpful in this case.

> allow getty_t urandom_device_t:chr_file read;
> allow hostname_t urandom_device_t:chr_file read;
> allow iptables_t urandom_device_t:chr_file read;
> allow mount_t urandom_device_t:chr_file read;
> allow mysqld_t urandom_device_t:chr_file read;
> allow nfsd_t selinux_config_t:dir getattr;
> allow portmap_t urandom_device_t:chr_file read;
> allow restorecon_t urandom_device_t:chr_file read;
> allow syslogd_t urandom_device_t:chr_file read;

Normally I would say these are from the hardened gcc __guard (or
whatever it is named lately), but I thought that wasn't available with
gcc 4.1+/glibc 2.4+. I suspect that I should dontaudit this anyway.

> emerge sec-policy/selinux-base-policy -1 -pv
>
> Will emerge sec-policy/selinux-base-policy-20070329 which will fail at
> installation time with
>
> ...
> * Inserting base module into targeted module store.
> libsepol.print_missing_requirements: apache's global requirements were
> not met: bool httpd_enable_ftp_server
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
[more similar errors]

Make sure you have all the 20070329 policies merged (ignore the above
error message), and then use the script in this [1] to reinstall all the
policies in one shot.

[1] http://marc.info/?l=gentoo-hardened&m=117573233110226&w=2

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
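A small shell diagnostic for the policy-version question discussed in the reply above (the missing policy.21 next to an existing policy.20, and the advice to leave policy-version commented out in semanage.conf). It is added here as an example and is not part of the thread or of any Gentoo or SELinux tooling; it assumes the policy directory, the kernel's policy version and the semanage.conf path are passed as arguments, and that the downward search stops at 15, libselinux's DEFAULT_POLICY_VERSION.

```shell
#!/bin/sh
# Mimic the lookup libselinux does at boot: start at the kernel's maximum
# policy version and walk down until an existing policy.N is found (floor 15,
# libselinux's DEFAULT_POLICY_VERSION). Paths and the kernel version are
# arguments so this can run against a constructed directory; on a live box the
# kernel version is in /sys/fs/selinux/policyvers (/selinux/policyvers on 2.6).

# Print the policy-version value set in semanage.conf, ignoring commented
# lines; prints nothing when the option is commented out (the advised state).
semanage_policy_version() {
    sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print the policy file the kernel would load: the highest existing policy.N
# with N <= kernel_vers under policy_dir. Returns 1 if there is none.
pick_policy_file() {
    policy_dir=$1
    vers=$2
    while [ "$vers" -ge 15 ]; do
        if [ -f "$policy_dir/policy.$vers" ]; then
            printf '%s\n' "$policy_dir/policy.$vers"
            return 0
        fi
        vers=$((vers - 1))
    done
    return 1
}

# Explain a "Could not open policy .../policy.<kernel_vers>" report: show whether
# semanage.conf pins a version and which file is actually loadable.
diagnose() {
    policy_dir=$1; kernel_vers=$2; conf=$3
    pinned=$(semanage_policy_version "$conf")
    if [ -n "$pinned" ]; then
        echo "warning: $conf pins policy-version = $pinned; leave it commented out"
    fi
    if [ ! -f "$policy_dir/policy.$kernel_vers" ]; then
        echo "policy.$kernel_vers is absent; a tool that opens it by name will fail"
    fi
    if loaded=$(pick_policy_file "$policy_dir" "$kernel_vers"); then
        echo "kernel (max v$kernel_vers) would load: $loaded"
    else
        echo "no loadable policy.N found in $policy_dir"
        return 1
    fi
}

# Usage: sh check_policy.sh /etc/selinux/targeted/policy 21 /etc/selinux/semanage.conf
if [ "$#" -eq 3 ]; then diagnose "$1" "$2" "$3"; fi
```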