| 1 |
On Sun, 2007-04-29 at 14:07 +0200, Jens Neuhalfen wrote: |
| 2 |
> Hello everyone, |
| 3 |
|
| 4 |
Theres a lot of details in here, hopefully I can digest and answer all |
| 5 |
of these :) |
| 6 |
|
| 7 |
> Using targeted, I get the following from audit2allow -d (booting in |
| 8 |
> enforcing mode): |
| 9 |
> |
| 10 |
> allow httpd_t var_run_t:sock_file unlink; |
| 11 |
|
| 12 |
Now that httpd is running in the right domain, it should be creating new |
| 13 |
sockets with the right type, so this was probably just an old one. |
| 14 |
Should be ok to be left denied, and you shouldn't see it anymore anyway. |
| 15 |
|
| 16 |
> DHCP did not work, though. So, "seteforce 0", "dhcpcd -n eth0" and - it |
| 17 |
> works. |
| 18 |
[...] |
| 19 |
|
| 20 |
which version of dhcpcd? It works fine for me from the regular init |
| 21 |
scripts. |
| 22 |
|
| 23 |
> My results of 'upgrading' the dhcp-policy to unstable follow below. |
| 24 |
> |
| 25 |
> |
| 26 |
> Still using the stable policy: |
| 27 |
> |
| 28 |
> Another vexing thing is that "seinfo" fails: |
| 29 |
> # seinfo |
| 30 |
> Could not open policy /etc/selinux/targeted/policy/policy.21! |
| 31 |
> |
| 32 |
> Although a policy.20 file exists. To get around that I |
| 33 |
> switched from policy-version = 20 to |
| 34 |
> policy-version = 21 |
| 35 |
> in semanage.conf and called semodule -B, semodule -R to build and load |
| 36 |
> the policy.21 file. seinfo now gives no error, but no output too. |
| 37 |
|
| 38 |
You should leave this option commented out. The semanage/semodule |
| 39 |
should now be building the newest policy version that the compiler |
| 40 |
supports. If the kernel is older, it will downgrade the policy. 2.6.19 |
| 41 |
should be a v21 policy, so I'm not sure what the problem is. What |
| 42 |
version does `sestatus` say? |
| 43 |
|
| 44 |
> # seinfo /etc/selinux/targeted/policy/policy.21 |
| 45 |
> # |
| 46 |
> |
| 47 |
> compared to |
| 48 |
> |
| 49 |
> # seinfo /etc/selinux/targeted/policy/policy.20 |
| 50 |
> |
| 51 |
> Statistics for policy file: /etc/selinux/targeted/policy/policy.20 |
| 52 |
> Policy Version & Type: v.20 (binary, non-MLS) |
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
> Booting and calling audit2allow -d gives me a much longer list: |
| 57 |
> allow dhcpc_t self:netlink_route_socket nlmsg_write; |
| 58 |
|
| 59 |
I'll have to do some looking on that one, its not in the upstream policy |
| 60 |
at the moment. |
| 61 |
|
| 62 |
> allow gssd_t etc_t:file write; |
| 63 |
|
| 64 |
The actual denial message would be helpful in this case. |
| 65 |
|
| 66 |
> allow getty_t urandom_device_t:chr_file read; |
| 67 |
> allow hostname_t urandom_device_t:chr_file read; |
| 68 |
> allow iptables_t urandom_device_t:chr_file read; |
| 69 |
> allow mount_t urandom_device_t:chr_file read; |
| 70 |
> allow mysqld_t urandom_device_t:chr_file read; |
| 71 |
> allow nfsd_t selinux_config_t:dir getattr; |
| 72 |
> allow portmap_t urandom_device_t:chr_file read; |
| 73 |
> allow restorecon_t urandom_device_t:chr_file read; |
| 74 |
> allow syslogd_t urandom_device_t:chr_file read; |
| 75 |
|
| 76 |
Normally I would say these are from the hardened gcc __guard (or |
| 77 |
whatever it is named lately), but I thought that wasn't available with |
| 78 |
gcc 4.1+/glibc 2.4+. I suspect that I should dontaudit this anyway. |
| 79 |
|
| 80 |
> emerge sec-policy/selinux-base-policy -1 -pv |
| 81 |
> |
| 82 |
> Will emerge sec-policy/selinux-base-policy-20070329 which will fail at |
| 83 |
> installation time with |
| 84 |
> |
| 85 |
> ... |
| 86 |
> * Inserting base module into targeted module store. |
| 87 |
> libsepol.print_missing_requirements: apache's global requirements were |
| 88 |
> not met: bool httpd_enable_ftp_server |
| 89 |
> libsemanage.semanage_link_sandbox: Link packages failed |
| 90 |
> semodule: Failed! |
| 91 |
[more similar errors] |
| 92 |
|
| 93 |
Make sure you have all the 20070329 policies merged (ignore the above |
| 94 |
error message), and then use the script in this [1] to reinstall all the |
| 95 |
policies in one shot. |
| 96 |
|
| 97 |
[1] http://marc.info/?l=gentoo-hardened&m=117573233110226&w=2 |
| 98 |
|
| 99 |
-- |
| 100 |
Chris PeBenito |
| 101 |
<pebenito@g.o> |
| 102 |
Developer, |
| 103 |
Hardened Gentoo Linux |
| 104 |
|
| 105 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 106 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives