Hello,

I'm a SELinux newbie and I have some problems with denials.
It seems that SELinux would deny almost everything, including system
tasks:

audit(1094916629.677:0): avc: denied { search } for pid=18204 exe=/bin/dmesg dev=ramfs ino=774 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916629.677:0): avc: denied { read } for pid=18204 exe=/bin/dmesg name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.023:0): avc: denied { getattr } for pid=9704 exe=/sbin/e2fsck path=/dev/hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.024:0): avc: denied { read write } for pid=9704 exe=/sbin/e2fsck name=hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.067:0): avc: denied { ioctl } for pid=9704 exe=/sbin/e2fsck path=/dev/hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
EXT3 FS on hda1, internal journal
audit(1094916630.393:0): avc: denied { search } for pid=16474 exe=/bin/hostname dev=ramfs ino=774 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.393:0): avc: denied { read } for pid=16474 exe=/bin/hostname name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.496:0): avc: denied { write } for pid=19589 exe=/bin/bash path=/dev/null dev=ramfs ino=2761 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.504:0): avc: denied { search } for pid=19589 exe=/bin/bash dev=ramfs ino=774 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.504:0): avc: denied { read } for pid=19589 exe=/bin/bash name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.506:0): avc: denied { search } for pid=19589 exe=/bin/bash name=run dev=hda1 ino=1909442 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1094916630.604:0): avc: denied { getattr } for pid=3014 exe=/bin/gawk-3.1.3 path=/dev/null dev=ramfs ino=2761 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.887:0): avc: denied { search } for pid=1 exe=/sbin/init dev=ramfs ino=774 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.887:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
audit(1094916630.887:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file

and the list goes on.

The system is running in permissive mode and I've reloaded the policy and
relabeled the filesystem.

/dev/hda1 on / type ext3 (rw,noatime)
none on /selinux type selinuxfs (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev type ramfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)

Portage 2.0.50-r11 (x86, gcc-3.3.4, glibc-2.3.4.20040808-r0, 2.6.7-hardened-r8)
=================================================================
System uname: 2.6.7-hardened-r8 i686 Celeron (Mendocino)
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium2 -O3 -pipe -fomit-frame-pointer -ffast-math -fforce-addr -falign-functions=4 -ftracer -fstack-protector-all"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium2 -O3 -pipe -fomit-frame-pointer -ffast-math -fforce-addr -falign-functions=4 -ftracer -fstack-protector-all"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoload ccache sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.lug.ro/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow aalib acl acpi adns apache2 berkdb bzlib caps crypt curl curlwrappers dio exif fam flac ftp gd gmp gnutls hardened imagemagick imap java junit ldap mad maildir mailwrapper memlimit mhash mmap mmx ncurses nls nptl offensive oggvorbis pam pcntl pcre pic pie png posix readline samba selinux session shared sharedmem slang soap sockets socks5 speex sqlite sse ssl svg sysvipc tcpd theora tiff unicode usb vhosts wmf x86 xml xmlrpc zlib"

Btw, if I type echo 1 > /selinux/enforce the system locks up instantly :(

I've installed the distribution using the SELinux handbook, but it seems
that I didn't do something the right way.

Please help.

--
gentoo-hardened@g.o mailing list
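An added example, not part of the original post: a small Python script that parses audit lines in the format quoted above and groups the denials by source type, target type, object class and permission set. Run over the post's denials, the per-target count makes the pattern visible: nearly every denied target carries ramfs_t, the label of the ramfs mounted on /dev in the mount output, with only the /var/run search hitting var_run_t. The sample lines embedded below are copied from the post; nothing is read from a live system.

```python
import re
from collections import Counter

# Constructed sample in the same format as the audit lines quoted in the
# post (field values copied from the post, not taken from a live system).
SAMPLE_AVC = """\
audit(1094916629.677:0): avc: denied { search } for pid=18204 exe=/bin/dmesg dev=ramfs ino=774 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.024:0): avc: denied { read write } for pid=9704 exe=/sbin/e2fsck name=hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.506:0): avc: denied { search } for pid=19589 exe=/bin/bash name=run dev=hda1 ino=1909442 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:var_run_t tclass=dir
EXT3 FS on hda1, internal journal
"""

# Permissions inside the braces, then the key=value fields that follow "for".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = tuple(m.group("perms").split())
    # Reduce user:role:type contexts to the type, which is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Count denials per (source type, target type, class, perms) and per target type."""
    by_rule, by_target = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:  # kernel noise such as the EXT3 line is skipped
            continue
        by_rule[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
        by_target[rec["ttype"]] += 1
    return by_rule, by_target


if __name__ == "__main__":
    rules, targets = summarize(SAMPLE_AVC)
    print("denials per target type:", dict(targets))
    for (s, t, cls, perms), n in sorted(rules.items()):
        print(f"{n}x  {s} -> {t}:{cls} {{ {' '.join(perms)} }}")
```

Feed it the full denial list from a dmesg capture (`python3 avc_summary.py < dmesg.txt` after swapping SAMPLE_AVC for sys.stdin.read()) and the aggregated rules are what you would compare against the loaded policy.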