Gentoo Archives: gentoo-hardened

From: Andrei Ivanov <andrei.ivanov@××××.ro>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] [SELinux] denials and lock up
Date: Sat, 11 Sep 2004 13:47:36
Message-Id: Pine.LNX.4.61.0409111638560.25509@webdev.ines.ro
Hello,
I'm a SELinux newbie and I have some problems with denials.
It seems that SELinux would deny almost everything, including system
tasks:

audit(1094916629.677:0): avc: denied { search } for pid=18204 exe=/bin/dmesg dev=ramfs ino=774 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916629.677:0): avc: denied { read } for pid=18204 exe=/bin/dmesg name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.023:0): avc: denied { getattr } for pid=9704 exe=/sbin/e2fsck path=/dev/hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.024:0): avc: denied { read write } for pid=9704 exe=/sbin/e2fsck name=hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.067:0): avc: denied { ioctl } for pid=9704 exe=/sbin/e2fsck path=/dev/hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
EXT3 FS on hda1, internal journal
audit(1094916630.393:0): avc: denied { search } for pid=16474 exe=/bin/hostname dev=ramfs ino=774 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.393:0): avc: denied { read } for pid=16474 exe=/bin/hostname name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.496:0): avc: denied { write } for pid=19589 exe=/bin/bash path=/dev/null dev=ramfs ino=2761 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.504:0): avc: denied { search } for pid=19589 exe=/bin/bash dev=ramfs ino=774 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.504:0): avc: denied { read } for pid=19589 exe=/bin/bash name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.506:0): avc: denied { search } for pid=19589 exe=/bin/bash name=run dev=hda1 ino=1909442 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1094916630.604:0): avc: denied { getattr } for pid=3014 exe=/bin/gawk-3.1.3 path=/dev/null dev=ramfs ino=2761 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.887:0): avc: denied { search } for pid=1 exe=/sbin/init dev=ramfs ino=774 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.887:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
audit(1094916630.887:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file

and the list goes on.

The system is running in permissive mode and I've reloaded the policy and
relabeled the filesystem.

/dev/hda1 on / type ext3 (rw,noatime)
none on /selinux type selinuxfs (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev type ramfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)


Portage 2.0.50-r11 (x86, gcc-3.3.4, glibc-2.3.4.20040808-r0, 2.6.7-hardened-r8)
=================================================================
System uname: 2.6.7-hardened-r8 i686 Celeron (Mendocino)
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium2 -O3 -pipe -fomit-frame-pointer -ffast-math -fforce-addr -falign-functions=4 -ftracer -fstack-protector-all"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium2 -O3 -pipe -fomit-frame-pointer -ffast-math -fforce-addr -falign-functions=4 -ftracer -fstack-protector-all"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoload ccache sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.lug.ro/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow aalib acl acpi adns apache2 berkdb bzlib caps crypt curl curlwrappers dio exif fam flac ftp gd gmp gnutls hardened imagemagick imap java junit ldap mad maildir mailwrapper memlimit mhash mmap mmx ncurses nls nptl offensive oggvorbis pam pcntl pcre pic pie png posix readline samba selinux session shared sharedmem slang soap sockets socks5 speex sqlite sse ssl svg sysvipc tcpd theora tiff unicode usb vhosts wmf x86 xml xmlrpc zlib"


Btw, if I type echo 1 > /selinux/enforce the system locks up instantly :(

I've installed the distribution using the SELinux handbook, but it seems
that I didn't do something the right way.

Please help.

--
gentoo-hardened@g.o mailing list

Replies

Subject Author
Re: [gentoo-hardened] [SELinux] denials and lock up Chris PeBenito <pebenito@g.o>