Hi Chris,

Saturday, August 16, 2003, 8:49:41 PM, you wrote:
> Did you remember to load the policy after changing the .te files? (cd
> /etc/security/selinux/src/policy ; make load) I still see file_t files.

No, I didn't.
But I did now. Still errors in dmesg output.
So this is what I did:
- removed network hacks from kernel
- added the following lines to fsadm.te
  "dontaudit fsadm_t random_device_t:chr_file getattr;"
  "dontaudit fsadm_t ppp_device_t:chr_file getattr;"
- make load
- make relabel

<current dmesg output>
Linux version 2.4.20-hardened-r4 (root@r00t) (gcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r1, propolice)) #3 SMP Sat Aug 16 18:14:40 CEST 2003
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 0000000008000000 (usable)
BIOS-e820: 00000000ffff0000 - 0000000100000000 (reserved)
128MB LOWMEM available.
On node 0 totalpages: 32768
zone(0): 4096 pages.
zone(1): 28672 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/hda2 vga=791
No local APIC present or hardware disabled
Initializing CPU#0
Detected 233.868 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 465.30 BogoMIPS
Memory: 126464k/131072k available (1596k kernel code, 4224k reserved, -2208k data, 264k init, 0k highmem)
Security Scaffold v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
Dentry cache hash table entries: 16384 (order: 5, 131072 bytes)
Inode cache hash table entries: 8192 (order: 4, 65536 bytes)
Mount-cache hash table entries: 2048 (order: 2, 16384 bytes)
Buffer-cache hash table entries: 8192 (order: 3, 32768 bytes)
Page-cache hash table entries: 32768 (order: 5, 131072 bytes)
Intel Pentium with F0 0F bug - workaround enabled.
CPU: After generic, caps: 008001bf 00000000 00000000 00000000
CPU: Common caps: 008001bf 00000000 00000000 00000000
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
CPU: After generic, caps: 008001bf 00000000 00000000 00000000
CPU: Common caps: 008001bf 00000000 00000000 00000000
CPU0: Intel Pentium MMX stepping 03
per-CPU timeslice cutoff: 160.32 usecs.
task migration cache decay timeout: 10 msecs.
SMP motherboard not detected.
Local APIC not detected. Using dummy APIC emulation.
migration_task 0 on cpu=0
PCI: PCI BIOS revision 2.10 entry at 0xfb550, last bus=0
PCI: Using configuration type 1
PCI: Probing PCI hardware
Limiting direct PCI/PCI transfers.
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@××××××××××.au)
devfs: boot_options: 0x1
Installing knfsd (copyright (C) 1996 okir@×××××××××.de).
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security: Registering secondary module capability
Capability LSM initialized
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
PIIX4: IDE controller on PCI bus 00 dev 39
PIIX4: chipset revision 1
PIIX4: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:pio, hdb:pio
ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:pio, hdd:pio
hda: ST3630A, ATA DISK drive
hdb: ATAPI CDROM, ATAPI CD/DVD-ROM drive
hdc: ST34321A, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
blk: queue c01876c4, I/O limit 4095Mb (mask 0xffffffff)
hda: 1232784 sectors (631 MB) w/120KiB Cache, CHS=611/32/63, DMA
blk: queue c0187a28, I/O limit 4095Mb (mask 0xffffffff)
hdc: 8404830 sectors (4303 MB) w/128KiB Cache, CHS=8894/15/63, UDMA(33)
hdb: ATAPI 40X CD-ROM drive, 128kB Cache, UDMA(33)
Uniform CD-ROM driver Revision: 3.12
Partition check:
/dev/ide/host0/bus0/target0/lun0: p1 p2
/dev/ide/host0/bus1/target0/lun0: p1 p2 p3 p4 < p5 p6 >
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
8139too Fast Ethernet driver 0.9.26
eth0: RealTek RTL8139 Fast Ethernet at 0xc8804000, 00:30:84:28:e3:12, IRQ 9
eth0: Identified 8139 chip type 'RTL-8139C'
eth1: RealTek RTL8139 Fast Ethernet at 0xc8806000, 00:e0:7d:82:48:3c, IRQ 12
eth1: Identified 8139 chip type 'RTL-8139B'
Linux agpgart interface v0.99 (c) Jeff Hartmann
agpgart: Maximum main memory to use for agp memory: 96M
agpgart: no supported devices found.
SCSI subsystem driver Revision: 1.00
scsi0 : AM53/79C974 PCscsi driver rev. 0.5; host I/O address: 0x6700; irq: 11

NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 1024 buckets, 8Kbytes
TCP: Hash tables configured (established 8192 bind 8192)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
reiserfs: checking transaction log (device 03:02) ...
Using r5 hash to sort names
ReiserFS version 3.6.25
VFS: Mounted root (reiserfs filesystem) readonly.
SELinux: Completing initialization.
security: loading policy configuration from /etc/security/selinux/policy.12
security: 3 users, 6 roles, 338 types
security: 29 classes, 22777 rules
SELinux: initialized (dev 03:02, type reiserfs), uses PSIDs
SELinux: initialized (dev 00:08, type devpts), uses transition SIDs
SELinux: initialized (dev 00:07, type devfs), uses genfs_contexts
SELinux: initialized (dev 00:06, type binfmt_misc), not configured for labeling
SELinux: initialized (dev 00:05, type pipefs), uses task SIDs
SELinux: initialized (dev 00:04, type tmpfs), uses transition SIDs
SELinux: initialized (dev 00:03, type sockfs), uses task SIDs
SELinux: initialized (dev 00:02, type proc), uses genfs_contexts
SELinux: initialized (dev 00:01, type bdev), not configured for labeling
SELinux: initialized (dev 00:00, type rootfs), not configured for labeling
Mounted devfs on /dev
Freeing unused kernel memory: 264k freed
Adding Swap: 499864k swap-space (priority -1)

avc: denied { add_name } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=dir

avc: denied { create } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file

avc: denied { getattr } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 dev=03:02 ino=40072 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file

avc: denied { write } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 dev=03:02 ino=40072 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file

avc: denied { read } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 dev=03:02 ino=40072 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file

avc: denied { remove_name } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 dev=03:02 ino=40072 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=dir

avc: denied { unlink } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 dev=03:02 ino=40072 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file

avc: denied { getattr } for pid=263 exe=/sbin/reiserfsck scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:proc_t tclass=filesystem
reiserfs: checking transaction log (device 16:01) ...
Using r5 hash to sort names
ReiserFS version 3.6.25
SELinux: initialized (dev 16:01, type reiserfs), uses PSIDs
reiserfs: checking transaction log (device 16:02) ...
Using r5 hash to sort names
ReiserFS version 3.6.25
SELinux: initialized (dev 16:02, type reiserfs), uses PSIDs
reiserfs: checking transaction log (device 16:03) ...
Using r5 hash to sort names
ReiserFS version 3.6.25
SELinux: initialized (dev 16:03, type reiserfs), uses PSIDs
reiserfs: checking transaction log (device 16:06) ...
Using r5 hash to sort names
ReiserFS version 3.6.25
SELinux: initialized (dev 16:06, type reiserfs), uses PSIDs
SELinux: initialized (dev 00:09, type tmpfs), uses transition SIDs
eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 45e1.

avc: denied { read } for pid=815 exe=/bin/bash path=/root dev=03:02 ino=3872 scontext=root:staff_r:staff_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir

avc: denied { write } for pid=820 exe=/bin/bash path=/root/dmesg.txt dev=03:02 ino=39881 scontext=root:staff_r:staff_t tcontext=system_u:object_r:sysadm_home_t tclass=file

avc: denied { setattr } for pid=820 exe=/bin/bash path=/root/dmesg.txt dev=03:02 ino=39881 scontext=root:staff_r:staff_t tcontext=system_u:object_r:sysadm_home_t tclass=file
</current dmesg output>


Regards
/Christian mailto:caefer@××××××××××.net

---


I propose that the following character sequence for joke markers:

:-)

19-Sep-82 11:44 Scott E Fahlman


--
gentoo-hardened@g.o mailing list
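An added example, not part of the thread: a small parser for the 2.4-era `avc: denied` lines shown above that groups the denied permissions per (source type, target type, class) and prints candidate TE rules for review, in the spirit of audit2allow but not its code. It assumes the kernel's `user:role:type` context format with no MLS field, and it flags `file_t` targets separately because, as Chris pointed out, those files are unlabeled and need `make relabel` rather than a new allow rule.

```python
import re
from collections import defaultdict

# Constructed sample: avc lines copied from the dmesg output above, plus two non-avc lines.
SAMPLE_DMESG = """\
Freeing unused kernel memory: 264k freed
avc: denied { add_name } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=dir
avc: denied { create } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file
avc: denied { write } for pid=181 exe=/bin/bash path=/tmp/sh-thd-1061096098 dev=03:02 ino=40072 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=file
avc: denied { getattr } for pid=263 exe=/sbin/reiserfsck scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:proc_t tclass=filesystem
avc: denied { read } for pid=815 exe=/bin/bash path=/root dev=03:02 ino=3872 scontext=root:staff_r:staff_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir
avc: denied { write } for pid=820 exe=/bin/bash path=/root/dmesg.txt dev=03:02 ino=39881 scontext=root:staff_r:staff_t tcontext=system_u:object_r:sysadm_home_t tclass=file
avc: denied { setattr } for pid=820 exe=/bin/bash path=/root/dmesg.txt dev=03:02 ino=39881 scontext=root:staff_r:staff_t tcontext=system_u:object_r:sysadm_home_t tclass=file
eth0: Setting 100mbps full-duplex based on auto-negotiated partner ability 45e1.
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """One 'avc: denied' line -> dict of perms plus key=value fields; None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec

def type_of(context):
    return context.split(":")[2]  # user:role:type, no MLS field on this kernel (assumed)

def summarize(lines):
    """Collect denied permissions per (source type, target type, object class)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return groups

def suggest_rules(lines):
    """Candidate TE rules for human review; every rule here still needs a policy decision."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype == "file_t":
            # file_t means the file is unlabeled: the fix is 'make relabel', not a new rule
            rule = "# unlabeled target, relabel instead: " + rule
        rules.append(rule)
    return rules
```

Run it as `suggest_rules(SAMPLE_DMESG.splitlines())`; the `fsadm_t` getattr on `proc_t` is the kind of noise the thread handles with `dontaudit` instead of `allow`.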