Gentoo Archives: gentoo-hardened

From: Joshua Brindle <method@g.o>
To: Julien Mercay <jmercay@××××××.com>
Cc: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] conversion to selinux fails
Date: Fri, 14 May 2004 19:06:58
Message-Id: 40A518C5.6040202@gentoo.org
In Reply to: [gentoo-hardened] conversion to selinux fails by Julien Mercay
It seems like your fstab is not correct, can you check that?

Joshua Brindle

Julien Mercay wrote:
> All,
>
> I converted my Gentoo X86 to selinux, using the QuickStart guide, but
> have the following problems when booting with the policies enabled. The
> init script can only mount my root filesystem, and drop me to a shell.
> Even more strange, my root fs is wrong on the mount table:
>
> # mount
> /dev/ROOT on / type xfs (rw,noatime)
> none on /selinux type selinuxfs (rw)
> none on /proc type proc (rw)
>
> But my root fs is ext3 on /dev/md0 !
>
> I can then mount the other fs manually and start a few services. Looking
> at the logs, I see a lot of access denied, but don't understand why they
> are not part of the default policies. Here are a few lines of my logs:
>
> May 13 11:20:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
> name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file
> May 13 11:21:24 fez avc: denied { getattr } for pid=1 exe=/sbin/init
> name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file
> May 13 11:21:44 fez avc: denied { read } for pid=1 exe=/sbin/init
> path=/dev/initctl dev=09:00 ino=23257
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=fifo_file
> May 13 11:21:44 fez avc: denied { write } for pid=1 exe=/sbin/init
> name=log dev=09:00 ino=23258 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:unlabeled_t tclass=sock_file
> May 13 11:33:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init
> name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file
> May 13 11:33:49 fez avc: denied { getattr } for pid=1 exe=/sbin/init
> name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:initctl_t tclass=fifo_file
> May 13 11:38:21 fez avc: denied { read } for pid=1 exe=/sbin/init
> path=/dev/initctl dev=09:00 ino=23257
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:initctl_t
> tclass=fifo_file
> May 13 11:38:21 fez avc: denied { append } for pid=1 exe=/sbin/init
> name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:wtmp_t tclass=file
> May 13 11:38:21 fez avc: denied { write } for pid=1 exe=/sbin/init
> name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:wtmp_t tclass=file
> May 13 11:38:21 fez avc: denied { lock } for pid=1 exe=/sbin/init
> path=/var/log/wtmp dev=09:03 ino=466844
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:wtmp_t
> tclass=file
> May 13 11:31:01 fez avc: denied { relabelto } for pid=2714
> exe=/usr/sbin/setfiles name=mount dev=09:03 ino=305931
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:mount_exec_t tclass=file
> May 13 11:31:01 fez avc: denied { getattr } for pid=3966
> exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:mount_exec_t tclass=file
> May 13 11:31:01 fez avc: denied { read } for pid=3966
> exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:mount_exec_t tclass=file
> May 13 11:31:01 fez avc: denied { unlink } for pid=3966
> exe=/usr/bin/python2.3 name=mount dev=09:03 ino=305931
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:mount_exec_t tclass=file
> May 13 11:33:47 fez avc: denied { relabelto } for pid=6300
> exe=/usr/sbin/setfiles name=mount dev=09:00 ino=20095
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:mount_exec_t tclass=file
>
> And my emerge info for good measure:
>
> Portage 2.0.50-r6 (x86, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25-selinux-r2)
> =================================================================
> System uname: 2.4.25-selinux-r2 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
> Gentoo Base System version 1.4.10
> Autoconf: sys-devel/autoconf-2.58-r1
> Automake: sys-devel/automake-1.8.3
> ACCEPT_KEYWORDS="x86"
> AUTOCLEAN="yes"
> CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
> CHOST="i686-pc-linux-gnu"
> COMPILER="gcc3"
> CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
> /usr/share/config /var/qmail/control"
> CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
> CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
> DISTDIR="/usr/portage/distfiles"
> FEATURES="autoaddcvs ccache loadpolicy sandbox sfperms strict"
> GENTOO_MIRRORS="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/"
> MAKEOPTS="-j 3"
> PKGDIR="/usr/portage/packages"
> PORTAGE_TMPDIR="/var/tmp"
> PORTDIR="/usr/portage"
> PORTDIR_OVERLAY=""
> SYNC="rsync://rsync.gentoo.org/gentoo-portage"
> USE="apache2 berkdb crypt cups ldap ncurses pam python readline selinux
> slpi ssl tcpd x86 zlib"
>
>
>
> Thanks a lot!
> Julien
>
> --
> gentoo-hardened@g.o mailing list
>
>


--
gentoo-hardened@g.o mailing list
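An added helper, not part of this thread, that parses "avc: denied" records in the format quoted above and groups them by source domain, target type and object class, which is the first thing to do before deciding whether denials are policy gaps or a labeling problem. The sample lines are constructed from the ones in the mail (unwrapped onto single lines); on them, every source domain is kernel_t for pid 1, so the summary points at the domain transition of /sbin/init rather than at missing allow rules.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC lines quoted in the mail above;
# the mail client wrapped each record, here each one is on a single line.
SAMPLE_LOG = """\
May 13 11:20:39 fez avc: denied { getattr } for pid=1 exe=/sbin/init name=initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:44 fez avc: denied { read } for pid=1 exe=/sbin/init path=/dev/initctl dev=09:00 ino=23257 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
May 13 11:21:44 fez avc: denied { write } for pid=1 exe=/sbin/init name=log dev=09:00 ino=23258 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
May 13 11:38:21 fez avc: denied { append } for pid=1 exe=/sbin/init name=wtmp dev=09:03 ino=466844 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:wtmp_t tclass=file
May 13 11:31:01 fez avc: denied { relabelto } for pid=2714 exe=/usr/sbin/setfiles name=mount dev=09:03 ino=305931 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:mount_exec_t tclass=file
May 13 11:31:01 fez kernel: some unrelated line
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(text):
    """Group denials by (source domain, target type, object class), keeping the
    sorted set of denied permissions and the executables that triggered them."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # user:role:type -> take the type component of each context
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["exes"].add(rec.get("exe", "?"))
    return {k: {"perms": sorted(v["perms"]), "exes": sorted(v["exes"])} for k, v in groups.items()}


def source_domains(summary):
    """Distinct source domains seen; a single 'kernel_t' entry for pid 1 is the warning sign."""
    return sorted({src for (src, _, _) in summary})


if __name__ == "__main__":
    for (src, tgt, cls), v in summarize(SAMPLE_LOG).items():
        print(f"{src:10} -> {tgt:14} ({cls}): {' '.join(v['perms'])}  via {','.join(v['exes'])}")
```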