I'm on the 2006.1 unstable profile for SELinux and think I may have a race condition that results in AVC denials before SELinux has finished labeling things like /dev. For example, the first denial below appears to be where /etc/hotplug.d/default/default.hotplug is peeking and poking around with /dev/null. The denial reports it as system_u:object_r:file_t, but when I look at it on a running system I see it as system_u:object_r:null_device_t. Should I be editing /etc/runlevels/boot to add dependencies to various scripts? (Although SELinux isn't a script, so how would I make it a dependency?)

Snippet from dmesg:

security: 5 users, 5 roles, 1376 types, 81 bools
security: 59 classes, 61906 rules
security: class dccp_socket not defined in policy
security: permission dccp_recv in class node not defined in policy
security: permission dccp_send in class node not defined in policy
security: permission dccp_recv in class netif not defined in policy
security: permission dccp_send in class netif not defined in policy
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sda5, type ext3), uses xattr
inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for dev=sda5 ino=1938273
audit(1182137416.171:2): avc: denied { ioctl } for pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.203:3): avc: denied { read } for pid=889 comm="env" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.204:4): avc: denied { read } for pid=884 comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t tclass=file
audit(1182137416.206:5): avc: denied { search } for pid=884 comm="default.hotplug" name="var" dev=sda5 ino=1254177 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t tclass=dir
audit(1182137416.221:6): avc: denied { search } for pid=884 comm="default.hotplug" name="log" dev=sda5 ino=1255669 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t tclass=dir
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1182137416.259:7): policy loaded auid=4294967295
audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.277:10): avc: denied { read } for pid=891 comm="hotplug" name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.279:11): avc: denied { write } for pid=891 comm="hotplug" name="tty" dev=sda5 ino=734192 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.296:12): avc: denied { ioctl } for pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.758:13): avc: denied { read write } for pid=970 comm="rc" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.033:14): avc: denied { read write } for pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.034:15): avc: denied { search } for pid=994 comm="consoletype" name="dev" dev=sda5 ino=732961 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1182137417.034:16): avc: denied { getattr } for pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.035:17): avc: denied { ioctl } for pid=994 comm="consoletype" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.082:18): avc: denied { ioctl } for pid=997 comm="stty" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.172:19): avc: denied { getattr } for pid=970 comm="bash" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.196:20): avc: denied { read write } for pid=1001 comm="dmesg" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.220:21): avc: denied { read write } for pid=1004 comm="mount" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1182137417.478:22): avc: denied { read write } for pid=1038 comm="restorecon" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.716:23): avc: denied { write } for pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137417.875:24): avc: denied { read write } for pid=1062 comm="udevd" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137418.770:25): avc: denied { read } for pid=1194 comm="modprobe" name="console" dev=tmpfs ino=2100 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137424.374:26): avc: denied { getattr } for pid=2059 comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file
audit(1182137424.376:27): avc: denied { read } for pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file