| 1 |
I'm on the 2006.1 unstable profile for selinux and think I may have a |
| 2 |
race condition that results in avc denials before selinux has finished |
| 3 |
labeling things like /dev. For example, the first denial below appears |
| 4 |
to be where /etc/hotplug.d/default/default.hotplug is peeking and poking |
| 5 |
around with /dev/null. The denial has it as a system_u:object_r:file_t, |
| 6 |
but when I look at it from a running system I see it as a |
| 7 |
system_u:object_r:null_device_t. Should I be messing around in |
| 8 |
/etc/runlevels/boot to put dependencies in various scripts (although |
| 9 |
selinux isn't a script so how would I make it a dependency?) |
| 10 |
|
| 11 |
snippet from a dmesg: |
| 12 |
|
| 13 |
security: 5 users, 5 roles, 1376 types, 81 bools |
| 14 |
security: 59 classes, 61906 rules |
| 15 |
security: class dccp_socket not defined in policy |
| 16 |
security: permission dccp_recv in class node not defined in policy |
| 17 |
security: permission dccp_send in class node not defined in policy |
| 18 |
security: permission dccp_recv in class netif not defined in policy |
| 19 |
security: permission dccp_send in class netif not defined in policy |
| 20 |
SELinux: Completing initialization. |
| 21 |
SELinux: Setting up existing superblocks. |
| 22 |
SELinux: initialized (dev sda5, type ext3), uses xattr |
| 23 |
inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for |
| 24 |
dev=sda5 ino=1938273 |
| 25 |
audit(1182137416.171:2): avc: denied { ioctl } for pid=884 |
| 26 |
comm="default.hotplug" name="null" dev=sda5 ino=733068 |
| 27 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t |
| 28 |
tclass=chr_file |
| 29 |
audit(1182137416.203:3): avc: denied { read } for pid=889 comm="env" |
| 30 |
name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t |
| 31 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 32 |
audit(1182137416.204:4): avc: denied { read } for pid=884 |
| 33 |
comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280 |
| 34 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t |
| 35 |
tclass=file |
| 36 |
audit(1182137416.206:5): avc: denied { search } for pid=884 |
| 37 |
comm="default.hotplug" name="var" dev=sda5 ino=1254177 |
| 38 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t |
| 39 |
tclass=dir |
| 40 |
audit(1182137416.221:6): avc: denied { search } for pid=884 |
| 41 |
comm="default.hotplug" name="log" dev=sda5 ino=1255669 |
| 42 |
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t |
| 43 |
tclass=dir |
| 44 |
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts |
| 45 |
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts |
| 46 |
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs |
| 47 |
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts |
| 48 |
SELinux: initialized (dev devpts, type devpts), uses transition SIDs |
| 49 |
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs |
| 50 |
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts |
| 51 |
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs |
| 52 |
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts |
| 53 |
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs |
| 54 |
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs |
| 55 |
SELinux: initialized (dev proc, type proc), uses genfs_contexts |
| 56 |
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts |
| 57 |
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts |
| 58 |
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts |
| 59 |
audit(1182137416.259:7): policy loaded auid=4294967295 |
| 60 |
audit(1182137416.261:8): avc: denied { read write } for pid=1 |
| 61 |
comm="init" name="console" dev=sda5 ino=734292 |
| 62 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t |
| 63 |
tclass=chr_file |
| 64 |
audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init" |
| 65 |
name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t |
| 66 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 67 |
audit(1182137416.277:10): avc: denied { read } for pid=891 |
| 68 |
comm="hotplug" name="urandom" dev=sda5 ino=732962 |
| 69 |
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t |
| 70 |
tclass=chr_file |
| 71 |
audit(1182137416.279:11): avc: denied { write } for pid=891 |
| 72 |
comm="hotplug" name="tty" dev=sda5 ino=734192 |
| 73 |
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t |
| 74 |
tclass=chr_file |
| 75 |
audit(1182137416.296:12): avc: denied { ioctl } for pid=893 |
| 76 |
comm="default.hotplug" name="null" dev=sda5 ino=733068 |
| 77 |
scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t |
| 78 |
tclass=chr_file |
| 79 |
audit(1182137416.758:13): avc: denied { read write } for pid=970 |
| 80 |
comm="rc" name="console" dev=sda5 ino=734292 |
| 81 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t |
| 82 |
tclass=chr_file |
| 83 |
audit(1182137417.033:14): avc: denied { read write } for pid=994 |
| 84 |
comm="consoletype" name="console" dev=sda5 ino=734292 |
| 85 |
scontext=system_u:system_r:consoletype_t |
| 86 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 87 |
audit(1182137417.034:15): avc: denied { search } for pid=994 |
| 88 |
comm="consoletype" name="dev" dev=sda5 ino=732961 |
| 89 |
scontext=system_u:system_r:consoletype_t |
| 90 |
tcontext=system_u:object_r:file_t tclass=dir |
| 91 |
audit(1182137417.034:16): avc: denied { getattr } for pid=994 |
| 92 |
comm="consoletype" name="console" dev=sda5 ino=734292 |
| 93 |
scontext=system_u:system_r:consoletype_t |
| 94 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 95 |
audit(1182137417.035:17): avc: denied { ioctl } for pid=994 |
| 96 |
comm="consoletype" name="console" dev=sda5 ino=734292 |
| 97 |
scontext=system_u:system_r:consoletype_t |
| 98 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 99 |
audit(1182137417.082:18): avc: denied { ioctl } for pid=997 |
| 100 |
comm="stty" name="console" dev=sda5 ino=734292 |
| 101 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t |
| 102 |
tclass=chr_file |
| 103 |
audit(1182137417.172:19): avc: denied { getattr } for pid=970 |
| 104 |
comm="bash" name="null" dev=sda5 ino=733068 |
| 105 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t |
| 106 |
tclass=chr_file |
| 107 |
audit(1182137417.196:20): avc: denied { read write } for pid=1001 |
| 108 |
comm="dmesg" name="console" dev=sda5 ino=734292 |
| 109 |
scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t |
| 110 |
tclass=chr_file |
| 111 |
audit(1182137417.220:21): avc: denied { read write } for pid=1004 |
| 112 |
comm="mount" name="console" dev=sda5 ino=734292 |
| 113 |
scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t |
| 114 |
tclass=chr_file |
| 115 |
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs |
| 116 |
audit(1182137417.478:22): avc: denied { read write } for pid=1038 |
| 117 |
comm="restorecon" name="console" dev=sda5 ino=734292 |
| 118 |
scontext=system_u:system_r:restorecon_t |
| 119 |
tcontext=system_u:object_r:file_t tclass=chr_file |
| 120 |
audit(1182137417.716:23): avc: denied { write } for pid=1042 |
| 121 |
comm="bash" name="null" dev=tmpfs ino=2106 |
| 122 |
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t |
| 123 |
tclass=chr_file |
| 124 |
audit(1182137417.875:24): avc: denied { read write } for pid=1062 |
| 125 |
comm="udevd" name="console" dev=sda5 ino=734292 |
| 126 |
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t |
| 127 |
tclass=chr_file |
| 128 |
audit(1182137418.770:25): avc: denied { read } for pid=1194 |
| 129 |
comm="modprobe" name="console" dev=tmpfs ino=2100 |
| 130 |
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t |
| 131 |
tclass=chr_file |
| 132 |
audit(1182137424.374:26): avc: denied { getattr } for pid=2059 |
| 133 |
comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100 |
| 134 |
scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t |
| 135 |
tclass=file |
| 136 |
audit(1182137424.376:27): avc: denied { read } for pid=2112 |
| 137 |
comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 |
| 138 |
scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t |
| 139 |
tclass=file |
| 140 |
-- |
| 141 |
gentoo-hardened@g.o mailing list |
Archives