Dear list,

I am trying to implement SELinux strict policy on a fresh gentoo
hardened system.
Versions:
sec-policy/selinux-base-policy 20070928

Obviously, the SELinux base policy does not even provide rules for those
devices initialized at bootup.

When doing "dmesg | grep avc" I see lots of access denials:

[ 5.227966] type=1400 audit(1238350085.227:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.233747] type=1400 audit(1238350085.233:4): avc: denied { ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda4 ino=413527 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.308967] type=1400 audit(1238350085.308:5): avc: denied { read write } for pid=806 comm="rc" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.716816] type=1400 audit(1238350085.716:6): avc: denied { read write } for pid=808 comm="consoletype" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.718371] type=1400 audit(1238350085.718:7): avc: denied { search } for pid=808 comm="consoletype" name="dev" dev=sda4 ino=337142 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=dir
[ 5.719875] type=1400 audit(1238350085.719:8): avc: denied { getattr } for pid=808 comm="consoletype" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.720133] type=1400 audit(1238350085.719:9): avc: denied { ioctl } for pid=808 comm="consoletype" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.786111] type=1400 audit(1238350085.785:10): avc: denied { ioctl } for pid=811 comm="stty" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.840322] type=1400 audit(1238350085.840:11): avc: denied { getattr } for pid=806 comm="bash" path="/dev/null" dev=sda4 ino=415908 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.872433] type=1400 audit(1238350085.872:12): avc: denied { read write } for pid=815 comm="dmesg" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.886838] type=1400 audit(1238350085.886:13): avc: denied { read write } for pid=818 comm="mount" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:mount_t tcontext=root:object_r:file_t tclass=chr_file

1. What am I doing wrong? Does a policy exist for those cases and I did
   not install it?
2. If not, how can I get rid of these, since I understand that these
   denials would prevent my system from booting once the audit mode is
   left?

box ~ # sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict

Process contexts:
Current context:                root:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               root:object_r:sysadm_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Thanks in advance!

Dominik
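Every denial in the post has tcontext type file_t, the type a filesystem object gets when it carries no SELinux label, so the distinction that matters when triaging such output is "target is unlabeled, relabel it" versus "target is labeled, the policy lacks a rule". The following is an added example, not code from the poster or from the Gentoo policy; it parses AVC lines of the format shown above (a few of them re-joined onto single lines, plus one constructed labeled-target denial for contrast) and sorts them into those two buckets. The set UNLABELED_TYPES and the grouping keys are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample: three denials quoted in the post, re-joined onto one line
# each as the kernel prints them, plus one constructed denial against a labeled
# target (var_log_t) so both triage branches are exercised.
SAMPLE_DMESG = """\
[    5.227966] type=1400 audit(1238350085.227:3): avc:  denied  { read write } for  pid=1 comm="init" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[    5.718371] type=1400 audit(1238350085.718:7): avc:  denied  { search } for  pid=808 comm="consoletype" name="dev" dev=sda4 ino=337142 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=dir
[    5.840322] type=1400 audit(1238350085.840:11): avc:  denied  { getattr } for  pid=806 comm="bash" path="/dev/null" dev=sda4 ino=415908 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[    9.000000] type=1400 audit(1238350089.000:20): avc:  denied  { write } for  pid=900 comm="sshd" path="/var/log/wtmp" dev=sda4 ino=1 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:var_log_t tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types meaning "no usable label on disk": the fix is a relabel
# (restorecon / setfiles), not a new allow rule.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type[:range]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(dmesg_text):
    """Split denials into (relabel, policy) counters.

    relabel: (source type, target path/name, class) -> number of denied permissions
    policy:  (source type, target type, class)      -> number of denial records
    """
    relabel, policy = Counter(), Counter()
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        target = rec.get("path") or rec.get("name", "?")
        if rec["ttype"] in UNLABELED_TYPES:
            relabel[(rec["stype"], target, rec["tclass"])] += len(rec["perms"])
        else:
            policy[(rec["stype"], rec["ttype"], rec["tclass"])] += 1
    return relabel, policy
```

Run over the post's full dmesg output, every record lands in the relabel bucket, which points at missing labels under /dev rather than at missing policy rules.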