Hi, these are the results of running strict policy selinux.

Kernel: 2.6.7-1.448
Selinux-strict: 1.13.7-1
Filesystems: / is xfs, /tmp is tmpfs (is that a problem? xattrs?), /boot is ext3

I relabeled prior to running this test. I know there's a new version released today and I'll try that soon. I'm sorry if any of these are duplicates or have been fixed.

==================================================================
audit2allow:

allow dmesg_t staff_home_t:file { write };
allow dmesg_t user_home_t:file { write };
allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
allow httpd_t snmpd_var_lib_t:file { getattr write };
allow klogd_t boot_t:lnk_file { read };
allow lvm_t device_t:file { getattr };
allow lvm_t selinux_config_t:dir { search };
allow udev_t var_lock_t:dir { search };
allow xdm_xserver_t xdm_tmpfs_t:dir { getattr };
allow xfs_t tmpfs_t:dir { search };

====================================================================
Denies summary - all of those occur during normal startup, and the dmesg ones are me trying to pipe dmesg to a log file in my home folder as root.

LVM.STATIC

1) name = selinux
   tclass = dir
   denied { search }
   exe=lvm.static
   scontext = system_u:system_r:lvm_t
   tcontext = system_u:object_r:selinux_config_t

2) path = /dev/vcsa01 or /dev/vcsa05
   tclass = file
   denied { getattr }
   exe=lvm.static
   scontext = system_u:system_r:lvm_t
   tcontext = system_u:object_r:device_t

KLOGD

3) name = System.map
   tclass = lnk_file
   denied { read }
   exe=/sbin/klogd
   scontext = system_u:system_r:klog_t
   tcontext = system_u:object_r:boot_t

UDEV

4) name = lock
   tclass = dir
   denied { search }
   exe=/bin/bash
   scontext = system_u:system_r:udev_t
   tcontext = system_u:object_r:var_lock_t

HTTPD

5) name = /sbin or /usr/sbin
   tclass = dir
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:sbin_t

6) name = /bin or /usr/bin or /usr/X11R6/bin
   tclass = dir
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:bin_t

7) name = jk2.shm
   tclass = file
   denied { write }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:httpd_log_t

8) path = /usr/share/snmp/mibs/.index
   tclass = file
   denied { getattr }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:snmpd_var_lib_t

   name = .index
   tclass = file
   denied { write }
   exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:snmpd_var_lib_t

XFS

9) dev = tmpfs
   tclass = dir
   denied { search }
   exe = /usr/X11R6/bin/xfs
   scontext = system_u:system_r:xfs_t
   tcontext = system_u:object_r:tmpfs_t

Xorg

10) dev = tmpfs
    path = /tmp/.X11-unix
    tclass = dir
    denied { getattr }
    exe = /usr/X11R6/bin/Xorg
    scontext = system_u:system_r:xdm_xserver_t
    tcontext = system_u:object_r:xdm_tmpfs_t

Dmesg

11) path = /home/-username-/log
    tclass = file
    denied { write }
    exe = /bin/dmesg
    scontext = root:system_r:dmesg_t
    tcontext = root:object_r:user_home_t