Test Results: selinux-policy-strict-1.13.9-1
Kernel: 2.6.7-1.456

I relabeled in permissive mode prior to running in enforcing mode. However, I notice things that didn't get labeled. I've been running the targeted policy prior to this - perhaps that's a factor. Also I use tmpfs, which I think causes some of the issues (but def. not all).

In /var/log/dmesg (early, before init):

UNLABELED:
  path = /initrd/dev/root dev = ram0 tclass = blk_file denied { getattr }
  exe = /bin/bash
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:unlabeled_t

HOTPLUG:
  path = /etc/hotplug.d/default/udev.hotplug tclass = file denied { getattr }
  exe = /bin/bash
  scontext = system_u:system_r:hotplug_t
  tcontext = system_u:object_r:udev_helper_exec_t

  name = dbus tclass = dir denied { search }
  exe = /usr/libexec/hal.hotplug
  scontext = system_u:system_r:hotplug_t
  tcontext = system_u:object_r:dbus_var_run_t

LVM:
  name = control tclass = chr_file denied { unlink }
  exe = /bin/rm
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:lvm_control_t

  name = selinux or var tclass = dir denied { search }
  exe = /sbin/lvm.static
  scontext = system_u:system_r:lvm_t
  tcontext = system_u:object_r:selinux_config_t (for selinux)
  tcontext = system_u:object_r:var_t (for var)

Others:
  name = config tclass = file denied { read }
  exe = /usr/bin/id
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:selinux_config_t

tmpfs being a problem?
  dev = tmpfs tclass = dir denied { read }
  exe = /bin/bash
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:tmpfs_t

In /var/log/messages:

UNLABELED:
  path = /etc/ld.so.cache tclass = file denied { getattr }
  exe = /bin/env
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:unlabeled_t

  dev = pipefs path = pipe:[851] tclass = fifo_file denied { getattr } { write }
  exe = /bin/env
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:unlabeled_t

  path = /lib/ld-2.3.3.so tclass = file denied { read }
  exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:unlabeled_t

HOTPLUG:
  name = hotplug tclass = dir denied { search }
  exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:hotplug_etc_t

  name = hal.hotplug tclass = lnk_file denied { read }
  exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:etc_t

  path = /etc/hotplug.d/default/udev.hotplug tclass = file denied { getattr }
  exe = /bin/bash
  scontext = system_u:system_r:kernel_t
  tcontext = system_u:object_r:udev_helper_exec_t

VAR:
  name = var tclass = dir denied { search }
  exe = /bin/bash (and /sbin/lvm.static)
  scontext = system_u:system_r:kernel_t (bash)
  scontext = system_u:system_r:lvm_t (lvm.static)
  tcontext = system_u:object_r:var_t

...some of the errors from /var/log/dmesg repeat...

Also:
  dev = selinuxfs tclass = dir denied { search }
  exe = /bin/bash
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:security_t

More tmpfs denies...

READAHEAD:
  name = aliases tclass = file denied { read }
  exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:etc_aliases_t

  name = crontab tclass = file denied { read }
  exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:system_cron_spool_t

  name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key tclass = file denied { read }
  exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:sshd_key_t

  name = dhclient-eth0.leases tclass = file denied { read }
  exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:dhcpc_state_t

  name = state tclass = file denied { read }
  exe = /usr/sbin/readahead
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:var_lib_nfs_t

MODPROBE:
  dev = proc path = /proc/sys/dev/parport/parport0/autoprobe tclass = file denied { read }
  exe = /sbin/modprobe
  scontext = system_u:system_r:insmod_t
  tcontext = system_u:object_r:sysctl_dev_t

KLOGD (this was there in the last version too):
  name = System.map tclass = lnk_file denied { read }
  exe = /sbin/klogd
  scontext = system_u:system_r:klogd_t
  tcontext = system_u:object_r:boot_t

SELINUX:
  name = config tclass = file denied { read }
  exe = /usr/bin/selinuxenabled
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:selinux_config_t

I think there was one for ls trying to read selinux files too, but I lost it.

Also:
  name = config tclass = file denied { read }
  exe = /usr/bin/find
  scontext = system_u:system_r:initrc_t
  tcontext = system_u:object_r:selinux_config_t

Then there's all the httpd errors I posted in my other two mails (on previous versions).

Then I get about a million of those:
  tclass = tcp_socket denied { name_bind }
  exe = /usr/sbin/htt_server
  scontext = user_u:user_r:user_t
  tcontext = system_u:object_r:port_t
until I log in and kill htt_server.

Sorry for the long post :) I won't test the targeted policy anymore since it isn't very interesting in my case - the only daemon I have that it protects is httpd.
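As an added example (not part of the original mail or the policy package), a small Python triage script for denials written in the abbreviated form used above: it separates denials whose target is unlabeled_t (a labeling problem, fixed by a relabel) from real policy gaps, and for the latter prints audit2allow-style candidate rules for review. The sample lines are constructed from entries in the report, not copied from an audit log.

```python
import re
from collections import defaultdict

# Constructed sample in the abbreviated form used in the report above
# (not taken verbatim from a real audit log).
SAMPLE = """\
path = /etc/ld.so.cache tclass = file denied { getattr } exe = /bin/env scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:unlabeled_t
name = System.map tclass = lnk_file denied { read } exe = /sbin/klogd scontext = system_u:system_r:klogd_t tcontext = system_u:object_r:boot_t
name = config tclass = file denied { read } exe = /usr/bin/id scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:selinux_config_t
name = config tclass = file denied { read } exe = /usr/bin/find scontext = system_u:system_r:initrc_t tcontext = system_u:object_r:selinux_config_t
dev = pipefs path = pipe:[851] tclass = fifo_file denied { getattr } { write } exe = /bin/env scontext = system_u:system_r:kernel_t tcontext = system_u:object_r:unlabeled_t
"""

FIELD = re.compile(r"(tclass|exe|scontext|tcontext) = (\S+)")
PERMS = re.compile(r"denied((?: \{ \w+ \})+)")

def parse(text):
    """Turn each abbreviated denial line into a dict of its fields."""
    records = []
    for line in text.splitlines():
        if "denied" not in line:
            continue
        rec = dict(FIELD.findall(line))
        m = PERMS.search(line)
        rec["perms"] = set(re.findall(r"\w+", m.group(1))) if m else set()
        records.append(rec)
    return records

def type_of(ctx):
    """user:role:type -> type"""
    return ctx.split(":")[2]

def triage(records):
    """Split denials into relabel work and candidate allow rules."""
    relabel, rules = set(), defaultdict(set)
    for r in records:
        tt = type_of(r["tcontext"])
        if tt == "unlabeled_t":
            relabel.add(r["exe"])  # target had no label: fix labeling, not policy
            continue
        rules[(type_of(r["scontext"]), tt, r["tclass"])] |= r["perms"]
    return relabel, rules

def allow_rules(rules):
    """Render merged (source, target, class) -> perms as allow rules."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in rules.items())

if __name__ == "__main__":
    relabel, rules = triage(parse(SAMPLE))
    print("relabel needed for targets hit by:", sorted(relabel))
    print("\n".join(allow_rules(rules)))
```

The generated rules are a starting point for reading the policy, not something to load as-is: a read of selinux_config_t by initrc_t may be intended to stay denied.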