Re: selinux-policy-strict-1.13.9-1, difficulty.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Test Results: selinux-policy-strict-1.13.9-1
Kernel: 2.6.7-1.456

I relabeled in permissive mode prior to running in enforcing mode.
However, I notice things that didn't get labeled. 
I've been running the targeted policy prior to this - perhaps that's a
factor. Also I use tmpfs, which I think causes some of the issues (but
def. not all).

In /var/log/dmesg (early before init):

UNLABELED:

     path = /initrd/dev/root
     dev = ram0
     tclass = blk_file
     denied { getattr } exe = /bin/bash
     scontext = system_u:system_r:initrc_t
     tcontext = system_u:object_r:unabeled_t

HOTPLUG:

     path = /etc/hotplug.d/default/udev.hotplug
     tclass = file
     denied { getattr } exe = /bin/bash
     scontext = system_u:system_r:hotplug_t
     tcontext = system_u:object_r:udev_helper_exec_t

     name = dbus
     tclass = dir
     denied { search } exe = /usr/libexec/hal.hotplug
     scontext = system_u:system_r:hotplug_t
     tcontext = system_u:object_r:dbus_var_run_t


LVM:
     name = control
     tclass = chr_file
     denied { unlink } exe = /bin/rm
     scontext = system_u:system_r:initrc_t
     tcontext = system_u:object_r:lvm_control_t

     name = selinux or var
     tclass = dir
     denied { search } exe = /sbin/lvm.static
     scontext = system_u:system_r:lvm_t
     tcontext = system_u:object_r:selinux_config_t (for selinux)
     tcontext = system_u:object_r:var_t (for var)

Others:

     name = config
     tclass = file
     denied { read } exe = /usr/bin/id
     scontext = system_u:system_r:initrc_t
     tcontext = system_u:object_r:selinux_config_t


     tmpfs being a problem?
     ======================
     dev = tmpfs
     tclass = dir
     denied { read } exe = /bin/bash
     scontext = system_u:system_r:initrc_t
     tcontext = system_u:object_r:tmpfs_t

===============================================

In /var/log/messages:

UNLABELED:
	
     path = /etc/ld.so.cache
     tclass = file
     denied { getattr } exe = /bin/env
     scontext = system_u:system_r:kernel_t
     tcontext = system_u:object_r:unlabeled_t

     dev = pipefs
     path = pipe:[851]
     tclass = fifo_file
     denied { getattr } { write } exe = /bin/env
     scontext = system_u:system_r:kernel_t
     tcontext = system_u:object_r:unabeled_t

     path = /lib/ld-2.3.3.so
     tlcass = file
     denied { read } exe = /bin/bash
     scontext = system_u:system_r:kernel_t
     tcontext = system_u:object_r:unlabeled_t

HOTPLUG:

     name = hotplug
     tclass = dir
     denied { search } exe = /bin/bash
     scontext = system_u:system_r:kernel_t
     tcontext = system_u:object_r:hotplug_etc_t

     name = hal.hotplug
     tclass = lnk_file
     denied { read } exe = /bin/bash
     scontext = system_u:system_r:kernel_t
     tcontext = system_u:object_r:etc_t

     path = /etc/hotplug.d/default/udev.hotplug
     tclass = file
     denied { getattr } exe = /bin/bash
     scontext = system_u:system_r:kernel_t
     tcontext = system_u:object_r:udev_helper_exec_t

VAR
	name = var
	tclass = dir
	denied { search } exe = /bin/bash
	denied { search } exe = /sbin/lvm_static
	scontext = system_u:system_r:kernel_t (bash)
	scontext = system_u:system_r:lvm_t (lvm_static)
	tcontext = system_u:object_r:var_t

...some of the errors from /var/log/dmesg repeat...
Also
	dev = selinuxfs
	tclass = dir
	denied { search } exe = /bin/bash
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:security_t

More tmpfs denies...


READAHEAD:

	name = aliases
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:etc_aliases_t

	name = crontab
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:system_cron_spool_t

	name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:sshd_key_t

	name = dhclient-eth0.leases
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:dhcpc_state_t

	name = state
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:var_lib_nfs_t

MODPROBE
	
	dev = proc
	path = /proc/sys/dev/parport/parport0/autoprobe
	tclass = file
	denied { read } exe = /sbin/modprobe
	scontext = system_u:system_r:insmod_t
	tcontext = system_u:object_r:sysctl_dev_t

KLOGD (this was there in the last version too)
	name = System.map
	tclass = lnk_file
	denied { read } exe = /sbin/klogd
	scontext = system_u:system_r:klogd_t
	tcontext = system_u:object_r:boot_t

SELINUX

	name = config
	tclass = file
	denied { read } exe = /usr/bin/selinuxenabled
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:selinux_config_t

I think there was one for ls trying to read selinux files too, but I
lost it. Also:

	name = config
	tclass = file
	denied { read } exe = /usr/bin/find
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:selinux_config_t

Then there's all the httpd errors I posted in my other two mails (on
previous versions).

Then I get about a million of those:

	class = tcp_socket
	denied { name_bind } exe = /usr/sbin/htt_server
	scontext = user_u:user_r:user_t
	tcontext = system_u:object_r:port_t
	

	until I log in and kill htt_server.\



Sorry for the long post :)
I won't test the target policy anymore since it isn't very interesting
in my case - the only daemon I have that it protects is httpd. 


Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux