Re: selinux-policy-strict-1.13.9-1, difficulty.

Ivan Gyurdiev wrote:

Test Results: selinux-policy-strict-1.13.9-1
Kernel: 2.6.7-1.456

I relabeled in permissive mode prior to running in enforcing mode.
However, I notice things that didn't get labeled. I've been running the targeted policy prior to this - perhaps that's a
factor. Also I use tmpfs, which I think causes some of the issues (but
def. not all).


In /var/log/dmesg (early before init):

UNLABELED:

    path = /initrd/dev/root
    dev = ram0
    tclass = blk_file
    denied { getattr } exe = /bin/bash
    scontext = system_u:system_r:initrc_t
    tcontext = system_u:object_r:unlabeled_t

HOTPLUG:

    path = /etc/hotplug.d/default/udev.hotplug
    tclass = file
    denied { getattr } exe = /bin/bash
    scontext = system_u:system_r:hotplug_t
    tcontext = system_u:object_r:udev_helper_exec_t

    name = dbus
    tclass = dir
    denied { search } exe = /usr/libexec/hal.hotplug
    scontext = system_u:system_r:hotplug_t
    tcontext = system_u:object_r:dbus_var_run_t


LVM:

    name = control
    tclass = chr_file
    denied { unlink } exe = /bin/rm
    scontext = system_u:system_r:initrc_t
    tcontext = system_u:object_r:lvm_control_t

    name = selinux or var
    tclass = dir
    denied { search } exe = /sbin/lvm.static
    scontext = system_u:system_r:lvm_t
    tcontext = system_u:object_r:selinux_config_t (for selinux)
    tcontext = system_u:object_r:var_t (for var)

Others:

    name = config
    tclass = file
    denied { read } exe = /usr/bin/id
    scontext = system_u:system_r:initrc_t
    tcontext = system_u:object_r:selinux_config_t


tmpfs being a problem?
======================

    dev = tmpfs
    tclass = dir
    denied { read } exe = /bin/bash
    scontext = system_u:system_r:initrc_t
    tcontext = system_u:object_r:tmpfs_t

===============================================

In /var/log/messages:

UNLABELED:
	
    path = /etc/ld.so.cache
    tclass = file
    denied { getattr } exe = /bin/env
    scontext = system_u:system_r:kernel_t
    tcontext = system_u:object_r:unlabeled_t

    dev = pipefs
    path = pipe:[851]
    tclass = fifo_file
    denied { getattr } { write } exe = /bin/env
    scontext = system_u:system_r:kernel_t
    tcontext = system_u:object_r:unlabeled_t

    path = /lib/ld-2.3.3.so
    tclass = file
    denied { read } exe = /bin/bash
    scontext = system_u:system_r:kernel_t
    tcontext = system_u:object_r:unlabeled_t

HOTPLUG:

    name = hotplug
    tclass = dir
    denied { search } exe = /bin/bash
    scontext = system_u:system_r:kernel_t
    tcontext = system_u:object_r:hotplug_etc_t

    name = hal.hotplug
    tclass = lnk_file
    denied { read } exe = /bin/bash
    scontext = system_u:system_r:kernel_t
    tcontext = system_u:object_r:etc_t

    path = /etc/hotplug.d/default/udev.hotplug
    tclass = file
    denied { getattr } exe = /bin/bash
    scontext = system_u:system_r:kernel_t
    tcontext = system_u:object_r:udev_helper_exec_t

VAR:
	name = var
	tclass = dir
	denied { search } exe = /bin/bash
	denied { search } exe = /sbin/lvm.static
	scontext = system_u:system_r:kernel_t (bash)
	scontext = system_u:system_r:lvm_t (lvm.static)
	tcontext = system_u:object_r:var_t

...some of the errors from /var/log/dmesg repeat...
Also
	dev = selinuxfs
	tclass = dir
	denied { search } exe = /bin/bash
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:security_t

More tmpfs denies...


READAHEAD:

	name = aliases
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:etc_aliases_t

	name = crontab
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:system_cron_spool_t

	name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:sshd_key_t

	name = dhclient-eth0.leases
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:dhcpc_state_t

	name = state
	tclass = file
	denied { read } exe = /usr/sbin/readahead
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:var_lib_nfs_t

MODPROBE:
	
	dev = proc
	path = /proc/sys/dev/parport/parport0/autoprobe
	tclass = file
	denied { read } exe = /sbin/modprobe
	scontext = system_u:system_r:insmod_t
	tcontext = system_u:object_r:sysctl_dev_t

KLOGD (this was there in the last version too):
	name = System.map
	tclass = lnk_file
	denied { read } exe = /sbin/klogd
	scontext = system_u:system_r:klogd_t
	tcontext = system_u:object_r:boot_t

SELINUX:

	name = config
	tclass = file
	denied { read } exe = /usr/bin/selinuxenabled
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:selinux_config_t

I think there was one for ls trying to read selinux files too, but I
lost it. Also:

	name = config
	tclass = file
	denied { read } exe = /usr/bin/find
	scontext = system_u:system_r:initrc_t
	tcontext = system_u:object_r:selinux_config_t

Then there's all the httpd errors I posted in my other two mails (on
previous versions).

Then I get about a million of those:

	class = tcp_socket
	denied { name_bind } exe = /usr/sbin/htt_server
	scontext = user_u:user_r:user_t
	tcontext = system_u:object_r:port_t

until I log in and kill htt_server.



Sorry for the long post :)
I won't test the target policy anymore since it isn't very interesting
in my case - the only daemon I have that it protects is httpd.

------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list


Please attach the AVC messages. The problems are probably being caused by an update to other applications like hotplug.

Dan
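The grouping Ivan did by hand above (same source context, target type and class) is what audit2allow-style triage does on raw AVC lines, and unlabeled_t targets point at a relabel problem rather than a missing allow rule. As an added example that is not from this thread, this Python does that grouping on 2.6-era kernel AVC lines; the sample lines are constructed after the denials in the report, and the classification rules in triage() are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the 2.6-era kernel AVC format, modelled on the
# denials in the report above (not copied from the poster's logs).
SAMPLE_AVC = """\
audit(1090000001.123:0): avc:  denied  { getattr } for  pid=412 exe=/bin/bash path=/initrd/dev/root dev=ram0 ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:unlabeled_t tclass=blk_file
audit(1090000003.789:0): avc:  denied  { read } for  pid=612 exe=/usr/sbin/readahead name=ssh_host_rsa_key dev=hda1 ino=34 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_key_t tclass=file
audit(1090000004.000:0): avc:  denied  { read } for  pid=613 exe=/usr/sbin/readahead name=ssh_host_dsa_key dev=hda1 ino=35 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_key_t tclass=file
audit(1090000005.000:0): avc:  denied  { read } for  pid=700 exe=/bin/bash dev=tmpfs ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC line (boot noise, other kernel messages)
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["result"] = m.group("result")
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def triage(rec):
    """Classify by target type; contexts here are user:role:type (no MLS level)."""
    ttype = rec["tcontext"].split(":")[2]
    if ttype == "unlabeled_t":
        return "relabel"   # object never got a label: fix by relabelling, not policy
    if ttype == "tmpfs_t":
        return "tmpfs"     # tmpfs contents are labelled at mount/creation time
    return "policy"        # candidate allow-rule gap (or wrong file_contexts entry)

def summarize(text):
    # Group denials by (scontext, tcontext, tclass), the way audit2allow does.
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "exes": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["scontext"], rec["tcontext"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["exes"].add(rec.get("exe", "?"))
        g["triage"] = triage(rec)
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_AVC).items()):
        print(f"{g['count']:3d} {g['triage']:8s} {src} -> {tgt} {cls} {sorted(g['perms'])}")
```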
