On Sat, 10 Jul 2004 16:57, Richard Hally <rhallyx@xxxxxxxxxxxxxx> wrote:
> Jul 10 02:44:08 new2 richard: now doing logrotate
> Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied {
> transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups
> dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t
> tcontext=root:system_r:initrc_t tclass=process

The role sysadm_r is not permitted to have domain initrc_t.  The options for
solving this are:
1: role sysadm_r types initrc_t;
2: role_transition sysadm_r initrc_exec_t system_r;
   domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
3: role_transition sysadm_r logrotate_exec_t system_r;

In option 2 the domain_auto_trans() is needed to prevent the command
/etc/init.d/whatever from ending up in the context root:system_r:sysadm_t,
which is not a valid context.

The problem with option 1 is that initrc_t then launches other domains, so it
doesn't work.

Steve, what do you think about option 2 vs option 3?

> Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied {
> use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2
> ino=1064669 scontext=root:system_r:consoletype_t
> tcontext=root:sysadm_r:logrotate_t tclass=fd

I guess we need a dontaudit rule for that, as there is:
can_exec(logrotate_t, consoletype_exec_t)

So I put the following in logrotate.te:
dontaudit consoletype_t logrotate_t:fd use;

> Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
> Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied {
> ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
> ino=2 scontext=root:system_r:cupsd_t
> tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
> Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied {
> getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
> ino=2 scontext=root:system_r:cupsd_t
> tcontext=root:object_r:sysadm_devpts_t tclass=chr_file

The attached patch takes care of that.

> Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied {
> read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311
> scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t
> tclass=file

In enforcing mode access to the parent directory is denied, and that file
will never be accessed.

> Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied {
> read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871
> scontext=root:system_r:cupsd_t
> tcontext=system_u:object_r:selinux_config_t tclass=file

Maybe we should change id to read /proc/self/attr/current directly?  We
don't want to have to put in allow or dontaudit rules for every shell script
that runs "id".

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
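The AVC lines quoted in this message, run through a small triage script (an added example, not code from the thread or from the policy tree) that parses the 2004-era `audit(...): avc: denied { perm } for ...` format and separates a denied process transition whose source and target roles differ, which is the role/domain problem the reply diagnoses, from ordinary type-enforcement denials, for which it prints an audit2allow-style candidate rule. The sample log is constructed from the quoted lines, and the role-mismatch heuristic is an assumption drawn from the reply, not SELinux's own decision logic.

```python
import re

# Constructed sample: three of the AVC lines quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = """\
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]*)\} for (?P<fields>.*)$")

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))   # pid=, exe=, scontext=, ...
    for side in ("scontext", "tcontext"):
        # A security context is user:role:type (any MLS level after that is ignored here).
        _user, role, typ = rec[side].split(":")[:3]
        rec[side + "_role"], rec[side + "_type"] = role, typ
    return rec

def triage(rec):
    """Heuristic taken from the reply (an assumption, not kernel logic): a denied
    process transition whose source and target roles differ is a role/domain problem
    (role_transition or 'role ... types'), so an allow rule would be the wrong fix.
    Anything else is a plain type-enforcement denial; the candidate rule is printed
    audit2allow-style and a reviewer still chooses between allow and dontaudit (the
    thread used dontaudit for the fd 'use' case because the access is not needed)."""
    if (rec["tclass"] == "process" and "transition" in rec["perms"]
            and rec["scontext_role"] != rec["tcontext_role"]):
        return ("role_mismatch",
                f"transition {rec['scontext_type']} -> {rec['tcontext_type']} crosses roles "
                f"{rec['scontext_role']} -> {rec['tcontext_role']}; needs a role rule, not allow")
    perms = " ".join(rec["perms"])
    return ("type_denial",
            f"allow {rec['scontext_type']} {rec['tcontext_type']}:{rec['tclass']} {{ {perms} }};")

def triage_log(text):
    """Triage every AVC denial in a log; non-AVC lines (logrotate chatter etc.) are skipped."""
    return [triage(rec) for rec in map(parse_avc, text.splitlines()) if rec]

if __name__ == "__main__":
    for kind, msg in triage_log(SAMPLE_LOG):
        print(f"{kind:14} {msg}")
```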
--- macros/global_macros.te 2004-07-11 16:32:30.000000000 +1000 +++ macros/global_macros.te.new 2004-07-11 16:33:12.000000000 +1000 @@ -326,7 +326,7 @@ read_sysctl($1_t) ifdef(`direct_sysadm_daemon', ` -dontaudit $1_t admin_tty_type:chr_file { read write }; +dontaudit $1_t admin_tty_type:chr_file rw_file_perms; ') #
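Review bot: widening this dontaudit from `{ read write }` to `rw_file_perms` silences more than the two denials in the cups log (ioctl and getattr on sysadm_devpts_t), since rw_file_perms also covers lock and append, and because the rule lives in global_macros.te under the `direct_sysadm_daemon` ifdef with `$1_t` as the domain it applies to every daemon domain built with this macro, not to cupsd_t alone. The minimal change that matches the reported denials would be `dontaudit $1_t admin_tty_type:chr_file { read write ioctl getattr };`; if the broader set is intended, a comment naming the daemons seen probing the admin tty would help the next reader (dontaudit only hides the messages, so nothing is granted either way).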