Author: SnEptUne (l33t; Joined: 23 Aug 2004; Posts: 656)
Posted: Thu Oct 14, 2004 6:14 am
Post subject: SELinux avc denied?
Hi everyone,
I have recently converted to SELinux Hardened Gentoo from a normal Gentoo PPC installation. However, my boot messages and messages log are full of "avc: denied". It really renders my log more or less unusable. I can't run a server with all those errors. Moreover, webmin fails to start. Is it because SELinux isn't production ready? Any advice would be welcome.
_________________
"There will be more joy in heaven over the tear-bathed face of a repentant sinner than over the white robes of a hundred just men." (LM, 114)
Author: SnEptUne (l33t; Joined: 23 Aug 2004; Posts: 656)
Posted: Thu Oct 14, 2004 8:25 am
I checked my sestatus; the processes seem to run in an incorrect security context. Here's the output of my sestatus -v
Code:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17
Policy booleans:
user_ping inactive
Process contexts:
Current context: test:sysadm_r:sysadm_t
Init context: system_u:system_r:kernel_t
/sbin/agetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
Controlling term: unknown (Operation not supported)
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/gdm system_u:object_r:bin_t
/usr/X11R6/bin/xdm system_u:object_r:bin_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld.so.1 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
I have tried rlpkg sysvinit, rlpkg util-linux, and rlpkg openssh; however, they change nothing.
Author: sdwarfs (n00b; Joined: 06 Dec 2004; Posts: 5)
Posted: Mon Dec 06, 2004 11:22 am
I HAVE (not had) the same problem here...
Maybe it helps to do:
Quote:
cd /etc/security/selinux/src/
make load
make relabel

I personally can't do that now, as I can only remote-login to the server and sshd doesn't work because of all the labels set with the above commands. Since I did this I have these errors and my sshd doesn't work - the only way to access the server is rebooting with a kernel without SELinux...
Relabeling works only with a kernel with activated SELinux...
Stefan
PS: If you find a solution - let me know
Author: SnEptUne (l33t; Joined: 23 Aug 2004; Posts: 656)
Posted: Mon Dec 06, 2004 12:03 pm
sdwarfs wrote:
I HAVE (not had) the same problem here...
Maybe it helps to do:
Quote:
cd /etc/security/selinux/src/
make load
make relabel

I personally can't do that now, as I can only remote-login to the server and sshd doesn't work because of all the labels set with the above commands. Since I did this I have these errors and my sshd doesn't work - the only way to access the server is rebooting with a kernel without SELinux...
Relabeling works only with a kernel with activated SELinux...
Stefan
PS: If you find a solution - let me know

Unfortunately, relabeling the file system does not help at all.
Author: sdwarfs (n00b; Joined: 06 Dec 2004; Posts: 5)
Posted: Mon Dec 06, 2004 5:14 pm
Hello,
thanks for your answer in my thread...
I found the following website related to it, which provides a possible solution that doesn't work for me (I can't log in via ssh - but you seem to have direct root access):
Link: http://www.nsa.gov/selinux/list-archive/0309/5025.cfm
The solution provided there is:
Quote:
> login and not via ssh):
> 24176 195 root:staff_r:staff_t /usr/sbin/sshd
Firstly you should be sysadm_r:sysadm_t when you start daemons. Secondly you should use "run_init".
Do the following:
newrole -r sysadm_r
run_init /etc/init.d/sshd start
Then things should be fine.

I hope that helps... If that works - please let me know (I'm notified if you answer in this thread here - so you can post your answer here)
If so... I could think about how I could adapt that solution to my problem.
Stefan
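As an added example (not code from the thread or from any of its posters), a small POSIX shell helper that reads `sestatus -v` output in the shape SnEptUne posted and lists every entry in the "Process contexts:" section whose type is still kernel_t, which is the symptom both posters describe before the newrole/run_init fix above. The sample output is constructed to mirror the thread; on a live box you would feed it `"$(sestatus -v)"` instead.

```shell
#!/bin/sh
# Constructed sample in the shape of the thread's `sestatus -v` output
# (abridged; the process-context section is what matters here).
SAMPLE='SELinux status: enabled
Current mode: permissive
Process contexts:
Current context: test:sysadm_r:sysadm_t
Init context: system_u:system_r:kernel_t
/sbin/agetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
/sbin/init system_u:object_r:init_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t'

# stuck_in_domain OUTPUT [TYPE]
# Prints "<label> <type>" for every line between "Process contexts:" and
# "File contexts:" whose context type equals TYPE (default kernel_t).
# A daemon like sshd sitting in kernel_t means it never transitioned into
# its own domain (e.g. sshd_t), which is exactly what floods the log with
# "avc: denied" once the policy is enforced.
stuck_in_domain() {
    domain=${2:-kernel_t}
    printf '%s\n' "$1" | awk -v want="$domain" '
        /^Process contexts:/ { inproc = 1; next }
        /^File contexts:/    { inproc = 0 }
        inproc && NF >= 2 {
            ctx = $NF                        # user:role:type is the last field
            n = split(ctx, parts, ":")
            if (parts[n] == want) {
                label = $0
                sub(/[ \t]+[^ \t]+$/, "", label)   # drop the context, keep the label
                print label, parts[n]
            }
        }'
}

# Stand-alone run: report what is still in kernel_t in the constructed sample.
stuck_in_domain "$SAMPLE"
```

An empty result for kernel_t after `run_init` has restarted the daemons is the quick sanity check that the fix took.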