Author: inch (n00b), Joined: 04 Mar 2012, Posts: 17

Posted: Mon Mar 12, 2012 7:12 pm Post subject: SELinux AVC denies at boot
Hello, I'm having problems with my Hardened Gentoo and SELinux kernel, to be more precise with the filesystems.
This is from dmesg:
```
Mar 12 19:15:04 localhost kernel: [ 1.961353] type=1400 audit(1331576099.547:3): avc: denied { read } for pid=1 comm="init" name="ld.so.cache" dev=md2 ino=971 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 1.961428] type=1400 audit(1331576099.547:4): avc: denied { open } for pid=1 comm="init" name="ld.so.cache" dev=md2 ino=971 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 1.961506] type=1400 audit(1331576099.547:5): avc: denied { getattr } for pid=1 comm="init" path="/etc/ld.so.cache" dev=md2 ino=971 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 2.009915] type=1400 audit(1331576099.595:6): avc: denied { read } for pid=1149 comm="rc" name="ld.so.cache" dev=md2 ino=971 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 2.009993] type=1400 audit(1331576099.595:7): avc: denied { open } for pid=1149 comm="rc" name="ld.so.cache" dev=md2 ino=971 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 2.200480] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Mar 12 19:15:04 localhost kernel: [ 2.260640] type=1400 audit(1331576099.847:8): avc: denied { execute } for pid=1169 comm="rc" path="/lib/rc/runscript_selinux.so" dev=md2 ino=1287 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 2.319301] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Mar 12 19:15:04 localhost kernel: [ 2.361021] type=1400 audit(1331576099.947:9): avc: denied { read } for pid=1189 comm="runscript.sh" name="restorecon" dev=md2 ino=1315 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=lnk_file
Mar 12 19:15:04 localhost kernel: [ 2.361404] type=1400 audit(1331576099.947:10): avc: denied { execute_no_trans } for pid=1197 comm="runscript.sh" path="/sbin/setfiles" dev=md2 ino=1297 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
```
```
Mar 12 19:15:04 localhost kernel: [ 5.132080] type=1400 audit(1331576102.392:65): avc: denied { write } for pid=1467 comm="rm" name="console" dev=md2 ino=1513 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 12 19:15:04 localhost kernel: [ 5.132090] type=1400 audit(1331576102.392:66): avc: denied { remove_name } for pid=1467 comm="rm" name="keymap" dev=md2 ino=385 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 12 19:15:04 localhost kernel: [ 5.132100] type=1400 audit(1331576102.392:67): avc: denied { unlink } for pid=1467 comm="rm" name="keymap" dev=md2 ino=385 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 5.229707] type=1400 audit(1331576102.492:68): avc: denied { create } for pid=1468 comm="mkdir" name=".test.1461" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
Mar 12 19:15:04 localhost kernel: [ 5.348217] type=1400 audit(1331576102.608:69): avc: denied { getattr } for pid=1522 comm="fuser" path="socket:[1074]" dev=sockfs ino=1074 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=unix_stream_socket
Mar 12 19:15:04 localhost kernel: [ 5.348386] type=1400 audit(1331576102.608:70): avc: denied { getattr } for pid=1523 comm="fuser" path="socket:[1075]" dev=sockfs ino=1075 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=netlink_kobject_uevent_socket
Mar 12 19:15:04 localhost kernel: [ 5.353354] type=1400 audit(1331576102.616:71): avc: denied { getattr } for pid=1555 comm="fuser" path="/sys/kernel/debug" dev=debugfs ino=1 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:debugfs_t tclass=dir
Mar 12 19:15:04 localhost kernel: [ 5.355496] type=1400 audit(1331576102.616:72): avc: denied { unlink } for pid=1565 comm="rm" name="syslog-ng.ctl" dev=md7 ino=2228230 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=sock_file
Mar 12 19:15:04 localhost kernel: [ 5.379676] type=1400 audit(1331576102.640:73): avc: denied { setattr } for pid=1569 comm="chmod" name="/" dev=md5 ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t tclass=dir
Mar 12 19:15:04 localhost kernel: [ 5.387467] type=1400 audit(1331576102.648:74): avc: denied { write } for pid=1571 comm="rm" name="tmux-1000" dev=md5 ino=14 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=dir
Mar 12 19:15:04 localhost kernel: [ 6.188543] md8: unknown partition table
Mar 12 19:15:04 localhost kernel: [ 6.237769] SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
```
/etc/fstab
```
/dev/md1 /boot ext4 defaults 1 2
/dev/md2 / ext4 defaults 0 1
/dev/md3 /home ext4 defaults 0 2
/dev/md4 /srv ext4 defaults 0 2
/dev/md5 /tmp ext4 defaults 0 2
/dev/md6 /usr ext4 defaults 0 2
/dev/md7 /var ext4 defaults 0 2
/dev/md8 none swap sw 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0
none /selinux selinuxfs defaults 0 0
```
The RAID components are assembled correctly but it fails to mount each of the devices. I followed the Gentoo Hardened SELinux Handbook and probably missed out somewhere around the filesystems part.
Not sure what exactly is the problem here, could you help me please?
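An added example, not part of the thread or anything either poster wrote: a small Python triage script for AVC lines of exactly the shape shown above. It uses only the standard library and assumes the dmesg/syslog format from the post; the sample lines embedded in it are copied from that output, with one non-AVC line included to show it is skipped. What it surfaces for this log is the detail worth acting on: the target context on almost every denial is `file_t`, which under the reference policy is the type an inode carries when it has no SELinux label at all, so the denials describe an unlabeled filesystem rather than a missing allow rule.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials from dmesg/syslog text.

Added example for this thread (not the poster's code). It parses AVC lines,
counts denials by (source domain, target type, object class, permission) and
lists every object whose target type is file_t, the type the reference policy
assigns to inodes that carry no label (i.e. a filesystem never relabeled, or
one that lost its labels).
"""
import re
from collections import defaultdict

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: four lines copied from the thread's dmesg output, one of them
# a non-AVC line so the parser's skip path is exercised.
SAMPLE_LOG = """\
Mar 12 19:15:04 localhost kernel: [ 1.961353] type=1400 audit(1331576099.547:3): avc: denied { read } for pid=1 comm="init" name="ld.so.cache" dev=md2 ino=971 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 2.200480] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Mar 12 19:15:04 localhost kernel: [ 2.260640] type=1400 audit(1331576099.847:8): avc: denied { execute } for pid=1169 comm="rc" path="/lib/rc/runscript_selinux.so" dev=md2 ino=1287 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
Mar 12 19:15:04 localhost kernel: [ 5.348217] type=1400 audit(1331576102.608:69): avc: denied { getattr } for pid=1522 comm="fuser" path="socket:[1074]" dev=sockfs ino=1074 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t tclass=unix_stream_socket
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize(log_text):
    """Count denials per (sdomain, ttype, tclass, perm); collect file_t objects."""
    counts = defaultdict(int)
    unlabeled = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['sdomain'], rec['ttype'], rec['tclass'], perm)] += 1
        if rec['ttype'] == 'file_t':
            unlabeled.add(rec['path'])
    return dict(counts), sorted(unlabeled)


def report(log_text):
    """Human-readable triage: a denial table, then the unlabeled-object verdict."""
    counts, unlabeled = summarize(log_text)
    lines = ['%-10s %-16s %-24s %-10s %s' % ('sdomain', 'ttype', 'tclass', 'perm', 'n')]
    for key in sorted(counts):
        lines.append('%-10s %-16s %-24s %-10s %d' % (key + (counts[key],)))
    if unlabeled:
        lines.append('')
        lines.append('%d object(s) carry the unlabeled type file_t; an allow rule '
                     'will not fix that, a relabel will:' % len(unlabeled))
        lines.extend('  ' + p for p in unlabeled)
    return '\n'.join(lines)


if __name__ == '__main__':
    import sys
    # Read a log from stdin when piped; fall back to the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else ''
    print(report(text or SAMPLE_LOG))
```

Pipe `dmesg` into it (or run it with no input to see the sample). If the file_t list is long and mostly under `/`, `/lib`, `/sbin` and `/etc`, the filesystem simply was not relabeled against the policy's file contexts after SELinux was set up; that is the step to redo (with setfiles or restorecon, which the denials above show the boot scripts themselves trying to run) before writing any policy.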
Author: vaxbrat (l33t), Joined: 05 Oct 2005, Posts: 731, Location: DC Burbs

Posted: Wed Mar 21, 2012 5:05 am Post subject: shooting from the hip
It's been a while since I've dabbled with selinux, but I did run into a couple of things in the past that are labeling related. This may also help you with your other thread.
Your boot process involves a point where selinux is enabled and udev has yet to plumb everything up. Look at the /dev filesystem before udev overlays it with its own work:
```sh
mkdir /mnt/rawroot
mount --bind / /mnt/rawroot
```
The dev tree underneath /mnt/rawroot will show everything hiding underneath the udev overlay.
When you build your software raid, are you using an initial ram device or just pulling the old trick where you label the partitions with an old version tag that still allows the kernel to autoassemble? (0.9 I think)
Are you taking into account whether selinux is enabled with /selinux mounted during that initram phase? If not, you will be stomping all over various trees with selinux maybe not enabled thus losing whatever context may have been labeled. I have yet to mess with both selinux and a software mirror or raid at the same time.