Strict policy test, 1.13.7-1, denies: lvm.static, klogd, udev, httpd, xfs, xorg, dmesg

Ivan Gyurdiev ivg2 at cornell.edu
Thu Jun 24 18:57:55 UTC 2004


Hi, these are the results of running strict policy selinux.
Kernel: 2.6.7-1.448
Selinux-strict: 1.13.7-1
Filesystems: / is xfs, /tmp is tmpfs (is that a problem? xattrs?), /boot is ext3

I relabeled prior to running this test.
I know there's a new version released today and I'll try that soon.
I'm sorry if any of these are duplicates or have been fixed.
==================================================================
audit2allow:

allow dmesg_t staff_home_t:file { write };
allow dmesg_t user_home_t:file { write };
allow httpd_t bin_t:dir { getattr };
allow httpd_t httpd_log_t:file { write };
allow httpd_t sbin_t:dir { getattr };
allow httpd_t snmpd_var_lib_t:file { getattr write };
allow klogd_t boot_t:lnk_file { read };
allow lvm_t device_t:file { getattr };
allow lvm_t selinux_config_t:dir { search };
allow udev_t var_lock_t:dir { search };
allow xdm_xserver_t xdm_tmpfs_t:dir { getattr };
allow xfs_t tmpfs_t:dir { search };
====================================================================
Denies summary - all of those occur during normal startup, 
and the dmesg ones are me trying to pipe dmesg to a log file in my home
folder as root.

LVM.STATIC
1)
   name = selinux
   tclass = dir
   denied { search } exe = lvm.static
   scontext = system_u:system_r:lvm_t
   tcontext = system_u:object_r:selinux_config_t

2)
   path = /dev/vcsa01 or /dev/vcsa05
   tclass = file
   denied { getattr } exe = lvm.static
   scontext = system_u:system_r:lvm_t
   tcontext = system_u:object_r:device_t

KLOGD
3)
   name = System.map
   tclass = lnk_file
   denied { read } exe = /sbin/klogd
   scontext = system_u:system_r:klog_t
   tcontext = system_u:object_r:boot_t

UDEV
4)
   name = lock
   tclass = dir
   denied { search } exe = /bin/bash
   scontext = system_u:system_r:udev_t
   tcontext = system_u:object_r:var_lock_t

HTTPD
5)
   name = /sbin or /usr/sbin
   tclass = dir
   denied { getattr } exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:sbin_t

6)
   name = /bin or /usr/bin or /usr/X11R6/bin
   tclass = dir
   denied { getattr } exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:bin_t

7)
   name = jk2.shm
   tclass = file
   denied { write } exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:httpd_log_t

8)
   path = /usr/share/snmp/mibs/.index
   tclass = file
   denied { getattr } exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:snmpd_var_lib_t

   name = .index
   tclass = file
   denied { write } exe = /usr/sbin/httpd
   scontext = system_u:system_r:httpd_t
   tcontext = system_u:object_r:snmpd_var_lib_t

XFS
9)
   dev = tmpfs
   tclass = dir
   denied { search } exe = /usr/X11R6/bin/xfs
   scontext = system_u:system_r:xfs_t
   tcontext = system_u:object_r:tmpfs_t

Xorg
10)
   dev = tmpfs
   path = /tmp/.X11-unix
   tclass = dir
   denied { getattr } exe = /usr/X11R6/bin/Xorg
   scontext = system_u:system_r:xdm_xserver_t
   tcontext = system_u:object_r:xdm_tmpfs_t

Dmesg
11)
   path = /home/-username-/log
   tclass = file
   denied { write } exe = /bin/dmesg
   scontext = root:system_r:dmesg_t
   tcontext = root:object_r:user_home_t



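The audit2allow block at the top of the post is what you get when the raw AVC denials are collapsed by (source type, target type, object class) and the permissions are merged; the two .index denials (getattr, then write) become the single `allow httpd_t snmpd_var_lib_t:file { getattr write };` line. The following is an added example, not code from the post or from the audit2allow tool itself: a small parser for the 2.6-era `avc: denied { perms } for key=value ...` kernel message format, which is an assumption about the log layout (the post lists the fields one per line rather than as raw log text). The sample lines are constructed from the denials reported above, and the watchlist of target types is my own illustrative choice.

```python
import re
from collections import defaultdict

# Constructed sample AVC messages, modelled on the denials in the post.
# Format assumed: "avc: denied { perms } for key=value key=value ...".
SAMPLE_AVC = """
audit(1088103476.123:0): avc:  denied  { search } for  pid=345 exe=/sbin/lvm.static name=selinux dev=hda1 ino=1234 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1088103480.456:0): avc:  denied  { getattr } for  pid=1234 exe=/usr/sbin/httpd path=/usr/share/snmp/mibs/.index dev=hda1 ino=5678 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
audit(1088103480.457:0): avc:  denied  { write } for  pid=1234 exe=/usr/sbin/httpd name=.index dev=hda1 ino=5678 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:snmpd_var_lib_t tclass=file
audit(1088103490.000:0): avc:  denied  { write } for  pid=2000 exe=/bin/dmesg path=/home/user/log dev=hda1 ino=9999 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_home_t tclass=file
audit(1088103491.000:0): avc:  granted  { read } for  pid=2001 exe=/bin/cat scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Illustrative watchlist (my choice, not from the post): target types where a
# blanket allow deserves a second look before it goes into policy.
WATCH_TARGET_TYPES = {"selinux_config_t", "user_home_t", "staff_home_t"}


def parse_avc(line):
    """Return (set of permissions, dict of key=value fields) for a denied
    AVC line, or None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(KV_RE.findall(m.group("rest")))
    return perms, fields


def context_type(ctx):
    """Pull the type out of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def summarize(lines):
    """Collapse denials into {(source_type, target_type, class): perms},
    merging permissions the way audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        try:
            key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed records rather than guess
        rules[key] |= perms
    return dict(rules)


def to_allow_rules(rules):
    """Render the summary as audit2allow-style allow rules, sorted for diffing."""
    return [
        "allow %s %s:%s { %s };" % (s, t, cls, " ".join(sorted(perms)))
        for (s, t, cls), perms in sorted(rules.items())
    ]


def review_flags(rules):
    """Return the rule keys that touch a watched target type."""
    return [key for key in sorted(rules) if key[1] in WATCH_TARGET_TYPES]


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVC.splitlines())
    for rule in to_allow_rules(summary):
        print(rule)
    for key in review_flags(summary):
        print("REVIEW: %s -> %s (%s)" % key)
```

Running it prints three allow rules from the four denials, with the two .index denials merged into one line, and flags the lvm_t/selinux_config_t and dmesg_t/user_home_t rules for review. The flags are the practical point: audit2allow output is a starting point, not a policy. A denial on a file whose type looks wrong for its location is often a labeling problem, and the right fix is to relabel rather than to add an allow rule that silently widens a system domain.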