Fresh rawhide install / AVC messages
Russell Coker
russell at coker.com.au
Wed Mar 10 07:21:47 UTC 2004
On Wed, 10 Mar 2004 04:45, Dax Kelson <dax at gurulabs.com> wrote:
> On the first boot, I got the following AVC messages. Is enforcing mode
> expected to work? Is this helpful?
This is helpful!
> audit(1078849141.136:0): avc: denied { create } for pid=942
> exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t
> tcontext=system_u:object_r:mnt_t tclass=dir audit(1078849141.160:0): avc:
allow updfstab_t mnt_t:dir create_dir_perms;
It's in my tree now.
> denied { read write } for pid=943 exe=/sbin/pam_console_apply
> path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t
> tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
I've attached a modified pamconsole.te to fix this. I've also included it in
my policy archive on http://www.coker.com.au/selinux/policy.tgz .
> audit(1078849141.979:0): avc: denied { write } for pid=953
> exe=/usr/sbin/cpuspeed name=scaling_governor dev= ino=335
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t
I have attached a first cut at cpuspeed policy. It won't work, but if you try
it out I'll get more information and be able to write more policy. What is
the full path name for this scaling_governor file?
> audit(1078849148.792:0): avc: denied { getattr } for
> pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> tclass=file audit(1078849148.796:0): avc: denied { rename } for pid=1160
> exe=/bin/mv name=ntp.conf dev=hda8 ino=19690
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> tclass=file audit(1078849148.797:0): avc: denied { getattr } for
> pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673
This is a problem. Is this standard functionality of the dhcp client or have
you written your own scripts?
The problem we face is that the dhcp client as a standard function will
replace /etc/resolv.conf. The /etc/resolv.conf file is given the type
resolv_conf_t because so many programs want to re-write it.
Now we can give the ntpd config file the same type. But in that case we will
probably want to rename it to net_conf_t or something.
This is all conditional on this being standard functionality of the dhcp
client. If it's your customisation then you can just change ntpd.fc to label
the file as resolv_conf_t. Although I suspect that if this is a
customisation of yours it'll become a standard thing soon enough, it sounds
like a good idea!
> tclass=dir audit(1078849148.798:0): avc: denied { search } for pid=1161
> exe=/bin/bash name=tmp dev=hda8 ino=588673
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> tclass=dir audit(1078849148.798:0): avc: denied { write } for pid=1161
> exe=/bin/bash name=tmp dev=hda8 ino=588673
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> tclass=dir audit(1078849148.798:0): avc: denied { add_name } for
> pid=1161 exe=/bin/bash name=sh-thd-1078853309
What is this for? The following is the policy needed to address that. If
it's a standard thing then I'll put it in my policy tree.
tmp_domain(dhcpc)
> audit(1078849214.284:0):
> avc: denied { read } for pid=3923 exe=/usr/bin/python name=backend.pyo
> dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t
> tcontext=system_u:object_r:usr_t tclass=file audit(1078849214.285:0): avc:
> denied { getattr } for pid=3923 exe=/usr/bin/python
> path=/usr/share/printconf/util/backend.pyo dev=hda8 ino=148720
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t
> tclass=file
Below is the policy; it's now in my tree.
allow cupsd_t usr_t:file { read getattr };
> audit(1078849230.652:0): avc: denied { write } for pid=4290
> exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435
> scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t
> tclass=file audit(1078849230.652:0): avc: denied { lock } for pid=4290
> exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435
> scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t
/etc/aliases.db should have type etc_aliases_t.
> audit(1078849246.286:0): avc: denied { create } for pid=4526
> exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> avc: denied { unix_read unix_write } for pid=4526 exe=/usr/bin/python
> key=0 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> avc: denied { read write } for pid=4526 exe=/usr/bin/python key=0
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=shm
Any idea what this program is?
> audit(1078849246.287:0): avc: denied { unix_read unix_write }
> for pid=51 exe=/usr/X11R6/bin/XFree86 key=0
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:system_r:initrc_t tclass=shm
Looks like it's an X client. Something using RHGB I guess.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
#DESC Pamconsole - PAM console
# X-Debian-Packages:
#
# pam_console_apply
daemon_base_domain(pam_console)
allow pam_console_t etc_t:file { getattr read ioctl };
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
allow pam_console_t self:capability { chown fowner fsetid };
# for /var/run/console.lock checking
allow pam_console_t { var_t var_run_t }:dir search;
# mouse_device_t is for joy sticks
allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t
	misc_device_t tty_device_t scanner_device_t mouse_device_t
	removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
allow pam_console_t mnt_t:dir r_dir_perms;
ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
')
-------------- next part --------------
# cpuspeed
/usr/sbin/cpuspeed -- system_u:object_r:cpuspeed_exec_t
-------------- next part --------------
#DESC cpuspeed - domain for microcode_ctl and other programs to speed CPU
#
# Author: Russell Coker <russell at coker.com.au>
#
daemon_base_domain(cpuspeed)
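The replies above work from raw AVC denial records to either an allow rule (updfstab_t creating a directory in mnt_t, cupsd_t reading usr_t) or a relabelling decision (/etc/aliases.db should be etc_aliases_t rather than letting sendmail_t write etc_t). The script below is an added example, not code from this message, from Russell's policy tree or from Fedora; it performs the same aggregation that audit2allow does, on the records quoted in the mail. The sample input is constructed by copying a few of the quoted AVC lines with their mailing-list line breaks intact, so the parser has to cope with records that run together on one line and split across two. The "generic type" list used to flag relabel candidates is an assumption chosen for illustration, not a rule from the reference policy.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the quoted report above, with the
# mailing-list line breaks preserved, so records share lines and span lines.
SAMPLE_AVC = """\
audit(1078849141.136:0): avc: denied { create } for pid=942
exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t
tcontext=system_u:object_r:mnt_t tclass=dir audit(1078849141.160:0): avc:
denied { read write } for pid=943 exe=/sbin/pam_console_apply
path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t
tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
audit(1078849230.652:0): avc: denied { write } for pid=4290
exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435
scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t
tclass=file audit(1078849230.652:0): avc: denied { lock } for pid=4290
exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435
scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t
tclass=file
"""

# Every record begins with "audit(", so after flattening the text to one line
# a zero-width split on that token yields one chunk per record.
RECORD_SPLIT = re.compile(r"(?=audit\()")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Assumed heuristic: a domain that modifies objects of one of these broad
# types usually needs a more specific type declared in its .fc file, not a
# rule that opens the whole generic type to writes.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "tmp_t"}
MUTATING_PERMS = {"write", "create", "rename", "add_name", "remove_name",
                  "unlink", "setattr", "append"}


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(text):
    """Turn AVC denial text into a list of dicts with the fields a rule needs."""
    flat = " ".join(line.strip() for line in text.splitlines())
    records = []
    for chunk in RECORD_SPLIT.split(flat):
        m = DENIED_RE.search(chunk)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group(2)))
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing usable
        records.append({
            "perms": set(m.group(1).split()),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            # path= is present when the kernel had a full path, else name=
            "object": fields.get("path") or fields.get("name") or "",
            "exe": fields.get("exe", ""),
        })
    return records


def suggest_rules(records):
    """Merge denials per (source, target, class) into one allow rule each."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def relabel_candidates(records):
    """Denials where a dedicated file type is the better fix than an allow."""
    grouped = defaultdict(set)
    for r in records:
        if r["ttype"] in GENERIC_TYPES and r["perms"] & MUTATING_PERMS:
            grouped[(r["stype"], r["ttype"], r["tclass"])].add(r["object"])
    return [(s, t, c, tuple(sorted(objs)))
            for (s, t, c), objs in sorted(grouped.items())]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    for rule in suggest_rules(recs):
        print(rule)
    for stype, ttype, tclass, objs in relabel_candidates(recs):
        print(f"# {stype} modifies {ttype}:{tclass} ({', '.join(objs)}):"
              f" consider a dedicated type in the .fc file instead")
```

Run as-is it prints three allow rules and flags the sendmail_t write to etc_t, which matches the reply above: the updfstab_t and pam_console_t rules are what went into the tree, while the aliases.db denial is answered by labelling the file etc_aliases_t. The flag is only a prompt for the judgement the reply makes; the dhcpc_t/ntp.conf case shows why the decision cannot be automated, since the right answer there depends on whether the rewrite is standard client behaviour.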