Fresh rawhide install / AVC messages

Russell Coker russell at coker.com.au
Wed Mar 10 07:21:47 UTC 2004


On Wed, 10 Mar 2004 04:45, Dax Kelson <dax at gurulabs.com> wrote:
> On the first boot, I got the following AVC messages. Is enforcing mode
> expected to work? Is this helpful?

This is helpful!

> audit(1078849141.136:0): avc:  denied  { create } for  pid=942
> exe=/usr/sbin/updfstab name=floppy scontext=system_u:system_r:updfstab_t
> tcontext=system_u:object_r:mnt_t tclass=dir audit(1078849141.160:0): avc: 

allow updfstab_t mnt_t:dir create_dir_perms;
It's in my tree now.

> denied  { read write } for  pid=943 exe=/sbin/pam_console_apply
> path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:pam_console_t
> tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file

I've attached a modified pamconsole.te to fix this.  I've also included it in 
my policy archive on http://www.coker.com.au/selinux/policy.tgz .

> audit(1078849141.979:0): avc:  denied  { write } for  pid=953
> exe=/usr/sbin/cpuspeed name=scaling_governor dev= ino=335
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sysfs_t

I have attached a first cut at cpuspeed policy; it won't work, but if you try 
it out I'll get more information and be able to write more policy.  What is 
the full path name for this scaling_governor file?

> audit(1078849148.792:0): avc:  denied  { getattr } for 
> pid=1141 exe=/bin/bash path=/etc/ntp.conf dev=hda8 ino=19690
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> tclass=file audit(1078849148.796:0): avc:  denied  { rename } for  pid=1160
> exe=/bin/mv name=ntp.conf dev=hda8 ino=19690
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntpd_etc_t
> tclass=file audit(1078849148.797:0): avc:  denied  { getattr } for 
> pid=1161 exe=/bin/bash path=/tmp dev=hda8 ino=588673

This is a problem.  Is this standard functionality of the dhcp client or have 
you written your own scripts?

The problem we face is that the dhcp client as a standard function will 
replace /etc/resolv.conf.  The /etc/resolv.conf file is given the type 
resolv_conf_t because so many programs want to re-write it.

Now we can give the ntpd config file the same type.  But in that case we will 
probably want to rename it to net_conf_t or something.

This is all conditional on this being standard functionality of the dhcp 
client.  If it's your customisation then you can just change ntpd.fc to label 
the file as resolv_conf_t.  Although I suspect that if this is a 
customisation of yours it'll become a standard thing soon enough, it sounds 
like a good idea!

> tclass=dir audit(1078849148.798:0): avc:  denied  { search } for  pid=1161
> exe=/bin/bash name=tmp dev=hda8 ino=588673
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> tclass=dir audit(1078849148.798:0): avc:  denied  { write } for  pid=1161
> exe=/bin/bash name=tmp dev=hda8 ino=588673
> scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmp_t
> tclass=dir audit(1078849148.798:0): avc:  denied  { add_name } for 
> pid=1161 exe=/bin/bash name=sh-thd-1078853309

What is this for?  The following is the policy needed to address that.  If 
it's a standard thing then I'll put it in my policy tree.

tmp_domain(dhcpc)

> audit(1078849214.284:0):
> avc:  denied  { read } for  pid=3923 exe=/usr/bin/python name=backend.pyo
> dev=hda8 ino=148720 scontext=system_u:system_r:cupsd_t
> tcontext=system_u:object_r:usr_t tclass=file audit(1078849214.285:0): avc: 
> denied  { getattr } for  pid=3923 exe=/usr/bin/python
> path=/usr/share/printconf/util/backend.pyo dev=hda8 ino=148720
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t
> tclass=file

Below is the policy; it's now in my tree.
allow cupsd_t usr_t:file { read getattr };

> audit(1078849230.652:0): avc:  denied  { write } for  pid=4290 
> exe=/usr/sbin/sendmail.sendmail name=aliases.db dev=hda8 ino=19435
> scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t
> tclass=file audit(1078849230.652:0): avc:  denied  { lock } for  pid=4290
> exe=/usr/sbin/sendmail.sendmail path=/etc/aliases.db dev=hda8 ino=19435
> scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_t

/etc/aliases.db should have type etc_aliases_t.

> audit(1078849246.286:0): avc:  denied  { create } for  pid=4526
> exe=/usr/bin/python key=0 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> avc:  denied  { unix_read unix_write } for  pid=4526 exe=/usr/bin/python
> key=0 scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=shm audit(1078849246.286:0):
> avc:  denied  { read write } for  pid=4526 exe=/usr/bin/python key=0
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=shm

Any idea what this program is?

> audit(1078849246.287:0): avc:  denied  { unix_read unix_write } 
> for  pid=51 exe=/usr/X11R6/bin/XFree86 key=0
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:system_r:initrc_t tclass=shm

Looks like it's an X client.  Something using RHGB I guess.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
#DESC Pamconsole - PAM console
# X-Debian-Packages:
#
# pam_console_apply

daemon_base_domain(pam_console)
allow pam_console_t etc_t:file { getattr read ioctl };
allow pam_console_t self:unix_stream_socket create_stream_socket_perms;

allow pam_console_t self:capability { chown fowner fsetid };

# for /var/run/console.lock checking
allow pam_console_t { var_t var_run_t }:dir search;

# mouse_device_t is for joy sticks
allow pam_console_t {
	framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t
	tty_device_t scanner_device_t mouse_device_t removable_device_t
	scsi_generic_device_t
}:chr_file { getattr setattr };
allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };

allow pam_console_t mnt_t:dir r_dir_perms;

ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
')
-------------- next part --------------
# cpuspeed
/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t
-------------- next part --------------
#DESC cpuspeed - domain for microcode_ctl and other programs to speed CPU
#
# Author:  Russell Coker <russell at coker.com.au>
#

daemon_base_domain(cpuspeed)


More information about the fedora-selinux-list mailing list