Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 27 12:33:54 UTC 2006
On Fri, 2006-01-27 at 12:36 +0200, G Jahchan wrote:
> I have been desperately trying to get selinux strict policy to work on my
> laptop to no avail. I have been using a strict policy in enforcing mode for a
> long time, but since I upgraded to the kernel / selinux versions listed below,
> when in enforcing mode, the policy causes authentication to fail from the
> console (my default runlevel is 3).
>
> Even though I have the following statements in my custom.te under
> /etc/selinux/strict/src/policy/domains/misc/
>
> allow kernel_t sysadm_t:process transition;
> allow kernel_t sysadm_tty_device_t:chr_file { relabelfrom relabelto };
> allow sysadm_t sysadm_t:process transition;
>
> I keep getting corresponding 'avc: denied' events in the audit log.
These rules shouldn't be necessary, so they imply a more fundamental
problem. They suggest that your login program is still running in
kernel_t rather than local_login_t. In turn, this suggests that the
initial transition from kernel_t to init_t upon executing /sbin/init did
not occur. What does ls -Z /sbin/init show?
What does '/usr/sbin/sestatus -v | grep -v active' show?
As a side note, avc denials can be caused by other components of the
policy beyond the TE rules, and the above permissions are likely being
(correctly) denied by the role-based restrictions and user-based
restrictions. Normally, kernel_t doesn't need to be able to transition
to a user security context since kernel_t is only for the initial kernel
task and other kernel threads. audit2why(8) will try to tell you why a
given avc denial occurred.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list