HI ALL <br>I have configured SELinux on ContOS 5.1. I have configured the RBAC using MLS (Multilevel Security) Policy using enforcing mode. I am trying to restart the system services and they are not restarting and it is throwing some error message. <br>
<br>Steps to reproduce:<br><br>1 ) MLS Policy configuration.<br><br>1. Install selinux-policy-mls<br>2. Set SELINUXTYPE=MLS in /etc/selinux/config file<br>3. touch ./autorelabel; on root's home directory, and reboot the machine.<br>
4. While machine is rebooting, change the GRUB parameter.<br>enforcing=0 <br><br>2) Now system is in permissive mode and SELinux status is as follows.<br><br>[root@turtle11 ~]# sestatus <br>SELinux status: enabled<br>
SELinuxfs mount: /selinux<br>Current mode: permissive<br>Mode from config file: enforcing<br>Policy version: 21<br>Policy from config file: mls<br><br>
3) Restart the system services and they restart successfully.<br><br>[root@turtle11 ~]# service nfs restart<br>Shutting down NFS mountd: [ OK ]<br>Shutting down NFS daemon: [ OK ]<br>
Shutting down NFS quotas: [ OK ]<br>Shutting down NFS services: [ OK ]<br>Starting NFS services: [ OK ]<br>Starting NFS quotas: [ OK ]<br>
Starting NFS daemon: [ OK ]<br>Starting NFS mountd: [ OK ]<br><br>3) Now i am setting enforcing mode using setenforce command.<br> <br>root@turtle11 ~]#setenforce 1<br>
root@turtle11 ~]# sestatus<br>SELinux status: enabled<br>SELinuxfs mount: /selinux<br>Current mode: enforcing<br>Mode from config file: enforcing<br>Policy version: 21 <br>
Policy from config file: mls <br><br>4) a) Now system is in enforcing mode and i am trying to restart the system service. The restart will result in error message.<br><br>[root@turtle11 ~]# service nfs restart<br>nfs: unrecognized service<br>
<br>[root@turtle11 ~]# run_init /etc/init.d/nfs restart<br>Authenticating root.<br>Password: XXXXXX<br>run_init: incorrect password for root<br>authentication failed.<br>[root@turtle11 ~]#<br><br>[root@turtle11 ~]# run_init /etc/init.d/ldap restart<br>
Authenticating root.<br>Password: XXXXXX<br>run_init: incorrect password for root<br>authentication failed.<br><br>5) I am using sysadm_r <br><br>[root@turtle11 ~]# id<br>uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh<br>
[root@turtle11 ~]# <br><br>6) This is i am getting /sbin/ausearch log messages.<br><br>[root@turtle11 ~]#/sbin/ausearch -i -m AVC -sv no<br>type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 syscall=recvfrom success=no exit=-13(Permission denied) a0=5 a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) <br>
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket <br>
<br>please help me. what is going on.<br><br>Thanks<br>Prakash.<br><br>