SE Linux policy
Russell Coker
russell at coker.com.au
Mon Apr 26 22:26:08 UTC 2004
On Mon, 26 Apr 2004 20:05, Krzysztof Mazurczyk <kmazurczyk at wskiz.poznan.pl> wrote:
> > > I have started playing with new SE Linux. I have it already running.
> > > BTW minor question: There are messages in log that /sbin/unix_verify
> > > is denied to do something. The system seems to work well. Because
> > > /sbin/unix_verify is from libpam-modules I'm not sure what to do -
> > > ignore or add some rules to policy for /sbin/unix_verify.
> >
> > What access is denied?
>
> avc: denied { getattr } for pid=1768 exe=/sbin/unix_verify path=/proc/1768/mounts dev= ino=115867664 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_chkpwd_t tclass=file
Allow this. The main policy will be changed to allow this.
> avc: denied { use } for pid=3608 exe=/sbin/unix_verify path=/dev/null dev=sda2 ino=2021 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_crond_t tclass=fd
This looks like a bug in the policy; it should have been allowed. Please file a bug on bugzilla.
> avc: denied { read write } for pid=1795 exe=/sbin/unix_verify path=/dev/tty1 dev=sda2 ino=2845 scontext=system_u:system_r:system_chkpwd_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
This looks like a bug in pam, that file handle should have been closed before
the execution of unix_verify.
> avc: denied { search } for pid=1795 exe=/sbin/unix_verify name=run dev=sda5 ino=31172 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:var_run_t tclass=dir
We should have a dontaudit for that.
> > The following is the start of what is needed for a first cut at it. Try
> > it and let me know how it goes.
> > domain_auto_trans(initrc_t, uml_exec_t, sysadm_uml_t)
>
> Yes, I have found it. But then I've got 'security-compute-sid: invalid context system_u:system_r:sysadm_uml_t for scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:uml_exec_t tclass=process'. Googling hasn't told me what to do.
In this case:
role system_r types sysadm_uml_t;
But long-term I think that the right thing to do is to make some changes to
the UML policy to cover this and related issues.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
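The AVC denials and the role problem discussed in this thread, worked through in an added example that is not part of the original mail or of Russell's policy packages. It parses the four quoted denials (embedded as a constructed sample) into candidate allow rules, turns the var_run_t search into a dontaudit as Russell suggests, and shows the check behind the "invalid context ... tclass=process" error: the role must be authorised for the target domain before the transition can be computed. Rule output is a starting point for review, not a decision; as the mail notes, the tty denial points at a leaked file descriptor in pam rather than a rule to add.

```python
import re

# Constructed sample: the four AVC denials quoted in the thread, one per line.
SAMPLE_AVC = """\
avc: denied { getattr } for pid=1768 exe=/sbin/unix_verify path=/proc/1768/mounts dev= ino=115867664 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_chkpwd_t tclass=file
avc: denied { use } for pid=3608 exe=/sbin/unix_verify path=/dev/null dev=sda2 ino=2021 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:system_r:system_crond_t tclass=fd
avc: denied { read write } for pid=1795 exe=/sbin/unix_verify path=/dev/tty1 dev=sda2 ino=2845 scontext=system_u:system_r:system_chkpwd_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
avc: denied { search } for pid=1795 exe=/sbin/unix_verify name=run dev=sda5 ino=31172 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:var_run_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<attrs>.+)")

def parse_avc(line):
    """Split one AVC denial into perms, source/target types and class; None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split() if "=" in kv)
    ctx_type = lambda c: c.split(":")[2]  # user:role:type -> type
    return {"perms": m.group("perms").split(), "stype": ctx_type(attrs["scontext"]),
            "ttype": ctx_type(attrs["tcontext"]), "tclass": attrs["tclass"], "attrs": attrs}

def to_rule(d, dontaudit_pairs=()):
    """Render a denial as a candidate rule. (target type, class) pairs in dontaudit_pairs
    become dontaudit (silence without granting); a target equal to the source is 'self'."""
    kind = "dontaudit" if (d["ttype"], d["tclass"]) in dontaudit_pairs else "allow"
    target = "self" if d["ttype"] == d["stype"] else d["ttype"]
    return f"{kind} {d['stype']} {target}:{d['tclass']} {{ {' '.join(d['perms'])} }};"

def rules_from_log(text, dontaudit_pairs=()):
    return [to_rule(d, dontaudit_pairs) for d in map(parse_avc, text.splitlines()) if d]

def missing_role_stmt(role_decls, role, dom):
    """Return the 'role R types T;' statement needed before role R may enter domain T,
    or None if the given declarations already authorise it (the cause of the
    'invalid context ... tclass=process' error in the thread)."""
    allowed = set()
    for stmt in role_decls:
        m = re.match(r"role\s+(\w+)\s+types\s+(.+?)\s*;", stmt.strip())
        if m and m.group(1) == role:
            allowed.update(m.group(2).strip("{} ").split())
    return None if dom in allowed else f"role {role} types {dom};"

if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_AVC, {("var_run_t", "dir")}):
        print(rule)
    print(missing_role_stmt(["role system_r types initrc_t;"], "system_r", "sysadm_uml_t"))
```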