selinux-policy-strict-1.13.9-1, difficulty.

Daniel J Walsh dwalsh at redhat.com
Sun Jun 27 10:01:48 UTC 2004


Ivan Gyurdiev wrote:

>Test Results: selinux-policy-strict-1.13.9-1
>Kernel: 2.6.7-1.456
>
>I relabeled in permissive mode prior to running in enforcing mode.
>However, I notice things that didn't get labeled. 
>I had been running the targeted policy before this - perhaps that's a
>factor. Also I use tmpfs, which I think causes some of the issues (but
>definitely not all).
>
>In /var/log/dmesg (early before init):
>
>UNLABELED:
>
>     path = /initrd/dev/root
>     dev = ram0
>     tclass = blk_file
>     denied { getattr } exe = /bin/bash
>     scontext = system_u:system_r:initrc_t
>     tcontext = system_u:object_r:unlabeled_t
>
>HOTPLUG:
>
>     path = /etc/hotplug.d/default/udev.hotplug
>     tclass = file
>     denied { getattr } exe = /bin/bash
>     scontext = system_u:system_r:hotplug_t
>     tcontext = system_u:object_r:udev_helper_exec_t
>
>     name = dbus
>     tclass = dir
>     denied { search } exe = /usr/libexec/hal.hotplug
>     scontext = system_u:system_r:hotplug_t
>     tcontext = system_u:object_r:dbus_var_run_t
>
>
>LVM:
>     name = control
>     tclass = chr_file
>     denied { unlink } exe = /bin/rm
>     scontext = system_u:system_r:initrc_t
>     tcontext = system_u:object_r:lvm_control_t
>
>     name = selinux or var
>     tclass = dir
>     denied { search } exe = /sbin/lvm.static
>     scontext = system_u:system_r:lvm_t
>     tcontext = system_u:object_r:selinux_config_t (for selinux)
>     tcontext = system_u:object_r:var_t (for var)
>
>Others:
>
>     name = config
>     tclass = file
>     denied { read } exe = /usr/bin/id
>     scontext = system_u:system_r:initrc_t
>     tcontext = system_u:object_r:selinux_config_t
>
>
>     tmpfs being a problem?
>     ======================
>     dev = tmpfs
>     tclass = dir
>     denied { read } exe = /bin/bash
>     scontext = system_u:system_r:initrc_t
>     tcontext = system_u:object_r:tmpfs_t
>
>===============================================
>
>In /var/log/messages:
>
>UNLABELED:
>	
>     path = /etc/ld.so.cache
>     tclass = file
>     denied { getattr } exe = /bin/env
>     scontext = system_u:system_r:kernel_t
>     tcontext = system_u:object_r:unlabeled_t
>
>     dev = pipefs
>     path = pipe:[851]
>     tclass = fifo_file
>     denied { getattr } { write } exe = /bin/env
>     scontext = system_u:system_r:kernel_t
>     tcontext = system_u:object_r:unlabeled_t
>
>     path = /lib/ld-2.3.3.so
>     tclass = file
>     denied { read } exe = /bin/bash
>     scontext = system_u:system_r:kernel_t
>     tcontext = system_u:object_r:unlabeled_t
>
>HOTPLUG:
>
>     name = hotplug
>     tclass = dir
>     denied { search } exe = /bin/bash
>     scontext = system_u:system_r:kernel_t
>     tcontext = system_u:object_r:hotplug_etc_t
>
>     name = hal.hotplug
>     tclass = lnk_file
>     denied { read } exe = /bin/bash
>     scontext = system_u:system_r:kernel_t
>     tcontext = system_u:object_r:etc_t
>
>     path = /etc/hotplug.d/default/udev.hotplug
>     tclass = file
>     denied { getattr } exe = /bin/bash
>     scontext = system_u:system_r:kernel_t
>     tcontext = system_u:object_r:udev_helper_exec_t
>
>VAR
>	name = var
>	tclass = dir
>	denied { search } exe = /bin/bash
>	denied { search } exe = /sbin/lvm.static
>	scontext = system_u:system_r:kernel_t (bash)
>	scontext = system_u:system_r:lvm_t (lvm.static)
>	tcontext = system_u:object_r:var_t
>
>...some of the errors from /var/log/dmesg repeat...
>Also
>	dev = selinuxfs
>	tclass = dir
>	denied { search } exe = /bin/bash
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:security_t
>
>More tmpfs denies...
>
>
>READAHEAD:
>
>	name = aliases
>	tclass = file
>	denied { read } exe = /usr/sbin/readahead
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:etc_aliases_t
>
>	name = crontab
>	tclass = file
>	denied { read } exe = /usr/sbin/readahead
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:system_cron_spool_t
>
>	name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key
>	tclass = file
>	denied { read } exe = /usr/sbin/readahead
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:sshd_key_t
>
>	name = dhclient-eth0.leases
>	tclass = file
>	denied { read } exe = /usr/sbin/readahead
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:dhcpc_state_t
>
>	name = state
>	tclass = file
>	denied { read } exe = /usr/sbin/readahead
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:var_lib_nfs_t
>
>MODPROBE
>	
>	dev = proc
>	path = /proc/sys/dev/parport/parport0/autoprobe
>	tclass = file
>	denied { read } exe = /sbin/modprobe
>	scontext = system_u:system_r:insmod_t
>	tcontext = system_u:object_r:sysctl_dev_t
>
>KLOGD (this was there in the last version too)
>	name = System.map
>	tclass = lnk_file
>	denied { read } exe = /sbin/klogd
>	scontext = system_u:system_r:klogd_t
>	tcontext = system_u:object_r:boot_t
>
>SELINUX
>
>	name = config
>	tclass = file
>	denied { read } exe = /usr/bin/selinuxenabled
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:selinux_config_t
>
>I think there was one for ls trying to read selinux files too, but I
>lost it. Also:
>
>	name = config
>	tclass = file
>	denied { read } exe = /usr/bin/find
>	scontext = system_u:system_r:initrc_t
>	tcontext = system_u:object_r:selinux_config_t
>
>Then there are all the httpd errors I posted in my other two mails (on
>previous versions).
>
>Then I get about a million of those:
>
>	class = tcp_socket
>	denied { name_bind } exe = /usr/sbin/htt_server
>	scontext = user_u:user_r:user_t
>	tcontext = system_u:object_r:port_t
>	
>
>	until I log in and kill htt_server.
>
>
>
>Sorry for the long post :)
>I won't test the targeted policy anymore since it isn't very interesting
>in my case - the only daemon I have that it protects is httpd.
>
>
>  
>
Please attach the actual AVC messages.  The problems are probably being caused
by updates to other applications, such as hotplug.

Dan


