selinux-policy-strict-1.13.9-1, difficulty.
Daniel J Walsh
dwalsh at redhat.com
Sun Jun 27 10:36:07 UTC 2004
Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
>
>> Test Results: selinux-policy-strict-1.13.9-1
>> Kernel: 2.6.7-1.456
>>
>> I relabeled in permissive mode prior to running in enforcing mode.
>> However, I notice things that didn't get labeled. I've been running
>> the targeted policy prior to this - perhaps that's a
>> factor. Also I use tmpfs, which I think causes some of the issues (but
>> def. not all).
>>
>> In /var/log/dmesg (early before init):
>>
>> UNLABELED:
>>
>> path = /initrd/dev/root
>> dev = ram0
>> tclass = blk_file
>> denied { getattr } exe = /bin/bash
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:unlabeled_t
>>
>> HOTPLUG:
>>
>> path = /etc/hotplug.d/default/udev.hotplug
>> tclass = file
>> denied { getattr } exe = /bin/bash
>> scontext = system_u:system_r:hotplug_t
>> tcontext = system_u:object_r:udev_helper_exec_t
>>
>> name = dbus
>> tclass = dir
>> denied { search } exe = /usr/libexec/hal.hotplug
>> scontext = system_u:system_r:hotplug_t
>> tcontext = system_u:object_r:dbus_var_run_t
>>
>>
>> LVM:
>> name = control
>> tclass = chr_file
>> denied { unlink } exe = /bin/rm
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:lvm_control_t
>>
>> name = selinux or var
>> tclass = dir
>> denied { search } exe = /sbin/lvm.static
>> scontext = system_u:system_r:lvm_t
>> tcontext = system_u:object_r:selinux_config_t (for selinux)
>> tcontext = system_u:object_r:var_t (for var)
>>
>> Others:
>>
>> name = config
>> tclass = file
>> denied { read } exe = /usr/bin/id
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:selinux_config_t
>>
>>
>> tmpfs being a problem?
>> ======================
>> dev = tmpfs
>> tclass = dir
>> denied { read } exe = /bin/bash
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:tmpfs_t
>>
>> ===============================================
>>
>> In /var/log/messages:
>>
>> UNLABELED:
>>
>> path = /etc/ld.so.cache
>> tclass = file
>> denied { getattr } exe = /bin/env
>> scontext = system_u:system_r:kernel_t
>> tcontext = system_u:object_r:unlabeled_t
>>
>> dev = pipefs
>> path = pipe:[851]
>> tclass = fifo_file
>> denied { getattr } { write } exe = /bin/env
>> scontext = system_u:system_r:kernel_t
>> tcontext = system_u:object_r:unlabeled_t
>>
>> path = /lib/ld-2.3.3.so
>> tclass = file
>> denied { read } exe = /bin/bash
>> scontext = system_u:system_r:kernel_t
>> tcontext = system_u:object_r:unlabeled_t
>>
>> HOTPLUG:
>>
>> name = hotplug
>> tclass = dir
>> denied { search } exe = /bin/bash
>> scontext = system_u:system_r:kernel_t
>> tcontext = system_u:object_r:hotplug_etc_t
>>
>> name = hal.hotplug
>> tclass = lnk_file
>> denied { read } exe = /bin/bash
>> scontext = system_u:system_r:kernel_t
>> tcontext = system_u:object_r:etc_t
>>
>> path = /etc/hotplug.d/default/udev.hotplug
>> tclass = file
>> denied { getattr } exe = /bin/bash
>> scontext = system_u:system_r:kernel_t
>> tcontext = system_u:object_r:udev_helper_exec_t
>>
>> VAR
>> name = var
>> tclass = dir
>> denied { search } exe = /bin/bash
>> denied { search } exe = /sbin/lvm.static
>> scontext = system_u:system_r:kernel_t (bash)
>> scontext = system_u:system_r:lvm_t (lvm.static)
>> tcontext = system_u:object_r:var_t
>>
>> ...some of the errors from /var/log/dmesg repeat...
>> Also
>> dev = selinuxfs
>> tclass = dir
>> denied { search } exe = /bin/bash
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:security_t
>>
>> More tmpfs denies...
>>
>>
>> READAHEAD:
>>
>> name = aliases
>> tclass = file
>> denied { read } exe = /usr/sbin/readahead
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:etc_aliases_t
>>
>> name = crontab
>> tclass = file
>> denied { read } exe = /usr/sbin/readahead
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:system_cron_spool_t
>>
>> name = ssh_host_dsa_key, ssh_host_key, ssh_host_rsa_key
>> tclass = file
>> denied { read } exe = /usr/sbin/readahead
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:sshd_key_t
>>
>> name = dhclient-eth0.leases
>> tclass = file
>> denied { read } exe = /usr/sbin/readahead
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:dhcpc_state_t
>>
>> name = state
>> tclass = file
>> denied { read } exe = /usr/sbin/readahead
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:var_lib_nfs_t
>>
>> MODPROBE
>>
>> dev = proc
>> path = /proc/sys/dev/parport/parport0/autoprobe
>> tclass = file
>> denied { read } exe = /sbin/modprobe
>> scontext = system_u:system_r:insmod_t
>> tcontext = system_u:object_r:sysctl_dev_t
>>
>> KLOGD (this was there in the last version too)
>> name = System.map
>> tclass = lnk_file
>> denied { read } exe = /sbin/klogd
>> scontext = system_u:system_r:klogd_t
>> tcontext = system_u:object_r:boot_t
>>
>> SELINUX
>>
>> name = config
>> tclass = file
>> denied { read } exe = /usr/bin/selinuxenabled
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:selinux_config_t
>>
>> I think there was one for ls trying to read selinux files too, but I
>> lost it. Also:
>>
>> name = config
>> tclass = file
>> denied { read } exe = /usr/bin/find
>> scontext = system_u:system_r:initrc_t
>> tcontext = system_u:object_r:selinux_config_t
>>
>> Then there's all the httpd errors I posted in my other two mails (on
>> previous versions).
>>
>> Then I get about a million of those:
>>
>> class = tcp_socket
>> denied { name_bind } exe = /usr/sbin/htt_server
>> scontext = user_u:user_r:user_t
>> tcontext = system_u:object_r:port_t
>>
>>
>> until I log in and kill htt_server.
>>
>>
>>
>> Sorry for the long post :)
>> I won't test the target policy anymore since it isn't very interesting
>> in my case - the only daemon I have that it protects is httpd.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
> Please attach the AVC Messages. The problems are probably being
> caused by update to other applications like hotplug.
>
> Dan
1.13.9 went out with tunables turned off. 1.13.10 fixes this problem.
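The report above lists denials in a hand-summarised "key = value" form rather than raw AVC lines, and the useful triage split is the one Dan hints at: denials whose target is unlabeled_t are a labeling problem (relabel the filesystem), while denials against a real type such as selinux_config_t are a policy gap or a tunable that was left off. The following is an added example, not code from the thread or from selinux-policy; it parses records in the posted layout (a constructed sample is embedded) and groups them by source domain, target type and object class.

```python
"""Triage helper for the hand-summarised AVC denials posted above (added
example, not from the thread): group by source domain / target type / class
and split unlabeled_t targets (relabel) from real types (policy gap)."""
import re
DENIED_RE = re.compile(r"denied\s*\{\s*([^}]*)\}\s*exe\s*=\s*(\S+)")

# Constructed sample in the same "key = value" layout as the report.
SAMPLE = """\
tclass = blk_file
denied { getattr } exe = /bin/bash
scontext = system_u:system_r:initrc_t
tcontext = system_u:object_r:unlabeled_t

tclass = file
denied { read } exe = /usr/bin/selinuxenabled
scontext = system_u:system_r:initrc_t
tcontext = system_u:object_r:selinux_config_t

tclass = file
denied { read } exe = /usr/bin/find
scontext = system_u:system_r:initrc_t
tcontext = system_u:object_r:selinux_config_t
"""

def parse_records(text):
    """One dict per blank-line-separated block; perms collected as a set."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"perms": set()}
        for line in block.splitlines():
            m = DENIED_RE.search(line)
            if m:  # 'denied { read } exe = /bin/x' carries perms and exe
                rec["perms"].update(m.group(1).split())
                rec["exe"] = m.group(2)
            elif "=" in line:
                key, _, val = line.partition("=")
                rec[key.strip()] = val.strip()
        if "scontext" in rec and "tcontext" in rec:
            records.append(rec)
    return records

def triage(records):
    """Return (relabel, policy): {(src_domain, tgt_type, class): perms}."""
    relabel, policy = {}, {}
    for r in records:
        sdom = r["scontext"].split(":")[2]   # user:role:type -> type
        ttype = r["tcontext"].split(":")[2]
        key = (sdom, ttype, r.get("tclass", "?"))
        (relabel if ttype == "unlabeled_t" else policy).setdefault(key, set()).update(r["perms"])
    return relabel, policy
```

Entries in the `policy` bucket are the ones worth checking against the policy's tunables before filing them as missing allow rules; entries in `relabel` should disappear after a full relabel.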