selinux-policy-strict-1.23.13-4: suggestions?

Daniel J Walsh dwalsh at redhat.com
Mon May 2 15:09:05 UTC 2005


Tom London wrote:

>Running strict/enforcing, latest rawhide.
>
>I finally got around to 'blowing the dust off' of my strict PC. I
>updated to latest rawhide, did a 'fixfiles relabel', and rebooted.
>
>Graphical login failed. Appears that xdm is failing on creating a sem:
>Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc:  denied 
>{ create } for  key=1417649221 scontext=system_u:system_r:xdm_t
>tcontext=system_u:system_r:xdm_t tclass=sem
>Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc:  denied 
>{ unix_read unix_write } for  key=199061348
>scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
>tclass=sem
>  
>
>Adding:
>allow xdm_t self:sem { create unix_read unix_write };
>to xdm.te seems to fix this.  That OK?
>
>  
>
I will add.

>Also, running firefox proxied through privoxy generates:
>Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc:  denied 
>{ name_connect } for  dest=8118 scontext=user_u:user_r:user_mozilla_t
>tcontext=system_u:object_r:port_t tclass=tcp_socket
>or
>allow user_mozilla_t port_t:tcp_socket name_connect;
>That right?
>
>  
>
A better solution is to add 8118 to the list of http_cache_port_t in 
net_contexts:
portcon tcp 8118  system_u:object_r:http_cache_port_t

Your solution allows mozilla to connect to any port.

>Going through /var/log/messages:
>Early on, I get this:
>Apr 30 13:27:05 fedora kernel: SELinux:  Completing initialization.
>Apr 30 13:27:05 fedora kernel: SELinux:  Setting up existing superblocks.
>Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc:  denied 
>{ write } for  path=pipe:[1886] dev=pipefs ino=1886
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
>Apr 30 13:27:05 fedora kernel: SELinux: initialized (dev hda2, type
>ext3), uses xattr
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev tmpfs, type
>tmpfs), uses transition SIDs
>and
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev rootfs, type
>rootfs), uses genfs_contexts
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev sysfs, type
>sysfs), uses genfs_contexts
>Apr 30 13:27:06 fedora kernel: audit(1114867589.937:0): avc:  denied 
>{ read } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867589.939:0): avc:  denied 
>{ read } for  name=class@vc@vcs1 dev=tmpfs ino=1830
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev usbfs, type
>usbfs), uses genfs_contexts
>Apr 30 13:27:06 fedora kernel: audit(1114867590.492:0): avc:  denied 
>{ create } for  name=input scontext=system_u:system_r:udev_t
>tcontext=system_u:object_r:tmpfs_t tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867590.494:0): avc:  denied 
>{ create } for  name=input scontext=system_u:system_r:udev_t
>tcontext=system_u:object_r:tmpfs_t tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867591.604:0): avc:  denied 
>{ write } for  name=class@vc@vcs1 dev=tmpfs ino=1830
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867591.627:0): avc:  denied 
>{ write } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867591.754:0): avc:  denied 
>{ read } for  name=class@vc@vcs1 dev=tmpfs ino=1830
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867591.764:0): avc:  denied 
>{ read } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867592.051:0): avc:  denied 
>{ write } for  name=class@vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
><<<<SNIP>>>>
>Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc:  denied 
>{ search } for  name=485 dev=proc ino=31784962
>scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
>tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc:  denied 
>{ search } for  name=494 dev=proc ino=32374786
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:system_r:initrc_t tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc:  denied 
>{ search } for  name=545 dev=proc ino=35717122
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:system_r:hotplug_t tclass=dir
>
>and
>
>Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0
>(PCI): IRQ=[11]  MMIO=[ed100000-ed1007ff]  Max Packet=[2048]
>Apr 30 13:27:08 fedora kernel: audit(1114867609.739:0): avc:  denied 
>{ getattr } for  path=/etc/hotplug dev=hda2 ino=4472955
>scontext=system_u:system_r:insmod_t
>tcontext=system_u:object_r:hotplug_etc_t tclass=dir
>Apr 30 13:27:09 fedora kernel: audit(1114867609.739:0): avc:  denied 
>{ search } for  name=hotplug dev=hda2 ino=4472955
>scontext=system_u:system_r:insmod_t
>tcontext=system_u:object_r:hotplug_etc_t tclass=dir
>
>and
>Apr 30 13:27:10 fedora kernel: audit(1114892828.091:0): avc:  denied 
>{ execute } for  name=auto.net dev=hda2 ino=4474546
>scontext=system_u:system_r:initrc_t
>tcontext=system_u:object_r:automount_etc_t tclass=file
>Apr 30 13:27:10 fedora kernel: audit(1114892828.595:0): avc:  denied 
>{ write } for  name=/ dev=hda2 ino=2
>scontext=system_u:system_r:automount_t
>tcontext=system_u:object_r:root_t tclass=dir
>Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc:  denied 
>{ dac_override } for  capability=1
>scontext=system_u:system_r:automount_t
>tcontext=system_u:system_r:automount_t tclass=capability
>Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc:  denied 
>{ write } for  name=/ dev=hda2 ino=2
>scontext=system_u:system_r:automount_t
>tcontext=system_u:object_r:root_t tclass=dir
>
>
>Sorry if these are already fixed.
>   tom
>
>  
>
Added a bunch of fixes.

Thanks.
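The exchange above turns on one habit: collapse the AVC denials into the
smallest allow rule that fits (the two xdm_t sem denials become a single
"allow xdm_t self:sem { create unix_read unix_write };"), but stop and
relabel instead when the target type is a catch-all such as port_t or
unlabeled_t, because an allow rule on the generic type grants far more than
the one object that failed. The script below is an added example written
for this page, not code from the thread or from the selinux-policy
package. It runs over the AVC lines quoted above (embedded verbatim as
sample input) and does what a reviewer would do by hand: merge denials per
(source type, target type, class) and flag the ones whose target is
generic. The list of generic types in GENERIC_TYPES is my own choice of
common catch-all labels, not something the thread enumerates.

```python
import re

# Sample input: AVC and kernel lines copied from the thread above, each
# re-joined onto one line as the kernel originally printed it.
SAMPLE_LOG = """\
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc:  denied  { create } for  key=1417649221 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc:  denied  { unix_read unix_write } for  key=199061348 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc:  denied  { name_connect } for  dest=8118 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc:  denied  { write } for  path=pipe:[1886] dev=pipefs ino=1886 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0 (PCI): IRQ=[11]  MMIO=[ed100000-ed1007ff]  Max Packet=[2048]
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

# Catch-all object types (my assumption of the usual suspects). A denial
# against one of these normally means the object is unlabeled or mislabeled;
# allowing access to the generic type would cover every object carrying it.
GENERIC_TYPES = {"port_t", "unlabeled_t", "tmpfs_t", "file_t", "default_t"}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one kernel AVC denial; return None for lines that are not AVCs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def suggest_rules(log_text):
    """Merge denials into one allow rule per (source, target, class).

    Returns (rules, warnings). Each warning names a rule whose target type is
    generic and should be replaced by labeling the object (e.g. a portcon for
    the destination port) and allowing the specific type instead.
    """
    merged, first_seen = {}, {}
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        merged[key] = merged.get(key, frozenset()) | avc["perms"]
        first_seen.setdefault(key, avc["fields"])

    rules, warnings = [], []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == stype else ttype  # domain acting on itself
        rule = f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        rules.append(rule)
        if ttype in GENERIC_TYPES:
            f = first_seen[(stype, ttype, tclass)]
            obj = f.get("dest") or f.get("path") or f.get("name") or "?"
            warnings.append(
                f"{rule}  <- target type {ttype} is generic; label the object "
                f"({tclass} {obj}) with a specific type and allow that type instead"
            )
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = suggest_rules(SAMPLE_LOG)
    print("\n".join(rules))
    print("\n".join(warnings))
```

Run against the thread's denials the script emits the xdm_t sem rule as a
single self rule, emits the user_mozilla_t rule, and flags the latter
because its target is port_t (the same objection made in the reply above),
along with the kernel_t write to an unlabeled_t pipe.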
