selinux-policy-strict-1.23.13-4: suggestions?
Daniel J Walsh
dwalsh at redhat.com
Mon May 2 15:09:05 UTC 2005
Tom London wrote:
>Running strict/enforcing, latest rawhide.
>
>I finally got around to 'blowing the dust off' of my strict PC. I
>updated to latest rawhide, did a 'fixfiles relabel', and rebooted.
>
>Graphical login failed. Appears that xdm is failing on creating a sem:
>Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied
>{ create } for key=1417649221 scontext=system_u:system_r:xdm_t
>tcontext=system_u:system_r:xdm_t tclass=sem
>Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied
>{ unix_read unix_write } for key=199061348
>scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
>tclass=sem
>
>
>Adding:
>allow xdm_t self:sem { create unix_read unix_write };
>to xdm.te seems to fix this. That OK?
>
>
>
I will add.
>Also, running firefox proxied through privoxy generates:
>Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied
>{ name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t
>tcontext=system_u:object_r:port_t tclass=tcp_socket
>or
>allow user_mozilla_t port_t:tcp_socket name_connect;
>That right?
>
>
>
Better solution is to add 8118 to the list of http_cache_port_t in
net_contexts
portcon tcp 8118 system_u:object_r:http_cache_port_t
Your solution allows mozilla to connect to any ports.
>Going through /var/log/messages:
>Early on, I get this:
>Apr 30 13:27:05 fedora kernel: SELinux: Completing initialization.
>Apr 30 13:27:05 fedora kernel: SELinux: Setting up existing superblocks.
>Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc: denied
>{ write } for path=pipe:[1886] dev=pipefs ino=1886
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
>Apr 30 13:27:05 fedora kernel: SELinux: initialized (dev hda2, type
>ext3), uses xattr
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev tmpfs, type
>tmpfs), uses transition SIDs
>and
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev rootfs, type
>rootfs), uses genfs_contexts
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev sysfs, type
>sysfs), uses genfs_contexts
>Apr 30 13:27:06 fedora kernel: audit(1114867589.937:0): avc: denied
>{ read } for name=class at vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867589.939:0): avc: denied
>{ read } for name=class at vc@vcs1 dev=tmpfs ino=1830
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev usbfs, type
>usbfs), uses genfs_contexts
>Apr 30 13:27:06 fedora kernel: audit(1114867590.492:0): avc: denied
>{ create } for name=input scontext=system_u:system_r:udev_t
>tcontext=system_u:object_r:tmpfs_t tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867590.494:0): avc: denied
>{ create } for name=input scontext=system_u:system_r:udev_t
>tcontext=system_u:object_r:tmpfs_t tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867591.604:0): avc: denied
>{ write } for name=class at vc@vcs1 dev=tmpfs ino=1830
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867591.627:0): avc: denied
>{ write } for name=class at vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867591.754:0): avc: denied
>{ read } for name=class at vc@vcs1 dev=tmpfs ino=1830
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867591.764:0): avc: denied
>{ read } for name=class at vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
>Apr 30 13:27:06 fedora kernel: audit(1114867592.051:0): avc: denied
>{ write } for name=class at vc@vcsa1 dev=tmpfs ino=1836
>scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
>tclass=file
><<<<SNIP>>>>
>Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
>{ search } for name=485 dev=proc ino=31784962
>scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
>tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
>{ search } for name=494 dev=proc ino=32374786
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:system_r:initrc_t tclass=dir
>Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
>{ search } for name=545 dev=proc ino=35717122
>scontext=system_u:system_r:kernel_t
>tcontext=system_u:system_r:hotplug_t tclass=dir
>
>and
>
>Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0
>(PCI): IRQ=[11] MMIO=[ed100000-ed1007ff] Max Packet=[2048]
>Apr 30 13:27:08 fedora kernel: audit(1114867609.739:0): avc: denied
>{ getattr } for path=/etc/hotplug dev=hda2 ino=4472955
>scontext=system_u:system_r:insmod_t
>tcontext=system_u:object_r:hotplug_etc_t tclass=dir
>Apr 30 13:27:09 fedora kernel: audit(1114867609.739:0): avc: denied
>{ search } for name=hotplug dev=hda2 ino=4472955
>scontext=system_u:system_r:insmod_t
>tcontext=system_u:object_r:hotplug_etc_t tclass=dir
>
>and
>Apr 30 13:27:10 fedora kernel: audit(1114892828.091:0): avc: denied
>{ execute } for name=auto.net dev=hda2 ino=4474546
>scontext=system_u:system_r:initrc_t
>tcontext=system_u:object_r:automount_etc_t tclass=file
>Apr 30 13:27:10 fedora kernel: audit(1114892828.595:0): avc: denied
>{ write } for name=/ dev=hda2 ino=2
>scontext=system_u:system_r:automount_t
>tcontext=system_u:object_r:root_t tclass=dir
>Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc: denied
>{ dac_override } for capability=1
>scontext=system_u:system_r:automount_t
>tcontext=system_u:system_r:automount_t tclass=capability
>Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc: denied
>{ write } for name=/ dev=hda2 ino=2
>scontext=system_u:system_r:automount_t
>tcontext=system_u:object_r:root_t tclass=dir
>
>
>Sorry if these are already fixed.
> tom
>
>
>
Added a bunch of fixes,
Thanks.
--
More information about the fedora-selinux-list
mailing list