[MLS Policy]:- MLS policy enforcing mode problem when manually restarting the system services.

prakash hallalli prakashkhallalli at gmail.com
Wed Jun 11 15:02:24 UTC 2008


Hi all,
I have configured SELinux on CentOS 5.1. I have configured RBAC using the
MLS (Multilevel Security) policy in enforcing mode. When I try to
restart the system services they do not restart, and an error message is
thrown.

Steps to reproduce:

1) MLS policy configuration.

1. Install selinux-policy-mls
2. Set SELINUXTYPE=MLS in /etc/selinux/config file
3. touch ./autorelabel in root's home directory, and reboot the machine.
4. While the machine is rebooting, change the GRUB parameter:
enforcing=0

2) Now the system is in permissive mode and the SELinux status is as follows.

[root at turtle11 ~]# sestatus
SELinux status:                  enabled
SELinuxfs mount:                /selinux
Current mode:                      permissive
Mode from config file:          enforcing
Policy version:                    21
Policy from config file:         mls

3) Restart the system services and they restart successfully.

[root at turtle11 ~]# service nfs restart
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Starting NFS services:                                         [  OK  ]
Starting NFS quotas:                                           [  OK  ]
Starting NFS daemon:                                         [  OK  ]
Starting NFS mountd:                                         [  OK  ]

3) Now I am setting enforcing mode using the setenforce command.

root at turtle11 ~]#setenforce 1
root at turtle11 ~]# sestatus
SELinux status:             enabled
SELinuxfs mount:          /selinux
Current mode:               enforcing
Mode from config file:    enforcing
Policy version:              21
Policy from config file:   mls

4) a) Now the system is in enforcing mode and I am trying to restart the system
services. The restart results in an error message.

[root at turtle11 ~]# service nfs restart
nfs: unrecognized service

[root at turtle11 ~]# run_init /etc/init.d/nfs restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.
[root at turtle11 ~]#

[root at turtle11 ~]# run_init /etc/init.d/ldap restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.

5) I am using sysadm_r.

[root at turtle11 ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root at turtle11 ~]#

6) These are the /sbin/ausearch log messages I am getting.

[root at turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64
syscall=recvfrom success=no exit=-13(Permission denied) a0=5 a1=7fff60825b40
a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=dhcpd
exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc:  denied  { read }
for  pid=3103 comm=dhcpd lport=1
scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket

Please help me. What is going on?

Thanks
Prakash.
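As an added example (not part of the original post), a small Python triage script that parses the two ausearch records quoted above and flags what is notable in them: the AVC is a self-denial (scontext equals tcontext), and the dhcpd daemon (ppid=1) is running in the admin login domain sysadm_t rather than a daemon domain, which is what happens when a service is started from an admin shell without run_init. ADMIN_DOMAINS is an assumption; only sysadm_t appears in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the post's two audit records re-joined onto one line each.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 "
    "syscall=recvfrom success=no exit=-13(Permission denied) a0=5 a1=7fff60825b40 "
    "a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root gid=root euid=root "
    "suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=dhcpd "
    "exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)",
    "type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc:  denied  { read } "
    "for  pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket",
]
# Assumption: admin login domains no daemon should run in (only sysadm_t is in the post).
ADMIN_DOMAINS = {"sysadm_t"}
# key=value pairs; values may be "(none)", "(null)" or "-13(Permission denied)".
FIELD_RE = re.compile(r"(\w+)=(\S*?\([^)]*\)|\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
SERIAL_RE = re.compile(r"audit\([^)]*:(\d+)\)")  # event serial shared by the records

def parse_record(line):
    # One 'ausearch -i' record -> dict of its fields, plus the AVC verdict if present.
    rec = dict(FIELD_RE.findall(line))
    rec["serial"] = SERIAL_RE.search(line).group(1)  # every record carries msg=audit(...)
    avc = AVC_RE.search(line)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def triage(records):
    # Pair each AVC with the SYSCALL record of the same event and summarise the denial.
    events = defaultdict(dict)
    for rec in map(parse_record, records):
        events[rec["serial"]][rec["type"]] = rec
    findings = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get("AVC"), ev.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        domain = avc["scontext"].split(":")[2]
        findings.append({
            "serial": serial, "comm": avc.get("comm"), "exe": sc.get("exe"),
            "syscall": sc.get("syscall"), "perms": avc["perms"],
            "tclass": avc["tclass"], "domain": domain,
            # source == target context: the domain lacks a rule for its own object
            "self_denial": avc["scontext"] == avc["tcontext"],
            # daemonised (ppid=1) yet still in an admin login domain: no domain transition
            "daemon_in_admin_domain": domain in ADMIN_DOMAINS and sc.get("ppid") == "1",
        })
    return findings
```

Run `triage(SAMPLE_RECORDS)` to get one finding for event 130367; feed it the output of `ausearch -i -m AVC,SYSCALL` split into lines to triage a live system.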