[MLS Policy]:- MLS policy enforcing mode problem when manually restarting the system services.

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 11 15:08:41 UTC 2008


On Wed, 2008-06-11 at 20:32 +0530, prakash hallalli wrote:
> HI ALL
> I have configured SELinux on CentOS 5.1. I have configured the RBAC
> using MLS (Multilevel Security) Policy using enforcing mode. I am
> trying to restart the system services and they are not restarting and
> it is throwing an error message.
> 
> Steps to reproduce:
> 
> 1 ) MLS Policy configuration.
> 
> 1. Install selinux-policy-mls
> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> 3. touch ./autorelabel; on root's home directory, and reboot the
> machine.

As others noted, this should have been touch /.autorelabel, not
touch ./autorelabel on root's home directory.  But I don't think that is
relevant any more - you already manually relabeled.

> 4. While machine is rebooting, change the GRUB parameter.
> enforcing=0 
> 
> 2) Now system is in permissive mode and SELinux status is as follows.
> 
> [root at turtle11 ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          enforcing
> Policy version:                 21
> Policy from config file:        mls
> 
> 3) Restart the system services and they restart successfully.
> 
> [root at turtle11 ~]# service nfs restart
> Shutting down NFS mountd:                                  [  OK  ]
> Shutting down NFS daemon:                                  [  OK  ]
> Shutting down NFS quotas:                                  [  OK  ]
> Shutting down NFS services:                                [  OK  ]
> Starting NFS services:                                     [  OK  ]
> Starting NFS quotas:                                       [  OK  ]
> Starting NFS daemon:                                       [  OK  ]
> Starting NFS mountd:                                       [  OK  ]
> 
> 3) Now I am setting enforcing mode using the setenforce command.
>
> [root at turtle11 ~]# setenforce 1
> [root at turtle11 ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 21
> Policy from config file:        mls
> 
> 4) a) Now the system is in enforcing mode and I am trying to restart the
> system service. The restart results in an error message.
> 
> [root at turtle11 ~]# service nfs restart
> nfs: unrecognized service
> 
> [root at turtle11 ~]# run_init /etc/init.d/nfs restart
> Authenticating root.
> Password: XXXXXX
> run_init: incorrect password for root
> authentication failed.
> [root at turtle11 ~]#
> 
> [root at turtle11 ~]# run_init /etc/init.d/ldap restart
> Authenticating root.
> Password: XXXXXX
> run_init: incorrect password for root
> authentication failed.

This implies that the existing policy isn't allowing these domains to do
what they need to perform the authentication.  Elsewhere you said you
are using ldap, so they may need additional permissions for the network
lookup.  

> 5) I am using sysadm_r  
> 
> [root at turtle11 ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root at turtle11 ~]# 
> 
> 6) These are the /sbin/ausearch log messages I am getting.
> 
> [root at turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
> type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64
> syscall=recvfrom success=no exit=-13(Permission denied) a0=5
> a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd
> subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
> type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc:  denied
> { read } for  pid=3103 comm=dhcpd lport=1
> scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket 

On this one, as I said, dhcpd shouldn't be running in sysadm_t.
How did you start it?

-- 
Stephen Smalley
National Security Agency
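As an added example that is not part of the thread, the check Stephen's question implies: a shell snippet that scans a `ps -eZ` listing (a constructed sample here, laid out in the LABEL PID TTY TIME CMD column order `ps` uses on RHEL 5 / CentOS 5) for daemons running in a login/user domain such as sysadm_t instead of their own system domain, and pulls the source type out of an AVC record shaped like the one quoted above. A daemon flagged this way was exec'd straight from the administrator's shell with no domain transition, rather than through its init script, and under MLS enforcing it will hit denials exactly like the rawip_socket one shown. The list in USER_DOMAINS and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed `ps -eZ` sample in the
# RHEL5/CentOS5 column order: LABEL PID TTY TIME CMD.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0-s15:c0.c1023    1 ?        00:00:01 init
system_u:system_r:nfsd_t:s0-s15:c0.c1023 2981 ?        00:00:00 nfsd
system_u:system_r:rpcd_t:s0-s15:c0.c1023 2990 ?        00:00:00 rpc.mountd
root:sysadm_r:sysadm_t:s0-s15:c0.c1023   3103 ?        00:00:00 dhcpd
root:sysadm_r:sysadm_t:s0-s15:c0.c1023   3200 pts/0    00:00:00 bash'

# Constructed AVC record in the same shape as the one quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc:  denied  { read } for  pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket'

# Login/user domains a daemon should never run in (assumed list for this example).
USER_DOMAINS='sysadm_t staff_t user_t unconfined_t'

# misplaced_daemons LISTING: print "pid comm type" for each process in a
# ps -eZ listing whose SELinux type is a user domain and which has no
# controlling tty (a daemon, not the administrator's own shell).
misplaced_daemons() {
    printf '%s\n' "$1" | awk -v doms="$USER_DOMAINS" '
        BEGIN { n = split(doms, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        NR == 1 { next }                        # column header
        {
            split($1, ctx, ":")                 # user:role:type:range
            ty = ctx[3]
            if ((ty in bad) && $3 == "?") print $2, $5, ty
        }'
}

# avc_source_type RECORD: extract the type component of scontext= from an
# AVC record (e.g. sysadm_t). scontext == tcontext == a user domain means
# the daemon never left the shell's domain.
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# When run directly: list daemons that were started without a domain
# transition. Each one should be stopped and restarted through its init
# script (run_init /etc/init.d/<name> restart) so it lands in its own domain.
misplaced_daemons "$SAMPLE_PS"
```

On a live box replace the constructed sample with `misplaced_daemons "$(ps -eZ)"` and feed real lines from `ausearch -i -m AVC` to avc_source_type; a daemon whose scontext type comes back as sysadm_t is the situation Stephen is asking about.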




More information about the fedora-selinux-list mailing list