Trying SELinux again on CentOS 5.1 - HOPELESS

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Mar 4 00:25:07 UTC 2008


Daniel J Walsh wrote:
> Simplest thing is to run this through
> # grep avc /var/log/audit2allow | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> 
> You might want to first update to the U2 preview policy, available on
> http://people.redhat.com/dwalsh/SELinux/RHEL5

This is turning into a worse disaster than I would have imagined.
I updated to selinux-policy-targeted-2.4.6-122.el5 and ran
audit2allow and semodule from the AVCs I now got when starting
eth1.  All looked good for a moment.  Then I tried changing
the config file for named so that the next network restart
would cause an update.  Got 151 new AVCs from that.  Built
a new policy to include allows for those AVCs, installed that,
and tried the experiment again.  Got another 20 AVCs.  This
is unending.  The culprit appears to be a "pidof -o $PPID named"
command which is getting a denial for each process on the
system:

avc:  denied  { ptrace } for  pid=6134 comm="pidof" scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process

OK, it only really needs to succeed for the tcontext of the actual
named process, but the log is going to get flooded with meaningless
denials every time this runs.

While I was tracking that down, a cron job that fetches news started
and plopped a bunch more AVC denials in the log.  When I printed out
the /etc/dhclient-exit-hooks script for study, I got a whole bunch
more denials from the hplip package.

This situation is 100% hopeless.  SELinux just keeps getting worse
and worse.  Enforcing mode would be equivalent to turning the system
off.  I'd need a daemon that scans the log for AVC denials and
automatically runs audit2allow, etc., on whatever it finds to have
any hope of keeping up.  Absent a paid expert to write custom policy,
SELinux on the desktop is suitable only for systems that run the
Linux distribution 100% as supplied, with no changes whatsoever,
and with the additional restriction that the user's interaction is
limited to clicking on icons.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
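An added example, not code from the original post or from the RHEL policy
packages, to show what the "151 AVCs" reduce to once they are grouped, and
how the "only really needs to succeed for the actual named process" point
translates into policy: the pidof scan gets an allow rule only against the
named domain and a dontaudit rule against everything else it touches, so
the log stops filling up without granting ptrace system-wide.  The audit
records below are constructed for the example (they are not the poster's
log); the type names named_t and named_conf_t, the module name mypol and
the allow/dontaudit split are the editor's assumptions.  In real use the
input is /var/log/audit/audit.log.

```sh
#!/bin/sh
# Added example (editor's code, not from the post).  Collapse AVC "denied"
# records to unique (source domain, target type, class, permissions) tuples,
# then write a .te module from that summary.  On a real system:
#   summarize_avcs < /var/log/audit/audit.log
#   summarize_avcs < /var/log/audit/audit.log | make_te mypol named_t > mypol.te
#   checkmodule -M -m -o mypol.mod mypol.te
#   semodule_package -o mypol.pp -m mypol.mod
#   semodule -i mypol.pp
LC_ALL=C; export LC_ALL

# Constructed sample audit records (NOT the poster's actual log).  pidof,
# run from the dhclient exit hook in dhcpc_t, trips a process:ptrace check
# against every process it scans; only the named_t hit is a real need.
# The named.conf line stands in for the hook editing named's config file.
SAMPLE_AVCS='type=AVC msg=audit(1204590000.101:6134): avc:  denied  { ptrace } for  pid=6134 comm="pidof" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1204590000.101:6134): arch=40000003 syscall=85 success=no exit=-13 comm="pidof"
type=AVC msg=audit(1204590000.102:6135): avc:  denied  { ptrace } for  pid=6134 comm="pidof" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1204590000.103:6136): avc:  denied  { ptrace } for  pid=6134 comm="pidof" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1204590000.104:6137): avc:  denied  { ptrace } for  pid=6134 comm="pidof" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=process
type=AVC msg=audit(1204590000.105:6138): avc:  denied  { read write } for  pid=6140 comm="dhclient-script" name="named.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file'

# Read audit records on stdin; print "COUNT SRC_TYPE TGT_TYPE CLASS PERMS"
# per distinct tuple, most frequent first.  Non-AVC lines are ignored.
summarize_avcs() {
    awk '
    /avc:  denied  \{/ {
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)   # text inside { }
        sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        gsub(/ +/, ",", perms)                         # "read write" -> "read,write"
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = substr($i, 10)
            if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        # contexts are user:role:type[:mls]; field 3 is the type
        split(src, s, ":"); split(tgt, t, ":")
        count[s[3] " " t[3] " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Read the summary on stdin and emit a policy module.  $1 = module name,
# $2 = the one target type the ptrace must really succeed against.
# Rule: process:ptrace against $2 -> allow; process:ptrace against any
# other type -> dontaudit (scan noise, stays denied but unlogged);
# every other tuple -> allow, to be reviewed by hand before installing.
make_te() {
    awk -v mod="$1" -v keep="$2" '
    {
        src = $2; tgt = $3; cls = $4; perms = $5
        types[src] = 1; types[tgt] = 1
        n = split(perms, p, ",")
        for (i = 1; i <= n; i++)
            if (!seen[cls, p[i]]++) cp[cls] = cp[cls] " " p[i]
        gsub(/,/, " ", perms)
        if (cls == "process" && perms == "ptrace" && tgt != keep)
            rules[++n_rules] = "dontaudit " src " " tgt ":" cls " ptrace;"
        else
            rules[++n_rules] = "allow " src " " tgt ":" cls " { " perms " };"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "\ttype %s;\n", t
        for (c in cp)    printf "\tclass %s {%s };\n", c, cp[c]
        printf "}\n\n"
        for (i = 1; i <= n_rules; i++) print rules[i]
    }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs | make_te mypol named_t
```

Against a real log the summary is what makes the "151 denials" readable:
one line per (domain, type, class, permission) rather than one per
process scanned.  The module keeps ptrace denied for the noise targets
and merely stops auditing them, which is the normal way to silence a
broad scan without widening policy; later policycoreutils releases also
offer audit2allow -D to emit dontaudit rules directly.  Anything the
summary shows against a file type (the named.conf row here) is a real
access the hook needs and is left as an allow for the admin to confirm.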




More information about the fedora-selinux-list mailing list