Hello everyone
I've put Gentoo-Hardened on a testing computer and been learning a lot about
selinux. Everything works, including X, but I have a few entries in my avc log
that I'm not sure about.
I note that this is running on an encrypted root drive and therefore I need an
initramfs. Dracut wasn't working for me so I rolled my own, which does boot in
enforcing mode (with a few minor errors) so bug 397567 seems to not be
universal. So some of these errors may be due to the initramfs then, although
I'm not sure why, since almost everything is unmounted before switch_root.
avc: denied { read write } for pid=1 comm="init"
path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=5998
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
avc: denied { getattr } for pid=1 comm="init" name="/" dev="selinuxfs"
ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t
tclass=filesystem
avc: denied { search } for pid=1 comm="init" name="var" dev="dm-0"
ino=556492 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
tclass=dir
avc: denied { write } for pid=400 comm="cryptsetup" name="read_ahead_kb"
dev="sysfs" ino=14972 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:sysfs_t tclass=file
avc: denied { getattr } for pid=411 comm="mkswap" name="/" dev="selinuxfs"
ino=1 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:security_t
tclass=filesystem
avc: denied { getattr } for pid=20 comm="kdevtmpfs" path="/dm-2"
dev="devtmpfs" ino=6891 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { read } for pid=1019 comm="syslog-ng" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
avc: denied { read write } for pid=1084 comm="unix_chkpwd" path="/dev/tty1"
dev="devtmpfs" ino=1045 scontext=system_u:system_r:chkpwd_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" dev="sysfs"
ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t
tclass=dir
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/"
dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t
tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { getattr } for pid=1084 comm="unix_chkpwd"
path="/sys/fs/selinux" dev="selinuxfs" ino=1
scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t
tclass=dir
Particularly, I get a lot of unix_chkpwd denials. There are a few more errors
sometimes:
avc: denied { setattr } for pid=20 comm="kdevtmpfs" name="dm-2"
dev="devtmpfs" ino=1973 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { unlink } for pid=20 comm="kdevtmpfs" name="dm-2"
dev="devtmpfs" ino=1973 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
avc: denied { module_request } for pid=977 comm="sshd" kmod="net-pf-10"
scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:kernel_t
tclass=system
avc: denied { use } for pid=977 comm="sshd" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:sshd_t
tcontext=system_u:system_r:init_t tclass=fd
avc: denied { use } for pid=991 comm="cron" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:crond_t
tcontext=system_u:system_r:init_t tclass=fd
avc: denied { read } for pid=127 comm="rc" name="openrc" dev="dm-0"
ino=591026 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:file_t tclass=lnk_file
avc: denied { read } for pid=354 comm="hwclock" path="/dev/console"
dev="devtmpfs" ino=1039 scontext=system_u:system_r:hwclock_t
tcontext=system_u:object_r:console_device_t tclass=chr_file
avc: denied { search } for pid=1396 comm="X" name="1395" dev="proc"
ino=3997 scontext=user_u:user_r:xserver_t tcontext=user_u:user_r:user_t
tclass=dir
avc: denied { read } for pid=1396 comm="X" name="cmdline" dev="proc"
ino=3998 scontext=user_u:user_r:xserver_t tcontext=user_u:user_r:user_t
tclass=file
avc: denied { open } for pid=1396 comm="X" path="/proc/1395/cmdline"
dev="proc" ino=3998 scontext=user_u:user_r:xserver_t
tcontext=user_u:user_r:user_t tclass=file
Thoughts?
Thanks
BennyP
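An added triage helper (my code, not part of BennyP's post or of any Gentoo tool) that parses AVC lines like the ones above, decodes the hex-encoded path in the first init denial, and collapses the rest into one row per (comm, scontext, tcontext, tclass, permissions) so repeats can be counted before looking them up in the policy. The sample lines are copied from the post and rejoined onto single lines; all function names are my own.

```python
import re
from collections import Counter

# Constructed sample: four of the denials from the post, each rejoined
# onto a single line as the kernel actually emits them.
SAMPLE_AVC = """\
avc: denied { read write } for pid=1 comm="init" path=2F6465762F636F6E736F6C65202864656C6574656429 dev="rootfs" ino=5998 scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file
avc: denied { search } for pid=1084 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc: denied { getattr } for pid=1084 comm="unix_chkpwd" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:chkpwd_t tcontext=system_u:object_r:security_t tclass=filesystem
avc: denied { use } for pid=977 comm="sshd" path="/dev/console" dev="devtmpfs" ino=1039 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=fd
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    """The audit code hex-encodes a path that contains a space or other
    unprintable byte instead of quoting it; '2F6465...' is such a path."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex: leave the raw token alone


def parse_avc(line):
    """Return the denied permissions plus every key=value field, or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group(1).split())}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = decode_path(val) if key == "path" else val.strip('"')
    return rec


def summarize(text):
    """Count denials per (comm, scontext, tcontext, tclass, perms): that
    tuple is the unit you check against the policy or report as a bug."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec.get("comm", "-"), rec.get("scontext", "-"),
                    rec.get("tcontext", "-"), rec.get("tclass", "-"),
                    " ".join(rec["perms"]))] += 1
    return counts
```

Feeding the whole dmesg/audit log through summarize() shows at a glance that the unix_chkpwd entries are repeats of a handful of distinct context pairs rather than many different problems.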