
[SELinux] denials and lock up
Hello,
I'm a SELinux newbie and I have some problems with denials.
It seems that SELinux would deny almost everything, including system
tasks:

audit(1094916629.677:0): avc: denied { search } for pid=18204 exe=/bin/dmesg dev=ramfs ino=774 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916629.677:0): avc: denied { read } for pid=18204 exe=/bin/dmesg name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.023:0): avc: denied { getattr } for pid=9704 exe=/sbin/e2fsck path=/dev/hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.024:0): avc: denied { read write } for pid=9704 exe=/sbin/e2fsck name=hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
audit(1094916630.067:0): avc: denied { ioctl } for pid=9704 exe=/sbin/e2fsck path=/dev/hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
EXT3 FS on hda1, internal journal
audit(1094916630.393:0): avc: denied { search } for pid=16474 exe=/bin/hostname dev=ramfs ino=774 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.393:0): avc: denied { read } for pid=16474 exe=/bin/hostname name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.496:0): avc: denied { write } for pid=19589 exe=/bin/bash path=/dev/null dev=ramfs ino=2761 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.504:0): avc: denied { search } for pid=19589 exe=/bin/bash dev=ramfs ino=774 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.504:0): avc: denied { read } for pid=19589 exe=/bin/bash name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.506:0): avc: denied { search } for pid=19589 exe=/bin/bash name=run dev=hda1 ino=1909442 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1094916630.604:0): avc: denied { getattr } for pid=3014 exe=/bin/gawk-3.1.3 path=/dev/null dev=ramfs ino=2761 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.887:0): avc: denied { search } for pid=1 exe=/sbin/init dev=ramfs ino=774 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916630.887:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
audit(1094916630.887:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file

and the list goes on.

The system is running in permissive mode and I've reloaded the policy and
relabeled the filesystem.

/dev/hda1 on / type ext3 (rw,noatime)
none on /selinux type selinuxfs (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev type ramfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)


Portage 2.0.50-r11 (x86, gcc-3.3.4, glibc-2.3.4.20040808-r0, 2.6.7-hardened-r8)
=================================================================
System uname: 2.6.7-hardened-r8 i686 Celeron (Mendocino)
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium2 -O3 -pipe -fomit-frame-pointer -ffast-math -fforce-addr -falign-functions=4 -ftracer -fstack-protector-all"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium2 -O3 -pipe -fomit-frame-pointer -ffast-math -fforce-addr -falign-functions=4 -ftracer -fstack-protector-all"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoload ccache sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.lug.ro/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow aalib acl acpi adns apache2 berkdb bzlib caps crypt curl curlwrappers dio exif fam flac ftp gd gmp gnutls hardened imagemagick imap java junit ldap mad maildir mailwrapper memlimit mhash mmap mmx ncurses nls nptl offensive oggvorbis pam pcntl pcre pic pie png posix readline samba selinux session shared sharedmem slang soap sockets socks5 speex sqlite sse ssl svg sysvipc tcpd theora tiff unicode usb vhosts wmf x86 xml xmlrpc zlib"


Btw, if I type echo 1 > /selinux/enforce the system locks up instantly :(

I've installed the distribution using the SELinux handbook, but it seems
that I didn't do something the right way.

Please help.

--
gentoo-hardened@gentoo.org mailing list
Re: [SELinux] denials and lock up
On Sat, 2004-09-11 at 09:45, Andrei Ivanov wrote:
> Hello,
> I'm a SELinux newbie and I have some problems with denials.
> It seems that SELinux would deny almost everything, including system
> tasks:
>
> audit(1094916629.677:0): avc: denied { search } for pid=18204 exe=/bin/dmesg dev=ramfs ino=774 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=dir

> none on /dev type ramfs (rw)

You're using udev which doesn't work on SELinux right now (it will
soon). You have to unmerge it for now. I'll update the handbook to say
this.

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
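An added example, not part of the thread: a small parser for the AVC record format quoted in the original post, which groups the denials by target type and device. Run over the post's own lines it makes Chris's diagnosis visible in the data: dmesg_t, fsadm_t, init_t and the rest are all unrelated domains, yet nearly every denial is against ramfs_t on dev=ramfs, which is the unlabeled ramfs that udev mounted on /dev, not a missing rule for any one program.

```python
import re
from collections import Counter, defaultdict

# AVC record format of the 2.6-era kernel, as quoted in the post above:
#   audit(<secs>.<ms>:<serial>): avc: denied { <perms> } for <key>=<value> ...
AVC_RE = re.compile(r"audit\([\d.]+:\d+\): avc: denied \{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Parse one AVC denial into a dict; non-AVC lines (kernel chatter) give None."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:mls]; policy rules are written against the type.
    rec["stype"] = rec.get("scontext", "?:?:?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "?:?:?").split(":")[2]
    return rec

def summarize(lines):
    """Group denials by (target type, device) and list the source domains hitting each."""
    recs = [r for r in map(parse_avc, lines) if r is not None]
    by_target = Counter((r["ttype"], r.get("dev", "?")) for r in recs)
    domains = defaultdict(set)
    for r in recs:
        domains[r["ttype"]].add(r["stype"])
    return {"total": len(recs), "by_target": by_target,
            "domains": {t: sorted(d) for t, d in domains.items()}}

def dominant_target(summary):
    """(target type, device, count) shared by the most denials. Many unrelated
    domains all denied on one target type points at an unlabeled or mislabeled
    mount (here the ramfs on /dev), not at a missing rule for one program."""
    (ttype, dev), n = summary["by_target"].most_common(1)[0]
    return ttype, dev, n

# Constructed sample: five denials from the post rejoined onto single lines,
# plus one ordinary kernel message that must be skipped.
SAMPLE = """\
audit(1094916629.677:0): avc: denied { search } for pid=18204 exe=/bin/dmesg dev=ramfs ino=774 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=dir
audit(1094916629.677:0): avc: denied { read } for pid=18204 exe=/bin/dmesg name=urandom dev=ramfs ino=5629 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
audit(1094916630.024:0): avc: denied { read write } for pid=9704 exe=/sbin/e2fsck name=hda1 dev=ramfs ino=1729 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=blk_file
EXT3 FS on hda1, internal journal
audit(1094916630.506:0): avc: denied { search } for pid=19589 exe=/bin/bash name=run dev=hda1 ino=1909442 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1094916630.887:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=ramfs ino=2672 scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
"""
```

`dominant_target(summarize(SAMPLE.splitlines()))` returns `('ramfs_t', 'ramfs', 4)`: four of the five denials share one target type on the ramfs device, with the lone var_run_t denial on hda1 standing apart.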