Markus Bartl | 1 Oct 08:43

SELinux boot errors

Hi Folks!

I'm now able to boot up in enforcing mode and log in to my system.

What I still get is
Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc:  denied  { read write } for  pid=1278 comm="modprobe" path="/dev/null" dev=tmpfs ino=1330 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
...
Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc:  denied  { write } for  pid=2882 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
Sep 30 10:20:01 odin type=1400 audit(1222762801.746:21): avc:  denied  { search } for  pid=3681 comm="syslog-ng" name="lib" dev=sda3 ino=770262 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc:  denied  { write } for  pid=1150 comm="bash" name="null" dev=tmpfs ino=1330 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file

I'm not quite sure if the /dev/null thing is really a problem, but the resolv.conf thing is one, because I don't get an IP from DHCP later on during boot.
Again any ideas are welcome.

Regards,
Markus

William Keaney | 1 Oct 20:46

Re: SELinux boot errors



On Wed, Oct 1, 2008 at 2:45 AM, Markus Bartl <hardened-fI6J7lfedsq94EBAefA18BvVK+yQ3ZXh@public.gmane.org> wrote:
> Hi Folks!
>
> I'm now able to boot up in enforcing mode and log in to my system.
>
> What I still get is
> Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc:  denied  { read write } for  pid=1278 comm="modprobe" path="/dev/null" dev=tmpfs ino=1330 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
> ...
> Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc:  denied  { write } for  pid=2882 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
> Sep 30 10:20:01 odin type=1400 audit(1222762801.746:21): avc:  denied  { search } for  pid=3681 comm="syslog-ng" name="lib" dev=sda3 ino=770262 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=dir
> Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc:  denied  { write } for  pid=1150 comm="bash" name="null" dev=tmpfs ino=1330 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
>
> I'm not quite sure if the /dev/null thing is really a problem, but the resolv.conf thing is one, because I don't get an IP from DHCP later on during boot.
> Again any ideas are welcome.
>
> Regards,
> Markus


The /dev/null thing is due to a temporary mislabeling of the nodes under /dev/ during udev initialization.  I have submitted a patch to Chris PeBenito that should fix this.

Will
Markus Bartl | 1 Oct 21:58

Re: SELinux boot errors

William Keaney schrieb:
>
>
> On Wed, Oct 1, 2008 at 2:45 AM, Markus Bartl <hardened@...> wrote:
>
>     Hi Folks!
>
>     I'm now able to boot up in enforcing mode and log in to my system.
>
>     What I still get is
>     Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc: 
>     denied  { read write } for  pid=1278 comm="modprobe"
>     path="/dev/null" dev=tmpfs ino=1330
>     scontext=system_u:system_r:insmod_t
>     tcontext=system_u:object_r:device_t tclass=chr_file
>     ...
>     Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc: 
>     denied  { write } for  pid=2882 comm="runscript.sh"
>     name="resolv.conf" dev=sda3 ino=1999328
>     scontext=system_u:system_r:initrc_t
>     tcontext=system_u:object_r:net_conf_t tclass=file
>     Sep 30 10:20:01 odin type=1400 audit(1222762801.746:21): avc: 
>     denied  { search } for  pid=3681 comm="syslog-ng" name="lib"
>     dev=sda3 ino=770262 scontext=system_u:system_r:syslogd_t
>     tcontext=system_u:object_r:var_lib_t tclass=dir
>     Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc: 
>     denied  { write } for  pid=1150 comm="bash" name="null" dev=tmpfs
>     ino=1330 scontext=system_u:system_r:initrc_t
>     tcontext=system_u:object_r:device_t tclass=chr_file
>
>     I'm not quite sure if the /dev/null thing is really a problem, but
>     the resolv.conf thing is one, because I don't get an IP from DHCP
>     later on during boot.
>     Again any ideas are welcome.
>
>     Regards,
>     Markus
>
>
> The /dev/null thing is due to a temporary mislabeling of the nodes 
> under /dev/ during udev initialization.  I have submitted a patch to 
> Chris PeBenito that should fix this.
>
> Will
Ok, that's one thing.
But the really nasty thing is the denial of write access to resolv.conf,
which leads to an improper network configuration.
I would really be happy about any suggestions.

Markus

Mike Edenfield | 1 Oct 23:09

Re: SELinux boot errors

Markus Bartl wrote:

> Ok, that's one thing.
> But the really nasty thing is the denial of write access to resolv.conf,
> which leads to an improper network configuration.
> I would really be happy about any suggestions.

What kind of network setup do you have in your conf.d/net file?  It's
not your dhcp client that is being denied access -- it's runscript.sh
itself.  Your dhcp client should be running in its own context (dhcpc_t)
which has the proper access.

And, as always, if the policy on your system is missing something you
need to boot, it's fairly straightforward to make a local policy module.
You can then use audit2allow and pipe those avc messages through it.
A good tutorial can be found here:

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=5

Markus Bartl | 2 Oct 10:26

Re: SELinux boot errors

Mike Edenfield schrieb:
> Markus Bartl wrote:
>
>> Ok, that's one thing.
>> But the really nasty thing is the denial of write access to resolv.conf, which leads to an improper network configuration.
>> I would really be happy about any suggestions.
>
> What kind of network setup do you have in your conf.d/net file?  It's not your dhcp client that is being denied access -- it's runscript.sh itself.  Your dhcp client should be running in its own context (dhcpc_t) which has the proper access.
>
> And, as always, if the policy on your system is missing something you need to boot, it's fairly straightforward to make a local policy module.  You can then use audit2allow and pipe those avc messages through it. A good tutorial can be found here:
>
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=5

Ok. I wrote the following policy:

policy_module(boot,1.0)

require {
        type initrc_t, net_conf_t;
}

allow initrc_t net_conf_t:file { setattr write };

I compiled it and added it to the existing policy using semodule -i boot.pp
That did what it should :-)
Maybe this should be included in the base policy shipped with Gentoo.

My next step is setting up a DHCP server and a name server on this machine.

Regards,
Markus
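The workflow Mike describes (pipe the avc messages through audit2allow, build a local module) comes down to parsing each denial into a source type, target type, object class and permission set, then merging those into allow rules. The Python below is an added example, not code from the thread and not the audit2allow tool: it parses the denials quoted in this thread (embedded here as a constructed sample) and emits a policy_module source in the same shape Markus posted, which is a starting point to review, since each generated rule grants exactly what was denied, including the transient /dev/null mislabel Will explained.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC denials taken from this thread (abridged).
AVC_LINES = """\
Sep 30 10:20:01 odin type=1400 audit(1222762783.108:5): avc:  denied  { read write } for  pid=1278 comm="modprobe" path="/dev/null" dev=tmpfs ino=1330 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
Sep 30 10:20:01 odin type=1400 audit(1222762796.338:19): avc:  denied  { write } for  pid=2882 comm="runscript.sh" name="resolv.conf" dev=sda3 ino=1999328 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
Sep 30 10:35:05 odin type=1400 audit(1222763686.716:3): avc:  denied  { write } for  pid=1150 comm="bash" name="null" dev=tmpfs ino=1330 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

# Permission set inside { }, then the two security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        out.append((stype, ttype, m.group("tclass"),
                    frozenset(m.group("perms").split())))
    return out

def allow_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def policy_module(name, version, denials):
    """Emit policy_module source in the same shape as the module posted above."""
    types = sorted({t for s, tt, _, _ in denials for t in (s, tt)})
    header = [f"policy_module({name},{version})", "", "require {",
              f"        type {', '.join(types)};", "}", ""]
    return "\n".join(header + allow_rules(denials)) + "\n"

if __name__ == "__main__":
    print(policy_module("boot", "1.0", parse_avc(AVC_LINES)))
```

The printed source can be built the way Markus did (checkmodule, semodule_package, semodule -i); drop any rule whose denial is explained by something other than a genuine policy gap before loading it.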

