Hello,
I've just installed SELinux for the first time on a running 2.4.9 Linux box. As this is my first contact with SELinux, I've been doing exactly what's described in the README file, and I have now done all the steps described and restarted my box successfully.
The good news is: the box is running.
The bad news is: I have a bunch of:
Aug 29 17:58:46 www-dev kernel: avc: denied { read write } for pid=58 exe=/bin/mount path=/etc/mtab dev=08:02 ino=166389
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:mount_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
Aug 29 17:58:46 www-dev kernel:
Aug 29 17:58:46 www-dev kernel: avc: denied { read append } for pid=58 exe=/bin/mount path=/etc/mtab dev=08:02 ino=166389
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:mount_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
Aug 29 17:58:46 www-dev kernel:
Aug 29 17:58:46 www-dev kernel: avc: denied { write } for pid=10 exe=/bin/bas
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:initrc_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
Aug 29 17:58:46 www-dev kernel:
Aug 29 17:58:46 www-dev kernel: avc: denied { setattr } for pid=10 exe=/bin/b
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:initrc_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
Aug 29 17:58:46 www-dev kernel:
Aug 29 17:58:46 www-dev kernel: avc: denied { getattr } for pid=73 exe=/sbin/
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:insmod_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:modules_object_t
Aug 29 17:58:46 www-dev kernel: tclass=lnk_file
Aug 29 17:58:46 www-dev kernel:
Aug 29 17:58:46 www-dev kernel: avc: denied { unlink } for pid=91 exe=/bin/rm
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:initrc_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
but I can't find anywhere where and what to change to prevent what is mentioned as denied from really being denied when I switch to a "live" SELinux config...
For example, looking at the first one:
Aug 29 17:58:46 www-dev kernel: avc: denied { read write } for pid=58 exe=/bin/mount path=/etc/mtab dev=08:02 ino=166389
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:mount_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
I've found in the source tree:
/bin/mount: system_u:object_t:mount_exec_t
/etc/mtab: system_u:object_r:etc_runtime_t
This is different from scontext (Security (?) context) and tcontext (Task (?) context)....
It seems I deeply missed some configs, but I can't find them. Could someone help me?
Regards,
Paul
--
Paul Rolland, rol@as2917.net
The penguin will survive, unlike dinosaurs!
Please no MIME, I don't read it - Pas de MIME, je ne le lis pas
Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un navigateur
"Some people dreams of success... while others wake up and work hard at it"
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Conan Callen <ccallen_at_windowpane.com>
Hi Paul,
I too am new to selinux. I had it installed, and everything was working fine until Friday. I had two hard-drives go out on me! (they're old timers). Stephen Smalley sent me the message below on fixing the errors you have encountered. I haven't had a chance to work through it yet. I've finally got some replacement hard-drives working and am now building the new kernel.
My first time through I had missed a step or two, and had some other strange problems. This time I am going very carefully.
Conan
Ok, let's go through these:
avc: denied { write search } for pid=1504 exe=/usr/sbin/sendmail path=/var/spool/mqueue dev=03:41 ino=32194
scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:mqueue_spool_t
tclass=dir
The root cause of this access denial (and several of the subsequent denials) is that crond is running sendmail without transitioning into an appropriate domain. The question is why is sendmail being run from one of your system cron jobs? Anyway, if you want to do this, just add the following to policy/domains/system/crond.te and do a 'make load' in your policy directory:
domain_auto_trans(system_crond_t, sendmail_exec_t, user_mail_t)
avc: denied { getattr } for pid=1932 exe=/usr/bin/slocate dev=00:06 ino=1582
kernel: scontext=system_u:system_r:system_crond_t
kernel: tcontext=system_u:object_r:unlabeled_t
kernel: tclass=dir
This is probably because you are running the automounter. Unless you really need it, shut it off.
avc: denied { write } for pid=2003 exe=/usr/local/bin/logtail path=/var/log/messages.offset dev=03:41 ino=81507
scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:var_log_t
tclass=file
So, what is /usr/local/bin/logtail? And why is it run from crond, and why is it trying to write to /var/log? Anyway, if you want to allow this, you can use the logrotate_t domain as an example. You can either label /usr/local/bin/logtail with logrotate_exec_t if it just needs the same permissions as logrotate, or you can define a separate domain for it that is similar.
avc: denied { execute } for pid=2327 exe=/bin/bash path=/usr/bin/which dev=03:41 ino=351008
scontext=system_u:system_r:atd_t
tcontext=system_u:object_r:bin_t
tclass=file
The atd domain is just a stub, because we don't use it for anything (why not just use cron?). If you really want to use atd, then you'll need to add some permissions to it. Also, you may even want to extend atd in the same way that we changed crond so that it runs in different security contexts depending on what it is doing.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
On Sun, 2 Sep 2001, Paul Rolland wrote:
> For example, looking at the first one :
> Aug 29 17:58:46 www-dev kernel: avc: denied { read write } for pid=58
> exe=/bin/mount path=/etc/mtab dev=08:02 ino=166389
> Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:mount_t
> Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
> Aug 29 17:58:46 www-dev kernel: tclass=file
> Aug 29 17:58:46 www-dev kernel:
>
> I've found in the source tree :
> /bin/mount: system_u:object_t:mount_exec_t
> /etc/mtab: system_u:object_r:etc_runtime_t
>
> This is different from scontext (Security (?) context) and tcontext
> (Task (?) context)....
>
> It seems I deeply missed some configs, but I can't find them. Could someone
> help me ?
Do the following:
cd setfiles
rm -f relabel
make relabel
This was step #14 of the README.
The scontext is the source security context, which is typically the security context of a process (but not always). The tcontext is the target security context, which can be the security context of a target process (e.g. for controlling kill) or the security context of an object (e.g. for file accesses).
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
From: Paul Rolland <rol_at_as2917.net>
Hello,
This I did, but I think there is something wrong in the setfiles/*; the problem is that from the error messages, I don't know how to translate this to :
Paul
Paul Rolland, rol@witbe.net
Witbe.net SA
Directeur Associe
--
Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un navigateur
"Some people dreams of success... while others wake up and work hard at it"
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@tislabs.com]
> Sent: Tuesday, September 04, 2001 2:52 PM
> To: Paul Rolland
> Cc: selinux@tycho.nsa.gov
> Subject: Re: Question regarding security policy configuration
>
>
>
> On Sun, 2 Sep 2001, Paul Rolland wrote:
>
> > For example, looking at the first one :
> > Aug 29 17:58:46 www-dev kernel: avc: denied { read write } for pid=58
> > exe=/bin/mount path=/etc/mtab dev=08:02 ino=166389
> > Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:mount_t
> > Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
> > Aug 29 17:58:46 www-dev kernel: tclass=file
> > Aug 29 17:58:46 www-dev kernel:
> >
> > I've found in the source tree :
> > /bin/mount: system_u:object_t:mount_exec_t
> > /etc/mtab: system_u:object_r:etc_runtime_t
> >
> > This is different from scontext (Security (?) context) and tcontext
> > (Task (?) context)....
> >
> > It seems I deeply missed some configs, but I can't find them. Could someone
> > help me ?
>
> Do the following:
> cd setfiles
> rm -f relabel
> make relabel
>
> This was step #14 of the README.
>
> The scontext is the source security context, which is typically
> the security context of a process (but not always). The tcontext
> is the target security context, which can be the security
> context of a target process (e.g. for controlling kill) or
> the security context of an object (e.g. for file accesses).
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>
>
>
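Added example, not code from this thread or from the SELinux project: a small Python script that parses the multi-line AVC format quoted above and applies the two answers Stephen gives in this thread, separating denials whose target type is file_t or unlabeled_t (fixed by relabeling, as in his reply to Paul) from denials that need a policy change (the crond/sendmail case in the message Conan forwarded). The sample log is taken from lines quoted in the thread, and the UNLABELED set is an assumption about the 2001 policy's default types.

```python
import re

# Sample input assembled from lines quoted in this thread (multi-line AVC format):
# the /bin/mount denial from Paul's log and the crond/sendmail denial Stephen analysed.
SAMPLE_LOG = """\
Aug 29 17:58:46 www-dev kernel: avc: denied { read write } for pid=58 exe=/bin/mount path=/etc/mtab dev=08:02 ino=166389
Aug 29 17:58:46 www-dev kernel: scontext=system_u:system_r:mount_t
Aug 29 17:58:46 www-dev kernel: tcontext=system_u:object_r:file_t
Aug 29 17:58:46 www-dev kernel: tclass=file
Aug 29 17:58:46 www-dev kernel:
avc: denied { write search } for pid=1504 exe=/usr/sbin/sendmail path=/var/spool/mqueue dev=03:41 ino=32194
scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:mqueue_spool_t
tclass=dir
"""
# Assumed defaults for objects with no label: the fix is 'make relabel', not a policy rule.
UNLABELED = {"file_t", "unlabeled_t"}

def parse_avc(text):
    """Return one dict per denial: perms (set) plus the key=value fields of the record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.split("kernel:", 1)[-1].strip()      # drop the syslog prefix if present
        m = re.match(r"avc: denied \{ (.*?) \} for (.*)", line)
        if m:                                            # header line starts a new record
            cur = {"perms": set(m.group(1).split())}
            cur.update(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            records.append(cur)
        elif cur is not None and "=" in line:            # scontext=, tcontext=, tclass=
            key, val = line.split("=", 1)
            cur[key] = val
    return records

def type_of(ctx): return ctx.split(":")[2]            # user:role:type -> type

def advise(records):
    """Merge denials by (source type, target type, class) and classify each group."""
    merged = {}
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    advice = []
    for (src, tgt, cls), perms in merged.items():
        if tgt in UNLABELED:                             # unlabeled target: relabel, don't widen policy
            advice.append("relabel: %s objects reached by %s have no label; "
                          "run 'make relabel' in setfiles/ rather than changing policy" % (tgt, src))
        else:                                            # real policy gap: candidate rule as a starting point
            advice.append("policy: allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return advice
```

A generated allow line is only a starting point: as the crond/sendmail case shows, when the source domain should have transitioned, the right fix is a domain_auto_trans() rather than a wider allow rule.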
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT