Gentoo Forums
Gentoo Forums Forum Index > Installing Gentoo
Gentoo-Hardened Selinux Issues
Author: mmishima (n00b; Joined: 05 Oct 2014; Posts: 1)
Posted: Sun Oct 05, 2014 7:33 pm    Post subject: Gentoo-Hardened Selinux Issues

Hello,

I set my install up with a separate /var and /tmp, so I needed to use an initramfs, which apparently is incompatible with SELinux during boot.
So my understanding is that to boot the machine I need to boot in permissive mode and switch to enforcing once I'm logged in.

I'm still having serious problems though.
All init scripts added to the default runlevel using rc-update (syslog-ng, sshd, etc.) break when enforcing is set.
agetty is completely broken as well, so no more users can log on.
I installed the policies and ran the `rlpkg -a -r` command to relabel, as stated in http://wiki.gentoo.org/wiki/SELinux/Labels

I also tried reloading the policies as shown in the FAQ
Code:
root # cd /usr/share/selinux/strict
root # semodule -b base.pp -i $(ls *.pp | grep -v unconfined | grep -v base.pp)


But still, everything I do, from changing profiles to running dmesg, logs a deny in permissive mode.
I'm not sure what I missed, but as soon as I turn on enforcing the entire system is pretty much unusable.

Here are some AVC denial logs from dmesg:
Code:

[   17.007766] audit: type=1400 audit(1412468551.819:75): avc:  denied  { read } for  pid=2771 comm="rc" name="sshd.pid" dev="tmpfs" ino=4752 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_tmpfs_t tclass=file
[   17.007786] audit: type=1400 audit(1412468551.819:76): avc:  denied  { open } for  pid=2771 comm="rc" path="/run/sshd.pid" dev="tmpfs" ino=4752 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_tmpfs_t tclass=file
[   17.011138] audit: type=1400 audit(1412468551.823:77): avc:  denied  { search } for  pid=3209 comm="cgroup-release-" name="/" dev="tmpfs" ino=1842 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   17.130504] audit: type=1400 audit(1412468551.942:78): avc:  denied  { read } for  pid=3245 comm="tmpfiles.sh" name="tmpfiles.d" dev="tmpfs" ino=1818 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   17.130521] audit: type=1400 audit(1412468551.942:79): avc:  denied  { open } for  pid=3245 comm="tmpfiles.sh" path="/run/tmpfiles.d" dev="tmpfs" ino=1818 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   17.138425] audit: type=1400 audit(1412468551.950:80): avc:  denied  { getattr } for  pid=3245 comm="tmpfiles.sh" path="/var/lib/dhcp" dev="sda3" ino=2359306 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:unlabeled_t tclass=dir
[   17.156247] audit: type=1400 audit(1412468551.968:81): avc:  denied  { write } for  pid=3250 comm="install" name="/" dev="tmpfs" ino=1744 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   17.168190] audit: type=1400 audit(1412468551.980:84): avc:  denied  { setattr } for  pid=3253 comm="install" name="mysqld" dev="tmpfs" ino=6013 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   22.728943] audit_printk_skb: 152 callbacks suppressed
[   22.728949] audit: type=1400 audit(1412468557.540:138): avc:  denied  { read } for  pid=3463 comm="login" name="run" dev="sda3" ino=2359302 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[   22.728988] audit: type=1400 audit(1412468557.540:139): avc:  denied  { search } for  pid=3463 comm="login" name="/" dev="tmpfs" ino=1744 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   22.729063] audit: type=1400 audit(1412468557.541:140): avc:  denied  { read } for  pid=3463 comm="login" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   22.729085] audit: type=1400 audit(1412468557.541:141): avc:  denied  { open } for  pid=3463 comm="login" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   22.729119] audit: type=1400 audit(1412468557.541:142): avc:  denied  { lock } for  pid=3463 comm="login" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   22.864001] audit: type=1400 audit(1412468557.676:143): avc:  denied  { getattr } for  pid=3463 comm="login" path="/var/log/tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=file
[   22.864054] audit: type=1400 audit(1412468557.676:144): avc:  denied  { read write } for  pid=3463 comm="login" name="tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=file
[   22.864076] audit: type=1400 audit(1412468557.676:145): avc:  denied  { open } for  pid=3463 comm="login" path="/var/log/tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=file
[   28.177162] audit: type=1400 audit(1412468562.989:146): avc:  denied  { lock } for  pid=3463 comm="login" path="/var/log/lastlog" dev="sda3" ino=2359313 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=file
[   28.221567] audit: type=1400 audit(1412468563.033:147): avc:  denied  { read } for  pid=3472 comm="login" name="run" dev="sda3" ino=2359302 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[   28.221617] audit: type=1400 audit(1412468563.033:148): avc:  denied  { read } for  pid=3472 comm="login" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   28.221632] audit: type=1400 audit(1412468563.033:149): avc:  denied  { open } for  pid=3472 comm="login" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   28.221666] audit: type=1400 audit(1412468563.033:150): avc:  denied  { write } for  pid=3472 comm="login" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   28.221699] audit: type=1400 audit(1412468563.033:151): avc:  denied  { lock } for  pid=3472 comm="login" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:initrc_state_t tclass=file
[   52.704099] usb 4-1: USB disconnect, device number 2
[   52.719100] audit: type=1400 audit(1412468587.531:152): avc:  denied  { getattr } for  pid=15 comm="kdevtmpfs" path="/input/event2" dev="devtmpfs" ino=4246 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:event_device_t tclass=chr_file
[   52.719117] audit: type=1400 audit(1412468587.531:153): avc:  denied  { setattr } for  pid=15 comm="kdevtmpfs" name="event2" dev="devtmpfs" ino=4246 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:event_device_t tclass=chr_file
[   52.719133] audit: type=1400 audit(1412468587.531:154): avc:  denied  { unlink } for  pid=15 comm="kdevtmpfs" name="event2" dev="devtmpfs" ino=4246 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:event_device_t tclass=chr_file
[   52.719758] audit: type=1400 audit(1412468587.531:155): avc:  denied  { write } for  pid=2402 comm="systemd-udevd" name="udev" dev="tmpfs" ino=4330 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   52.719780] audit: type=1400 audit(1412468587.531:156): avc:  denied  { add_name } for  pid=2402 comm="systemd-udevd" name="queue" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[   52.719854] audit: type=1400 audit(1412468587.531:157): avc:  denied  { create } for  pid=2402 comm="systemd-udevd" name="queue" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   52.719896] audit: type=1400 audit(1412468587.531:158): avc:  denied  { write open } for  pid=2402 comm="systemd-udevd" path="/run/udev/queue" dev="tmpfs" ino=6144 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   52.720249] audit: type=1400 audit(1412468587.532:159): avc:  denied  { read } for  pid=3480 comm="systemd-udevd" name="c13:66" dev="tmpfs" ino=5270 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   52.720281] audit: type=1400 audit(1412468587.532:160): avc:  denied  { getattr } for  pid=3480 comm="systemd-udevd" path="/run/udev/data/c13:66" dev="tmpfs" ino=5270 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=file
[   52.721050] audit: type=1400 audit(1412468587.533:161): avc:  denied  { remove_name } for  pid=3480 comm="systemd-udevd" name="c13:66" dev="tmpfs" ino=5270 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[  177.092910] audit_printk_skb: 15 callbacks suppressed
[  177.092919] audit: type=1400 audit(1412468711.904:167): avc:  denied  { search } for  pid=3484 comm="sshd" name="empty" dev="sda3" ino=2359305 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
[  177.251850] audit: type=1400 audit(1412468712.063:168): avc:  denied  { getattr } for  pid=3486 comm="sshd" path="/var/log/tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[  177.251873] audit: type=1400 audit(1412468712.063:169): avc:  denied  { read write } for  pid=3486 comm="sshd" name="tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[  177.251887] audit: type=1400 audit(1412468712.063:170): avc:  denied  { open } for  pid=3486 comm="sshd" path="/var/log/tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[  177.303704] audit: type=1400 audit(1412468712.116:171): avc:  denied  { read } for  pid=3486 comm="sshd" name="run" dev="sda3" ino=2359302 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[  189.635294] audit: type=1400 audit(1412468724.447:172): avc:  denied  { lock } for  pid=3482 comm="sshd" path="/var/log/lastlog" dev="sda3" ino=2359313 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[  189.642253] audit: type=1400 audit(1412468724.454:173): avc:  denied  { read } for  pid=3482 comm="sshd" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  189.642269] audit: type=1400 audit(1412468724.454:174): avc:  denied  { open } for  pid=3482 comm="sshd" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  189.642292] audit: type=1400 audit(1412468724.454:175): avc:  denied  { lock } for  pid=3482 comm="sshd" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  189.706297] audit: type=1400 audit(1412468724.518:176): avc:  denied  { write } for  pid=3482 comm="sshd" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file

[  202.767035] audit: type=1400 audit(1412468737.578:177): avc:  denied  { read } for  pid=3500 comm="newrole" name="run" dev="sda3" ino=2359302 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[  202.767098] audit: type=1400 audit(1412468737.579:178): avc:  denied  { search } for  pid=3500 comm="newrole" name="/" dev="tmpfs" ino=1744 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[  202.767154] audit: type=1400 audit(1412468737.579:179): avc:  denied  { read } for  pid=3500 comm="newrole" name="utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  202.767177] audit: type=1400 audit(1412468737.579:180): avc:  denied  { open } for  pid=3500 comm="newrole" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  202.767219] audit: type=1400 audit(1412468737.579:181): avc:  denied  { lock } for  pid=3500 comm="newrole" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:newrole_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  223.673337] audit: type=1400 audit(1412468758.485:182): avc:  denied  { read } for  pid=3513 comm="su" name="run" dev="sda3" ino=2359302 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[  223.673373] audit: type=1400 audit(1412468758.485:183): avc:  denied  { search } for  pid=3513 comm="su" name="/" dev="tmpfs" ino=1744 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[  223.673411] audit: type=1400 audit(1412468758.485:184): avc:  denied  { read } for  pid=3513 comm="su" name="utmp" dev="tmpfs" ino=4896 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  223.673426] audit: type=1400 audit(1412468758.485:185): avc:  denied  { open } for  pid=3513 comm="su" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  223.673451] audit: type=1400 audit(1412468758.485:186): avc:  denied  { lock } for  pid=3513 comm="su" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  228.661060] audit: type=1400 audit(1412468763.473:187): avc:  denied  { read } for  pid=3482 comm="sshd" name="run" dev="sda3" ino=2359302 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[42666.501903] audit: type=1400 audit(1412511201.313:188): avc:  denied  { read } for  pid=3611 comm="sshd" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[42666.501921] audit: type=1400 audit(1412511201.313:189): avc:  denied  { open } for  pid=3611 comm="sshd" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[42666.501943] audit: type=1400 audit(1412511201.313:190): avc:  denied  { lock } for  pid=3611 comm="sshd" path="/run/utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[42666.558918] audit: type=1400 audit(1412511201.370:191): avc:  denied  { write } for  pid=3611 comm="sshd" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43139.979483] audit: type=1400 audit(1412511674.791:192): avc:  denied  { read } for  pid=3632 comm="screen" name="run" dev="sda3" ino=2359302 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[43139.979517] audit: type=1400 audit(1412511674.791:193): avc:  denied  { search } for  pid=3632 comm="screen" name="/" dev="tmpfs" ino=1744 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[43139.979543] audit: type=1400 audit(1412511674.791:194): avc:  denied  { read write } for  pid=3632 comm="screen" name="utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43139.979558] audit: type=1400 audit(1412511674.791:195): avc:  denied  { open } for  pid=3632 comm="screen" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43139.980313] audit: type=1400 audit(1412511674.792:196): avc:  denied  { getattr } for  pid=3348 comm="syslog-ng" path="/var/log/messages" dev="sda3" ino=2359311 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[43139.980337] audit: type=1400 audit(1412511674.792:197): avc:  denied  { append } for  pid=3348 comm="syslog-ng" name="messages" dev="sda3" ino=2359311 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[43139.980350] audit: type=1400 audit(1412511674.792:198): avc:  denied  { open } for  pid=3348 comm="syslog-ng" path="/var/log/messages" dev="sda3" ino=2359311 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[43139.980380] audit: type=1400 audit(1412511674.792:199): avc:  denied  { setattr } for  pid=3348 comm="syslog-ng" name="messages" dev="sda3" ino=2359311 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[43140.022799] audit: type=1400 audit(1412511674.834:200): avc:  denied  { lock } for  pid=3632 comm="screen" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43212.073388] audit: type=1400 audit(1412511746.885:201): avc:  denied  { create } for  pid=2691 comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
[43212.073489] audit: type=1400 audit(1412511746.885:202): avc:  denied  { ioctl } for  pid=2691 comm="busybox" path="socket:[7244]" dev="sockfs" ino=7244 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
[43212.073630] audit: type=1400 audit(1412511746.885:203): avc:  denied  { name_bind } for  pid=2691 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
[43212.073651] audit: type=1400 audit(1412511746.885:204): avc:  denied  { node_bind } for  pid=2691 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:node_t tclass=udp_socket
[43212.095393] audit: type=1400 audit(1412511746.907:205): avc:  denied  { read } for  pid=3653 comm="udhcpc-hook.sh" name="run" dev="sda3" ino=2359302 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[43388.089618] audit: type=1400 audit(1412511922.901:206): avc:  denied  { lock } for  pid=3645 comm="screen" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43722.892860] audit: type=1400 audit(1412512257.704:207): avc:  denied  { read } for  pid=3686 comm="screen" name="run" dev="sda3" ino=2359302 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[43722.892889] audit: type=1400 audit(1412512257.704:208): avc:  denied  { read write } for  pid=3686 comm="screen" name="utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43722.892904] audit: type=1400 audit(1412512257.704:209): avc:  denied  { open } for  pid=3686 comm="screen" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:staff_r:staff_screen_t tcontext=system_u:object_r:initrc_state_t tclass=file
[44618.157803] audit: type=1400 audit(1412513152.969:210): avc:  denied  { read } for  pid=3702 comm="su" name="run" dev="sda3" ino=2359302 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
[44618.157850] audit: type=1400 audit(1412513152.969:211): avc:  denied  { read } for  pid=3702 comm="su" name="utmp" dev="tmpfs" ino=4896 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:initrc_state_t tclass=file
[44618.157866] audit: type=1400 audit(1412513152.969:212): avc:  denied  { open } for  pid=3702 comm="su" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:initrc_state_t tclass=file
[44618.157891] audit: type=1400 audit(1412513152.969:213): avc:  denied  { lock } for  pid=3702 comm="su" path="/run/utmp" dev="tmpfs" ino=4896 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:initrc_state_t tclass=file
[44707.311465] audit: type=1400 audit(1412513242.123:214): avc:  denied  { search } for  pid=3727 comm="su" name="/" dev="tmpfs" ino=1744 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[46489.698095] audit: type=1400 audit(1412515024.510:215): avc:  denied  { read } for  pid=3753 comm="dmesg" name="kmsg" dev="devtmpfs" ino=3534 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
[46489.698124] audit: type=1400 audit(1412515024.510:216): avc:  denied  { open } for  pid=3753 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=3534 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
[46891.097591] audit: type=1400 audit(1412515425.909:217): avc:  denied  { getattr } for  pid=3781 comm="sshd" path="/var/empty" dev="sda3" ino=2359305 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
[46891.112469] audit: type=1400 audit(1412515425.924:218): avc:  denied  { read } for  pid=3783 comm="rc" name="sshd.pid" dev="tmpfs" ino=4752 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_tmpfs_t tclass=file
[46891.112496] audit: type=1400 audit(1412515425.924:219): avc:  denied  { open } for  pid=3783 comm="rc" path="/run/sshd.pid" dev="tmpfs" ino=4752 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_tmpfs_t tclass=file
[46898.607933] audit: type=1400 audit(1412515433.419:220): avc:  denied  { read } for  pid=3806 comm="dmesg" name="kmsg" dev="devtmpfs" ino=3534 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
[46898.607953] audit: type=1400 audit(1412515433.419:221): avc:  denied  { open } for  pid=3806 comm="dmesg" path="/dev/kmsg" dev="devtmpfs" ino=3534 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:kmsg_device_t tclass=chr_file


To see what the context was in this case, here is how I connected.
I connected via ssh to a user account.
Then:
Code:

$ newrole -r sysadm_r
Password:
$ id -Z
staff_u:sysadm_r:sysadm_t
$ su
Password:
# id -Z
staff_u:sysadm_r:sysadm_t


My fstab:
Code:

# cat /etc/fstab
# /etc/fstab: static file system information.
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed); notail increases performance of ReiserFS (at the expense of storage
# efficiency).  It's safe to drop the noatime options if you want and to
# switch between notail / tail freely.
#
# The root filesystem should have a pass number of either 0 or 1.
# All other filesystems should have a pass number of 0 or greater than 1.
#
# See the manpage fstab(5) for more information.
#

# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>

# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/sda3               /boot           ext2            noauto,noatime  1 2
/dev/sda1               /               ext4            noatime         0 1
/dev/sda2               none            swap            sw              0 0
/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
/dev/sda5               /var            ext4            noatime         0 2
/dev/sda6               /tmp            ext4            noatime         0 2


So my first focus is to figure out why syslog-ng, sshd, and agetty/login are unable to work in enforcing mode.
Is this entirely because I have /tmp on a separate partition?

Let me know if there is any other info I can provide to narrow in on the issue.

Thank you
Author: juggling_ben (n00b; Joined: 25 Nov 2007; Posts: 15)
Posted: Tue Oct 14, 2014 1:32 am    Post subject: Re: Gentoo-Hardened Selinux Issues

A few things:

1.) Are you using OpenRC or systemd? From the log, it may be systemd.

Unfortunately, I don't have much experience with systemd + SELinux, and I'm not sure how common that setup is yet.

If you are actually using OpenRC, what version are you using? I highly recommend 13.1, as there were some important fixes concerning SELinux. It was mostly about contexts in /var/run (where you are seeing a lot of errors).


2.) You do have some unlabeled files. They need to be fixed with restorecon, i.e.

Code:

restorecon -Rv /var


etc., wherever you want.

3.) /tmp is usually a separate partition, but is almost always a RAM-based filesystem (tmpfs). Nothing in /tmp should really be stored between boots.


I don't know how much the hardened guys pay attention to the forums. You can usually reach them on the gentoo-hardened mailing list - they are usually pretty helpful. They may know more about the systemd stuff, but with all the controversy about systemd lately, approach with caution :)
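The denials in the first post fall into two buckets that need different fixes. Records whose target is unlabeled_t (tallylog, lastlog, /var/log/messages, /var/empty, /var/lib/dhcp) are a labeling problem and are what the reply's restorecon suggestion addresses. Records between two real types (initrc_t reading sshd_tmpfs_t, local_login_t and sshd_t touching initrc_state_t, udev_t writing tmpfs_t under /run) will not change no matter how often /var is relabelled; they are a policy or OpenRC-version question. The script below is an added example, not code from either poster or from Gentoo: it parses AVC records in the dmesg format shown above, counts them per source type, target type, class and permission set, separates the two buckets, and prints the restorecon commands for the first one. The sample input is a subset of lines copied from the first post plus one unrelated kernel line; collapsing each unlabeled path to its first directory component before emitting `restorecon -Rv` is a heuristic of this example, not something the thread prescribes.

```python
"""Triage SELinux AVC denials from a dmesg dump.

Added example, not code from the thread or from Gentoo. It splits denials
into those whose target is unlabeled_t (fix: relabel) and those between
two real types (fix: policy / OpenRC version), and emits restorecon
commands for the first group.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the first post, plus
# one non-AVC kernel line to show that unrelated lines are ignored.
SAMPLE_DMESG = """\
[   17.007766] audit: type=1400 audit(1412468551.819:75): avc:  denied  { read } for  pid=2771 comm="rc" name="sshd.pid" dev="tmpfs" ino=4752 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sshd_tmpfs_t tclass=file
[   17.138425] audit: type=1400 audit(1412468551.950:80): avc:  denied  { getattr } for  pid=3245 comm="tmpfiles.sh" path="/var/lib/dhcp" dev="sda3" ino=2359306 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:unlabeled_t tclass=dir
[   22.864054] audit: type=1400 audit(1412468557.676:144): avc:  denied  { read write } for  pid=3463 comm="login" name="tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=file
[   22.864076] audit: type=1400 audit(1412468557.676:145): avc:  denied  { open } for  pid=3463 comm="login" path="/var/log/tallylog" dev="sda3" ino=2359312 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:unlabeled_t tclass=file
[   52.704099] usb 4-1: USB disconnect, device number 2
[  177.092919] audit: type=1400 audit(1412468711.904:167): avc:  denied  { search } for  pid=3484 comm="sshd" name="empty" dev="sda3" ino=2359305 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
[  189.642253] audit: type=1400 audit(1412468724.454:173): avc:  denied  { read } for  pid=3482 comm="sshd" name="utmp" dev="tmpfs" ino=4896 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:initrc_state_t tclass=file
[43139.980337] audit: type=1400 audit(1412511674.792:197): avc:  denied  { append } for  pid=3348 comm="syslog-ng" name="messages" dev="sda3" ino=2359311 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[43139.980350] audit: type=1400 audit(1412511674.792:198): avc:  denied  { open } for  pid=3348 comm="syslog-ng" path="/var/log/messages" dev="sda3" ino=2359311 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file
[46891.097591] audit: type=1400 audit(1412515425.909:217): avc:  denied  { getattr } for  pid=3781 comm="sshd" path="/var/empty" dev="sda3" ino=2359305 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def context_type(ctx):
    """Type component of a context string (user:role:type[:level])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one dmesg line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else b for k, q, b in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "path": fields.get("path"),   # full path, present only on some records
        "name": fields.get("name"),   # last component when path= is absent
    }


def parse_dmesg(text):
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def summarise(records):
    """Count denials per (source type, target type, class, permission set)."""
    return Counter((r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in records)


def unlabeled_targets(records):
    """Split unlabeled_t targets into full paths and name-only hits.

    Name-only records cannot be relabelled from the AVC alone; locate the
    file first (the ino= field helps), then run restorecon on it.
    """
    paths, names = set(), set()
    for r in records:
        if r["ttype"] != "unlabeled_t":
            continue
        if r["path"]:
            paths.add(r["path"])
        elif r["name"]:
            names.add(r["name"])
    return sorted(paths), sorted(names)


def policy_pairs(records):
    """(source type, target type, class) triples not involving unlabeled_t.

    Real-type-to-real-type denials: restorecon will not change these.
    """
    return sorted({(r["stype"], r["ttype"], r["tclass"])
                   for r in records if r["ttype"] != "unlabeled_t"})


def restorecon_plan(paths):
    """One 'restorecon -Rv' per top-level directory holding an unlabeled path.

    Heuristic of this example: collapsing to the first path component
    relabels the whole tree (e.g. /var) in one pass.
    """
    roots = sorted({"/" + p.strip("/").split("/")[0] for p in paths if p.startswith("/")})
    return ["restorecon -Rv " + root for root in roots]


if __name__ == "__main__":
    recs = parse_dmesg(SAMPLE_DMESG)
    for (stype, ttype, tclass, perms), n in summarise(recs).most_common():
        print("%3d  %-14s -> %-16s %-8s %s" % (n, stype, ttype, tclass, " ".join(perms)))
    paths, names = unlabeled_targets(recs)
    print("\nunlabeled_t by path:", paths)
    print("unlabeled_t by name only:", names)
    print("real-type denials (policy, not labels):", policy_pairs(recs))
    print("\nrelabel with:")
    for cmd in restorecon_plan(paths):
        print("  " + cmd)
```

Run it against `dmesg` output (or `/var/log/audit/audit.log`, which uses the same `avc: denied { ... } for ...` record body) and act on the two lists separately: relabel what `unlabeled_targets` reports, then re-check whether anything in `policy_pairs` survives after the relabel, since only those remaining entries are worth taking to the policy or to the openrc version question raised in the reply.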
All times are GMT