wichtounet (Tux's lil' helper)
Joined: 17 Mar 2012 Posts: 122
Posted: Fri May 08, 2015 7:48 pm Post subject: Any documentation on systemd and selinux?
Hello Gentoo folks

I started installing a new server following the Gentoo hardened information and it works well for now with SELinux in permissive mode. However, I have a lot of denials that seem related to SELinux and I don't find any information on how to work with the two together.

Here are some examples of denials I have:

Quote:
avc: denied { search } for pid=3481 comm="systemd-journal" name="4119" dev="proc" ino=10406 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=dir permissive=1
avc: denied { read } for pid=3481 comm="systemd-journal" name="cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
avc: denied { open } for pid=3481 comm="systemd-journal" path="/proc/4119/cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
avc: denied { getattr } for pid=3481 comm="systemd-journal" path="/proc/4119/cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
avc: denied { read } for pid=3481 comm="systemd-journal" name="exe" dev="proc" ino=9618 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=lnk_file permissive=1
avc: denied { write } for pid=4119 comm="sudo" path="/run/systemd/sessions/2.ref" dev="tmpfs" ino=9130 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:init_var_run_t tclass=fifo_file permissive=1
avc: denied { sendto } for pid=4046 comm="systemd-network" path="/run/systemd/notify" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=unix_dgram_socket permissive=1

Have I missed something in the installation?

Another question, with this kind of denial:

Quote:
avc: denied { use } for pid=4119 comm="sudo" path="/dev/pts/0" dev="devpts" ino=3 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:system_r:init_t tclass=fd permissive=1

I have read that it is necessary to put tmpfs/devpts and other non-physical file systems in fstab for SELinux, but in my case it is systemd that is mounting them. What do I have to do to fix this?

This is my first functional SELinux system, so maybe there is something trivial that I forgot; don't hesitate to point me to docs.

Thanks a lot
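The denials quoted above are all in the kernel AVC format, and the practical first step for triaging them (before reaching for audit2allow, which the later reply mentions) is to group them by source type, target type and object class and look at which domains are interacting. The following is an added example, not code from the thread or from Gentoo's hardened documentation: a small parser that does that grouping over the denial lines quoted in the post, renders each group in the allow-rule shape that audit2allow would emit, and flags the groups where the init domain and the sysadmin's sudo domain touch each other. The `SAMPLE_DENIALS` string is copied from the post; the flagging rule for `init_t`/`sysadm_sudo_t` is the example's own assumption about what a reviewer would want to inspect, not a statement about the reference policy.

```python
import re
from collections import defaultdict

# Sample input: the AVC denial lines quoted in the post above, used here as test data.
SAMPLE_DENIALS = """\
avc: denied { search } for pid=3481 comm="systemd-journal" name="4119" dev="proc" ino=10406 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=dir permissive=1
avc: denied { read } for pid=3481 comm="systemd-journal" name="cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
avc: denied { open } for pid=3481 comm="systemd-journal" path="/proc/4119/cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
avc: denied { getattr } for pid=3481 comm="systemd-journal" path="/proc/4119/cgroup" dev="proc" ino=9616 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=file permissive=1
avc: denied { read } for pid=3481 comm="systemd-journal" name="exe" dev="proc" ino=9618 scontext=system_u:system_r:init_t tcontext=staff_u:sysadm_r:sysadm_sudo_t tclass=lnk_file permissive=1
avc: denied { write } for pid=4119 comm="sudo" path="/run/systemd/sessions/2.ref" dev="tmpfs" ino=9130 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:init_var_run_t tclass=fifo_file permissive=1
avc: denied { sendto } for pid=4046 comm="systemd-network" path="/run/systemd/notify" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=unix_dgram_socket permissive=1
avc: denied { use } for pid=4119 comm="sudo" path="/dev/pts/0" dev="devpts" ino=3 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:system_r:init_t tclass=fd permissive=1
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def summarise(text):
    """Group denials by (source type, target type, class) and union their permissions.

    The result has the same shape as the allow rules audit2allow would generate,
    so it is the unit a reviewer should judge one group at a time."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def to_te_rules(summary):
    """Render each group as a type-enforcement allow rule, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def flag_cross_domain(summary):
    """Flag groups where init_t and sysadm_sudo_t touch each other (assumed review rule).

    Allowing these wholesale would let the init domain read the sudo session's /proc
    entries and let the sudo domain use init's file descriptors, so they deserve a
    human decision rather than a blanket allow."""
    return sorted(k for k in summary if {k[0], k[1]} == {'init_t', 'sysadm_sudo_t'})


if __name__ == '__main__':
    summary = summarise(SAMPLE_DENIALS)
    for rule in to_te_rules(summary):
        print(rule)
    print('needs review:', flag_cross_domain(summary))
```

Every line in the sample carries `permissive=1`, which means the access was logged and then permitted; the grouped output shows what an enforcing policy would actually block. The point of grouping before generating rules is that the four `init_t -> sysadm_sudo_t` groups and the `sysadm_sudo_t -> init_t:fd { use }` group describe one interaction (systemd-journal inspecting the sudo process and sudo inheriting a descriptor from init), and that interaction is what should be decided on, not eight individual lines.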
gienah (Developer)
Joined: 24 Nov 2010 Posts: 212 Location: AU
wichtounet (Tux's lil' helper)
Joined: 17 Mar 2012 Posts: 122
Posted: Wed May 20, 2015 6:22 am Post subject:
Thanks for your answer. I assumed that the systemd policy would be complete since so many people are using it now, but it seems I was too optimistic.

It is my first system ever with SELinux, so I'm probably not a good candidate to help with creating the policy. OpenRC is not an option on this server. I'm gonna try seeing what I can do with audit2allow for starters.

Thanks