Gentoo Forums
Different small problems with the implementation of SELinux
Jimini
Guru
Joined: 31 Oct 2006
Posts: 581
Location: Germany

Posted: Sun May 24, 2015 7:04 am    Post subject: Different small problems with the implementation of SELinux

Hey there,

I am currently implementing SELinux on one of my Gentoo systems and experiencing some smaller problems:

1. "neverallow" rules
When building modules using audit2allow, some rules are generated that lead to a compiler error, for example:
Code:
allow zabbix_agent_t fixed_disk_device_t:blk_file { read ioctl open };

or
Code:
allow kernel_t proc_kmsg_t:file { read open };

or
Code:
allow kernel_t shadow_t:file { read open };


The error looks like the following:
Quote:
Neverallow found that matches avrule at line 93 of /var/lib/selinux/strict/tmp/modules/100/storage/cil
Binary policy creation failed at line 3 of /var/lib/selinux/strict/tmp/modules/400/test/cil
Failed to generate binary
semodule: Failed!


Since /var/lib/selinux/strict/active/modules/100/storage/cil contains the line
Quote:
(neverallow storage_typeattr_1 fixed_disk_device_t (blk_file (read)))

the compiler throws an error.

I am now unsure how to deal with these rules.

2. When executing audit2allow -li /var/log/audit.log, I get the following errors:
Quote:
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid


I assume that this has to do with the next problem.

3. My syslog logs "SELinux: Context system_u:system_r:gcc_config_t would be invalid if enforcing" from time to time. This seems to happen independently of the occurrence of the previous problem.

I have been searching the web for two weeks now, and an SELinux book could not help me shed light on this so far either. Hence, any help would be really appreciated.

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
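The "Neverallow found that matches avrule" error above means semodule is refusing an audit2allow-generated rule because a policy-wide neverallow assertion forbids that access outright; the fix is to find the process that triggered the denial rather than to grant it. The following script is an added example (not part of this thread, nor code from Gentoo, audit2allow or the reference policy) that pre-checks a set of TE `allow` rules against CIL `neverallow` statements and reports the ones that would fail at load time. The neverallow from the thread is used verbatim; the `typeattributeset` memberships (`storage_typeattr_1`, `domain`) are constructed for the example, and the CIL parsing is simplified to one class per neverallow with no negation or wildcards.

```python
"""Pre-check audit2allow-style allow rules against CIL neverallow assertions.

Added example for the thread above, not Gentoo's or audit2allow's own code.
Attribute names are resolved through (typeattributeset ...) statements so a
neverallow on an attribute matches every concrete type in it.  Assumed
simplifications: one object class per neverallow, no negation, no wildcards.
"""
import re
from collections import defaultdict

# Constructed sample policy fragment.  The first neverallow is the one quoted
# in the thread; the attribute memberships are assumed for this example.
CIL_POLICY = """
(typeattributeset storage_typeattr_1 (zabbix_agent_t user_t))
(typeattributeset domain (kernel_t zabbix_agent_t))
(neverallow storage_typeattr_1 fixed_disk_device_t (blk_file (read)))
(neverallow domain shadow_t (file (read write)))
"""

# The three rules audit2allow generated in the thread.
TE_RULES = """
allow zabbix_agent_t fixed_disk_device_t:blk_file { read ioctl open };
allow kernel_t proc_kmsg_t:file { read open };
allow kernel_t shadow_t:file { read open };
"""

ATTR_RE = re.compile(r"\(typeattributeset\s+(\S+)\s+\(([^()]*)\)\)")
NEVER_RE = re.compile(
    r"\(neverallow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^()]*)\)\)\)")
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)


def parse_attrs(cil):
    """Map attribute name -> set of member types."""
    attrs = defaultdict(set)
    for name, members in ATTR_RE.findall(cil):
        attrs[name].update(members.split())
    return attrs


def expand(name, attrs):
    """Concrete types denoted by a type or attribute name."""
    return set(attrs[name]) if name in attrs else {name}


def parse_neverallows(cil, attrs):
    """Return neverallow rules with source/target expanded to type sets."""
    rules = []
    for src, tgt, cls, perms in NEVER_RE.findall(cil):
        rules.append({
            "text": f"(neverallow {src} {tgt} ({cls} ({perms})))",
            "src": expand(src, attrs), "tgt": expand(tgt, attrs),
            "cls": cls, "perms": set(perms.split()),
        })
    return rules


def parse_allows(te):
    """Parse TE 'allow src tgt:class { perms };' lines."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te):
        rules.append({"src": src, "tgt": tgt, "cls": cls,
                      "perms": set(perms.strip("{} ").split())})
    return rules


def find_conflicts(te, cil):
    """Return (allow_rule, neverallow_text, offending_perms) for every allow
    rule that a neverallow would reject at semodule time."""
    attrs = parse_attrs(cil)
    nevers = parse_neverallows(cil, attrs)
    conflicts = []
    for a in parse_allows(te):
        for n in nevers:
            if (a["src"] in n["src"] and a["tgt"] in n["tgt"]
                    and a["cls"] == n["cls"]):
                hit = a["perms"] & n["perms"]
                if hit:
                    conflicts.append((a, n["text"], sorted(hit)))
    return conflicts


if __name__ == "__main__":
    for a, never, perms in find_conflicts(TE_RULES, CIL_POLICY):
        print(f"allow {a['src']} {a['tgt']}:{a['cls']} {perms} "
              f"is forbidden by {never}; investigate the process instead")
```

Run against the thread's rules, the first and third `allow` lines are flagged on `read` (the second, `kernel_t` reading `proc_kmsg_t`, has no matching assertion in the sample), which is exactly the split between rules that belong in a local module and denials that point at a process or labelling that needs fixing. Against a real policy the CIL under `/var/lib/selinux/<store>/active/modules/` is the input to read; the regexes here would need extending for nested expressions and `typeattributeset` statements that use `and`/`not`.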
Jimini
Guru
Joined: 31 Oct 2006
Posts: 581
Location: Germany

Posted: Sat Apr 07, 2018 3:55 pm    Post subject: Re: Different small problems with the implementation of SELinux

Since I recently got some of these errors again, I googled - and found this thread. So I solved the problem with the neverallow rules by identifying the processes which violate these conditions.
The other problems remain unsolved, so far.

Best Regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)