Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Sun May 24, 2015 7:04 am Post subject: Different small problems with the implementation of SELinux
Hey there,
I am currently implementing SELinux on one of my Gentoo systems and experiencing some smaller problems:
1. "neverallow" rules
When building modules using audit2allow, some rules are generated that lead to a compiler error, for example:
Code: | allow zabbix_agent_t fixed_disk_device_t:blk_file { read ioctl open }; |
or
Code: | allow kernel_t proc_kmsg_t:file { read open }; |
or
Code: | allow kernel_t shadow_t:file { read open }; |
The error looks like the following:
Quote: | Neverallow found that matches avrule at line 93 of /var/lib/selinux/strict/tmp/modules/100/storage/cil
Binary policy creation failed at line 3 of /var/lib/selinux/strict/tmp/modules/400/test/cil
Failed to generate binary
semodule: Failed! |
Since /var/lib/selinux/strict/active/modules/100/storage/cil contains the line
Quote: | (neverallow storage_typeattr_1 fixed_disk_device_t (blk_file (read))) |
the compiler throws an error.
I am now unsure how to deal with these rules.
2. When executing audit2allow -li /var/log/audit.log, I get the following errors:
Quote: | libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:gcc_config_t to sid
[the same four lines repeat six more times] |
I assume that this has to do with the next problem.
3. My syslog logs "SELinux: Context system_u:system_r:gcc_config_t would be invalid if enforcing" from time to time. This seems to happen independently of the occurrence of the previous problem.
I have been searching the web for two weeks now, and an SELinux book could not help me shed light on this so far either. Hence, any help would be really appreciated.
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
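The first post shows the mechanism behind the compiler error: audit2allow turns AVC denials into allow rules without looking at the base policy, and the CIL compiler then refuses any module whose allow rule intersects a neverallow. The script below is an added example, not code from the thread or from the SELinux userspace tools; it reproduces that check offline so the offending rules can be found before semodule rejects the whole module. The audit lines, the CIL neverallow statements (the first mirrors the one quoted from storage.cil) and the attribute map saying which types carry storage_typeattr_1 are all constructed for the example; on a real system the attribute membership has to come from the loaded policy.

```python
"""
Added example, not from the forum post: check audit2allow-style rules against
neverallow rules before running `semodule -i`, reproducing offline the check
that made the CIL compiler reject the module in the thread above.

Everything below is constructed for the example: the AVC denial lines, the CIL
neverallow rules and the attribute map. A real checker would take attribute
membership from the loaded policy (seinfo/sesearch), not from a hand-written dict.
"""
import re
from collections import defaultdict

# Constructed AVC denials in audit.log shape, trimmed to the fields we parse.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1432450000.123:101): avc:  denied  { read } for  pid=1234 comm="zabbix_agentd" name="sda" dev="devtmpfs" ino=1 scontext=system_u:system_r:zabbix_agent_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1432450000.123:102): avc:  denied  { ioctl open } for  pid=1234 comm="zabbix_agentd" name="sda" dev="devtmpfs" ino=1 scontext=system_u:system_r:zabbix_agent_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1432450001.456:103): avc:  denied  { read open } for  pid=1 comm="init" name="shadow" dev="sda1" ino=77 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:shadow_t tclass=file permissive=1
type=AVC msg=audit(1432450002.789:104): avc:  denied  { getattr } for  pid=1234 comm="zabbix_agentd" name="mounts" dev="proc" ino=4 scontext=system_u:system_r:zabbix_agent_t tcontext=system_u:object_r:proc_t tclass=file permissive=1
"""

# Constructed CIL neverallow rules; the first mirrors the one quoted from storage.cil,
# the second is a simplified stand-in written directly against a type.
SAMPLE_NEVERALLOW = """\
(neverallow storage_typeattr_1 fixed_disk_device_t (blk_file (read)))
(neverallow kernel_t shadow_t (file (read write)))
"""

# Constructed attribute membership (hypothetical); a real policy resolves this itself.
ATTRIBUTES = {"storage_typeattr_1": {"zabbix_agent_t", "user_t"}}

# Source/target type is the third context field; a trailing MLS level (":s0") is skipped.
AVC_RE = re.compile(
    r"denied\s+\{ (?P<perms>[^}]*?)\s*\} .*?"
    r"scontext=\w+:\w+:(?P<src>\w+)\S* tcontext=\w+:\w+:(?P<tgt>\w+)\S* tclass=(?P<cls>\w+)"
)
# Single-class CIL neverallow: (neverallow SRC TGT (CLASS (PERM ...)))
NEVERALLOW_RE = re.compile(
    r"\(neverallow (?P<src>\S+) (?P<tgt>\S+) \((?P<cls>\w+) \((?P<perms>[^)]+)\)\)\)"
)


def allow_rules_from_audit(audit_text):
    """Collapse AVC denials into {(src, tgt, class): perms}, the way audit2allow does."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)


def parse_neverallow(cil_text):
    """Parse single-class CIL neverallow statements into (src, tgt, class, perms)."""
    return [(m["src"], m["tgt"], m["cls"], set(m["perms"].split()))
            for m in NEVERALLOW_RE.finditer(cil_text)]


def expand(name, attributes):
    """A neverallow source or target may be an attribute; resolve it to a set of types."""
    return set(attributes.get(name, {name}))


def find_conflicts(allow_rules, neverallows, attributes):
    """Return (src, tgt, class, perms) for every generated rule that a neverallow forbids."""
    conflicts = []
    for (src, tgt, cls), perms in allow_rules.items():
        for n_src, n_tgt, n_cls, n_perms in neverallows:
            if cls != n_cls:
                continue
            if src not in expand(n_src, attributes) or tgt not in expand(n_tgt, attributes):
                continue
            clash = perms & n_perms
            if clash:
                conflicts.append((src, tgt, cls, sorted(clash)))
    return conflicts


def loadable_te(allow_rules, conflicts):
    """Render audit2allow-style .te rules, commenting out any that a neverallow rejects."""
    rejected = {(s, t, c): p for s, t, c, p in conflicts}
    lines = []
    for (src, tgt, cls), perms in sorted(allow_rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if (src, tgt, cls) in rejected:
            rule = f"# rejected by neverallow on {{ {' '.join(rejected[(src, tgt, cls)])} }}: {rule}"
        lines.append(rule)
    return lines


if __name__ == "__main__":
    rules = allow_rules_from_audit(SAMPLE_AUDIT)
    never = parse_neverallow(SAMPLE_NEVERALLOW)
    conflicts = find_conflicts(rules, never, ATTRIBUTES)
    for src, tgt, cls, perms in conflicts:
        print(f"neverallow would reject: allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    print("\n".join(loadable_te(rules, conflicts)))
```

On a live system the constructed attribute map is replaced by a query against the installed policy, for example `sesearch --neverallow -s zabbix_agent_t -t fixed_disk_device_t -c blk_file` from setools, which prints the matching neverallow rules with attributes already resolved. The CIL line names an attribute rather than a type because refpolicy writes this rule as a negated attribute (every domain except those holding fixed_disk_raw_read); a domain that legitimately needs raw disk reads has to be added to that attribute through the storage module's interface (storage_raw_read_fixed_disk), and no `allow` line in a local module can satisfy the neverallow. For a rule such as kernel_t reading shadow_t the same reasoning applies: a neverallow hit is a signal to find the process running in the wrong domain, as the later post in this thread describes, not an access to grant. The libsepol errors in the second problem are a different failure: libsepol rejects a context when one of its components is not defined in the loaded policy or the role is not authorized for the type, so `seinfo -t gcc_config_t` against the active policy is the first thing to check there.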
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Sat Apr 07, 2018 3:55 pm Post subject:
Since I recently got some of these errors again, I googled and found this thread. So I solved the problem with the neverallow rules by identifying the processes which violate these conditions.
The other problems remain unsolved, so far.
Best Regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)