François Valenduc wrote:
Chris PeBenito wrote:
On Sun, 2008-04-20 at 12:12 +0200, François Valenduc wrote:
[EMAIL PROTECTED] wrote:
type=1400 audit(1208682664.167:223): avc: denied { read write } for pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t tclass=file
This is just an error about hwclock being unable to write to "faillog", so there must be something that goes wrong (making hwclock want to write to faillog).
I also got this error:
type=1400 audit(1208679707.497:84): avc: denied { read } for pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
However, I think I solved it by issuing the commands "setsebool -P global_ssp 1" and "load_policy".
This is because you have the hardened toolchain, compiling everything with PIE/SSP by default. SSP wants a random number (picked from /dev/urandom) when the binaries start. SELinux disables access to urandom by default, so you have to (as you did with setsebool) tell SELinux that your system is compiled with SSP and thus the access to urandom should be permitted.
Yes, this has been solved with setsebool. However, I still got the second error (related to faillog). It also blocks distccd like this (even if the corresponding SELinux policy is loaded):
type=1400 audit(1208681304.633:191): avc: denied { read write } for pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:distccd_t tcontext=system_u:object_r:faillog_t tclass=file
Do you know how to solve this second type of error?
Thanks for your help.
Seems weird that either of these programs would be writing to faillog,
since that file is usually for logging login failures. Do you have any
idea why this might be happening on your system?
I also get other denials related to these two programs:
type=1400 audit(1208708112.397:275): avc: denied { read } for pid=1935 comm="distccd" path="pipe:[15699]" dev=pipefs ino=15699 scontext=user_u:system_r:distccd_t tcontext=system_u:system_r:local_login_t tclass=fifo_file
type=1400 audit(1208707984.676:266): avc: denied { read } for pid=16744 comm="hwclock" path="pipe:[15699]" dev=pipefs ino=15699 scontext=user_u:system_r:hwclock_t tcontext=system_u:system_r:local_login_t tclass=fifo_file
Maybe this is the real reason for the failure of these two programs.
François Valenduc
Finally I managed to get hwclock working. I am using LVM and I forgot to install the corresponding policy. I didn't notice that it had not been installed when I ran "emerge --newuse world" (after having switched to the selinux profile). I also managed to get distcc working, but only if I use the "listen" option in "/etc/conf.d/distccd". If I use "allow" instead of "listen" to specify the authorized IP addresses, I get this error:
type=1400 audit(1208706789.868:111): avc: denied { read write } for pid=9304 comm="distccd" name="3" dev=devpts ino=5 scontext=root:system_r:distccd_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
type=1400 audit(1208706789.879:112): avc: denied { ioctl } for pid=9304 comm="distccd" path="/dev/pts/3" dev=devpts ino=5 scontext=root:system_r:distccd_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
Thanks for your help.
François Valenduc
--
gentoo-hardened@lists.gentoo.org mailing list