On Sun, 2008-04-20 at 17:58 +0200, François Valenduc wrote:
> François Valenduc wrote:
> > Chris PeBenito wrote:
> >> On Sun, 2008-04-20 at 12:12 +0200, François Valenduc wrote:
> >>
> >>> [EMAIL PROTECTED] wrote:
> >>>
> >>>>> type=1400 audit(1208682664.167:223): avc: denied { read write } for
> >>>>> pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083
> >>>>> scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t
> >>>>> tclass=file
> >>>>>
> >>>> This is just an error about hwclock being unable to write to
> >>>> "faillog", so there must be something that goes wrong (making hwclock
> >>>> want to write to faillog).
> >>>>
> >>>>> I also got this error:
> >>>>> type=1400 audit(1208679707.497:84): avc: denied { read } for
> >>>>> pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059
> >>>>> scontext=root:system_r:hwclock_t
> >>>>> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> >>>>>
> >>>>> However, I think I solved it by issuing the commands "setsebool -P
> >>>>> global_ssp 1" and "load_policy".
> >>>>>
> >>>> This is because you have the hardened toolchain, compiling everything
> >>>> with PIE/SSP by default. SSP wants a random number (picked from
> >>>> /dev/urandom) when the binaries start. SELinux disables access to
> >>>> urandom per default, so you have to (as you did with setsebool) tell
> >>>> SELinux that your system is compiled with SSP and thus the access to
> >>>> urandom should be permitted.
> >>>>
> >>> Yes, this has been solved with setsebool. However, I still get the
> >>> second error (related to faillog). It also blocks distccd like this
> >>> (even if the corresponding SELinux policy is loaded):
> >>> type=1400 audit(1208681304.633:191): avc: denied { read write }
> >>> for pid=27886 comm="distccd" path="/var/log/faillog" dev=dm-6
> >>> ino=271083 scontext=root:system_r:distccd_t
> >>> tcontext=system_u:object_r:faillog_t tclass=file
> >>>
> >>> Do you know how to solve this second type of error?
> >>> Thanks for your help.
> >>>
> >> Seems weird that either of these programs would be writing to faillog,
> >> since that file is usually for logging login failures. Do you have any
> >> idea why this might be happening on your system?
> >>
> > I also get other denials related to these two programs:
> >
> > type=1400 audit(1208708112.397:275): avc: denied { read } for
> > pid=1935 comm="distccd" path="pipe:[15699]" dev=pipefs ino=15699
> > scontext=user_u:system_r:distccd_t
> > tcontext=system_u:system_r:local_login_t tclass=fifo_file
> >
> > type=1400 audit(1208707984.676:266): avc: denied { read } for
> > pid=16744 comm="hwclock" path="pipe:[15699]" dev=pipefs ino=15699
> > scontext=user_u:system_r:hwclock_t
> > tcontext=system_u:system_r:local_login_t tclass=fifo_file
> >
> > Maybe this is the real reason for the failure of these two programs.
> >
> > François Valenduc
>
> Finally I managed to get hwclock working. I am using LVM and I forgot to
> install the corresponding policy. I didn't notice that it had not been
> installed when I ran "emerge --newuse world" (after having switched to
> the selinux profile). I also managed to get distcc working, but only if I
> use the "listen" option in "/etc/conf.d/distccd". If I use "allow"
> instead of "listen" to specify the authorized IP addresses, I get this
> error:
>
> type=1400 audit(1208706789.868:111): avc: denied { read write } for
> pid=9304 comm="distccd" name="3" dev=devpts ino=5
> scontext=root:system_r:distccd_t tcontext=root:object_r:sshd_devpts_t
> tclass=chr_file
> type=1400 audit(1208706789.879:112): avc: denied { ioctl } for
> pid=9304 comm="distccd" path="/dev/pts/3" dev=devpts ino=5
> scontext=root:system_r:distccd_t tcontext=root:object_r:sshd_devpts_t
> tclass=chr_file

Can you paste the output of `sestatus -v`?

-- 
Chris PeBenito <[EMAIL PROTECTED]>
Developer, Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
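Added example, not part of the thread above and not Gentoo or refpolicy code: a small Python triage script for AVC records of the kind quoted in this thread. It parses the `type=1400 ... avc: denied { perms } for key=value ...` format into fields, splits the source and target contexts into user/role/type, prints the `allow` rule that `audit2allow` would derive for an ordinary denial, and flags denials whose target is a pty, a pipe or an object carrying a process label (role other than `object_r`) as candidates for an inherited descriptor rather than something the daemon opened itself. The sample records are the ones quoted in the thread; the inherited-descriptor heuristic and all function names are my own assumptions, and the generated `allow` lines are shown for comparison, not as rules to load.

```python
import re
import sys

# Sample AVC records copied from the thread above (hwclock/distccd denials).
SAMPLE_AVC = """\
type=1400 audit(1208682664.167:223): avc: denied { read write } for pid=29607 comm="hwclock" path="/var/log/faillog" dev=dm-6 ino=271083 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:faillog_t tclass=file
type=1400 audit(1208679707.497:84): avc: denied { read } for pid=18454 comm="hwclock" path="/dev/urandom" dev=tmpfs ino=2059 scontext=root:system_r:hwclock_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=1400 audit(1208708112.397:275): avc: denied { read } for pid=1935 comm="distccd" path="pipe:[15699]" dev=pipefs ino=15699 scontext=user_u:system_r:distccd_t tcontext=system_u:system_r:local_login_t tclass=fifo_file
type=1400 audit(1208706789.868:111): avc: denied { read write } for pid=9304 comm="distccd" name="3" dev=devpts ino=5 scontext=root:system_r:distccd_t tcontext=root:object_r:sshd_devpts_t tclass=chr_file
"""

# "avc: denied { read write } for <key=value fields...>"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key="quoted value"  or  key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type[:level] into parts; level is None when absent."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, quoted, bare in FIELD_RE.findall(m.group(3)):
        rec[key] = bare if bare else quoted
    rec["source"] = split_context(rec["scontext"])
    rec["target"] = split_context(rec["tcontext"])
    return rec


def looks_like_inherited_fd(rec):
    """Heuristic (assumption, not policy knowledge): the object is a pty, pipe
    or socket, or it carries a process label (role other than object_r).
    Daemons rarely open such objects themselves; they usually inherit them
    from the shell or login session that started them."""
    if rec["target"]["role"] != "object_r":
        return True
    if rec.get("dev") in ("devpts", "pipefs", "sockfs"):
        return True
    return rec.get("path", "").startswith(("pipe:[", "socket:["))


def allow_rule(rec):
    """The allow rule audit2allow would derive from this denial (comparison only)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["source"]["type"], rec["target"]["type"],
                                   rec["tclass"], perm_str)


def triage(text):
    """Parse every AVC record in text; return (comm, stype, ttype, tclass, verdict)."""
    rows = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if looks_like_inherited_fd(rec):
            verdict = "inherited descriptor? close fds in the caller or dontaudit; do not allow"
        else:
            verdict = allow_rule(rec)
        rows.append((rec.get("comm", "?"), rec["source"]["type"],
                     rec["target"]["type"], rec["tclass"], verdict))
    return rows


if __name__ == "__main__":
    # "python3 avc_triage.py -" reads audit.log lines from stdin; default is the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_AVC
    for row in triage(text):
        print(*row, sep="  ")
```

Run it with `-` on stdin fed from `/var/log/audit/audit.log` (or the kernel log on a system without auditd) to get one line per denial. The faillog denials come out as plain `allow` suggestions because nothing in the record itself marks them as inherited, which is exactly why Chris asks for more context; the pipe and pty denials later in the thread are flagged, since a compile daemon or clock setter has no reason to open the login session's pipe or sshd's pty itself.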