On 20.2.2012 18:22, Sven Vermeulen wrote:
> On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
>> I think that /dev/console has the correct label (on --bind / /mnt/gentoo) -
>>
>> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20 01:34 /mnt/gentoo/dev/console
> Weird, your previous denial logs showed the following:
>
> type=1400 audit(1329556527.347:3): avc: denied { read write } for
> pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
> tclass=chr_file
>
> Either the mislabeling then was already solved, or the /dev on your root
> file system isn't the same as the one that init found back then. Can you
> check if /dev/console has inode 99?
On my root fs /dev/console has inode 260611.
Inode 99 is /etc/init.d/udev, with system_u:object_r:initrc_exec_t.
I tried again to turn off dontaudit (semodule -DB) and reboot, and the errors are
still the same (same place, same inodes, same files):
VFS: Mounted root (ext4 filesystem) readonly on device 8:3.
Freeing unused kernel memory: 416k freed
grsec: mount of proc to /proc by /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: unmount of proc by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0,
parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
grsec: mount of selinuxfs to /selinux by /sbin/init[init:1] uid/euid:0/0
gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
type=1404 audit(1329775199.304:2): enforcing=1 old_enforcing=0
auid=4294967295 ses=4294967295
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 2048 avtab hash slots, 25193 rules.
SELinux: 6 users, 6 roles, 1368 types, 80 bools
SELinux: 81 classes, 25193 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses
genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev sda3, type ext4), uses xattr
type=1403 audit(1329775199.361:3): policy loaded auid=4294967295
ses=4294967295
type=1400 audit(1329775199.365:4): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
type=1400 audit(1329775199.374:5): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
type=1400 audit(1329775199.384:6): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
type=1400 audit(1329775199.393:7): avc: denied { rlimitinh } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.404:8): avc: denied { siginh } for pid=1
comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.415:9): avc: denied { noatsecure } for
pid=1 comm="init" scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:init_t tclass=process
type=1400 audit(1329775199.427:10): avc: denied { getattr } for pid=1
comm="init" name="/" dev="selinuxfs" ino=1
scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t
tclass=filesystem
Is it correct that rootfs is mounted without seclabel?
/proc/mounts:
rootfs / rootfs rw 0 0
/dev/root / ext4 rw,seclabel,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
>> But for now I have one avc denial -- the /etc/init.d/sysctl cannot set
>> kernel parameters, but directly calling sysctl -p can. The avc error is:
>> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
>> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
>> tclass=capability
> Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
> capability for the initrc_t domain:
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
>
> I'll need to check the commit history to see if there was a particular
> reason why it is explicitly not set.
>
> Wkr,
> Sven Vermeulen
>
Maybe allowing it for all init scripts is too strong. It would be better
to allow it only for specialized scripts ... only one, /etc/init.d/sysctl ;-)
--
Thanks
Tomas Dobrovolny
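A parser for the wrapped AVC records in the dmesg quoted in this thread, written as an added example for this page (it is not code from the list, from Gentoo or from refpolicy): it re-joins the wrapped lines, extracts the fields, groups denials the way an allow rule would, and separates the denials that refer to dev="rootfs" from those on the real root file system, which is the distinction Sven's inode question turns on. The sample records are constructed from the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample (not the full log): two records as shown in the thread,
# wrapped across lines the way the mail client wrapped them.
SAMPLE_LOG = """\
type=1400 audit(1329775199.365:4): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
type=1400 audit(1329775199.427:10): avc: denied { getattr } for pid=1
comm="init" name="/" dev="selinuxfs" ino=1
scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t
tclass=filesystem
"""

HEADER = re.compile(r"type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc: +denied +\{ (?P<perms>[^}]*)\} for")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def join_records(text):
    """Re-join wrapped records: each record starts with 'type=' at column 0."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def parse_avc(text):
    """One dict per AVC denial: header fields plus the key=value pairs."""
    out = []
    for rec in join_records(text):
        m = HEADER.match(rec)
        if not m:
            continue  # not an AVC denial (e.g. the 'policy loaded' record)
        d = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
        for key, quoted, bare in KV.findall(rec[m.end():]):
            d[key] = bare if bare else quoted
        out.append(d)
    return out

def summarize(records):
    """Count denials by (source type, target type, class), the shape of an allow rule."""
    return Counter((r["scontext"].split(":")[2], r["tcontext"].split(":")[2],
                    r["tclass"]) for r in records)

def on_initial_rootfs(records):
    """Denials whose object sits on dev="rootfs" (the kernel's initial root, labelled
    via genfs_contexts per the dmesg), so ino= does not refer to the ext4 root fs."""
    return [r for r in records if r.get("dev") == "rootfs" and r["tcontext"].endswith(":root_t")]
```

Running `on_initial_rootfs(parse_avc(dmesg_text))` over the full log in the thread isolates the three /dev/console denials, whose ino=99 must be looked up on rootfs rather than on sda3.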