Bug 146002 - SELinux boot to enforce mode is impossible on new install
Summary: SELinux boot to enforce mode is impossible on new install
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: The Gentoo Linux Hardened Team
Reported: 2006-09-02 07:57 UTC by Láďa Durchánek
Modified: 2006-09-11 16:56 UTC (History)
Attachments
AVC messages from boot (dmesg, 8.44 KB, text/plain)
2006-09-02 08:02 UTC, Láďa Durchánek

Description Láďa Durchánek 2006-09-02 07:57:54 UTC
Sorry for disturbing anyone, but this really seems like a bug to me. Somewhere - maybe in the documentation, maybe somewhere else.
I strictly followed the SELinux conversion HOWTO using the 2006.0 install CD and the 2006.0-i686 stage (to get rid of new versions of glibc and gcc).
I had emerged hardened-sources, compiled and installed them, emerged the policies, loaded them, emerged the patched packages, relabeled the files, set up GRUB, rebooted and relabeled again and finally rebooted.
Then I got a bunch of error messages during boot as everything was denied. So I tried to do all the stuff again, then I updated world with the new USE flags, to have them patched with selinux. But still error messages; after setting enforcing to 1 boot is impossible as init can't do anything.
Comment 1 Láďa Durchánek 2006-09-02 08:02:40 UTC
Created attachment 95739
AVC messages from boot
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2006-09-02 08:24:24 UTC
emerge --info please
Comment 3 Láďa Durchánek 2006-09-02 08:45:42 UTC
Sorry, I forgot. Here we go:
Portage 2.1-r2 (selinux/2005.1/x86/hardened, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-hardened-r11 i686)
=================================================================
System uname: 2.6.16-hardened-r11 i686 Intel(R) Pentium(R) 4 CPU 2.66GHz
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe -msse2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe -msse2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox selinux sfperms strict"
GENTOO_MIRRORS="ftp://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.ynet.sk/pub"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 berkdb crypt dlloader hardened mmx mysql ncurses nptl nptlonly pam php pic python readline selinux sse ssl tcpd unicode x86 zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux userland_GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 4 Láďa Durchánek 2006-09-03 11:31:27 UTC
I made another try inside Virtual PC, with the selinux profile (without hardened), and the result was completely the same. Emerge info if someone is interested in it:

Portage 2.1-r2 (selinux/2005.1/x86, gcc-3.4.4, glibc-2.3.5-r2, 2.6.16-hardened-r11 i686)
=================================================================
System uname: 2.6.16-hardened-r11 i686 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.14
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/gcc-config: 1.3.12-r6
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon64 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-O2 -march=athlon64 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox selinux sfperms strict"
GENTOO_MIRRORS="ftp://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.ynet.sk/pub"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 berkdb crypt mmx mysql ncurses nptl nptlonly pam php python readline selinux sse ssl tcpd unicode x86 zlib elibc_glibc input_devices_keyboard input_devices_mouse kernel_linux userland_GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Chris PeBenito (RETIRED) gentoo-dev 2006-09-03 12:00:26 UTC
looks like you need to boot with udev off and relabel so the static device nodes in /dev are labeled.
Comment 6 Láďa Durchánek 2006-09-03 12:33:10 UTC
Looks like you're right!

No problem with /dev now, only a few messages like this:

audit(1157318656.316:2): avc:  denied  { read } for  pid=729 comm="hotplug" name="passwd" dev=hda3 ino=10486198 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1157318656.320:3): avc:  denied  { getattr } for  pid=729 comm="hotplug" name="passwd" dev=hda3 ino=10486198 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1157318656.380:4): avc:  denied  { ioctl } for  pid=729 comm="hotplug" name="hotplug" dev=hda3 ino=12583273 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:hotplug_exec_t tclass=file
audit(1157318657.388:5): avc:  denied  { getcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
audit(1157318657.392:6): avc:  denied  { setcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
IBM TrackPoint firmware: 0x01, buttons: 0/0
input: TPPS/2 IBM TrackPoint as /class/input/input1
Adding 1952992k swap on /dev/hda2.  Priority:-1 extents:1 across:1952992k
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1157318668.153:7): avc:  denied  { write } for  pid=1326 comm="touch" name="resolv.conf" dev=hda3 ino=10614391 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1157318668.169:8): avc:  denied  { read } for  pid=1328 comm="grep" name="resolv.conf" dev=hda3 ino=10614391 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
eth0: Using EEPROM-set media 100baseTx-FDX.
audit(1157318706.875:9): avc:  denied  { search } for  pid=2048 comm="sshd" name="selinux" dev=hda3 ino=10718488 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:policy_config_t tclass=dir

It seems I have to add this to the policies myself?
Comment 7 Láďa Durchánek 2006-09-09 05:25:51 UTC
Could you please provide me with this last hint? I'll alter my policies if I have to.
Thanks a lot.
Comment 8 Chris PeBenito (RETIRED) gentoo-dev 2006-09-09 07:27:23 UTC
allow init_t self:process { getcap setcap };
allow initrc_t net_conf_t:file { read write };
allow kernel_t etc_t:file { getattr read };
allow kernel_t hotplug_exec_t:file ioctl;
dontaudit sshd_t policy_config_t:dir search;
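The rules in comment 8 are exactly what an audit2allow-style pass over the comment 6 denials yields. The following is an added example (not part of this bug and not Gentoo's or the SELinux reference policy's own tooling) that parses the AVC records above, groups denied permissions by source type, target type and object class, and renders allow rules, with caller-chosen keys rendered as dontaudit instead, as was done here for sshd_t searching policy_config_t. The sample input is the comment 6 denials re-joined onto single lines; note that denials caused by unlabeled /dev nodes (comment 5) are fixed by relabeling, not by adding rules.

```python
import re

# Constructed sample: the comment 6 AVC denials re-joined onto single lines, plus one kernel line as noise.
SAMPLE_DMESG = """\
audit(1157318656.316:2): avc:  denied  { read } for  pid=729 comm="hotplug" name="passwd" dev=hda3 ino=10486198 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1157318656.320:3): avc:  denied  { getattr } for  pid=729 comm="hotplug" name="passwd" dev=hda3 ino=10486198 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1157318656.380:4): avc:  denied  { ioctl } for  pid=729 comm="hotplug" name="hotplug" dev=hda3 ino=12583273 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:hotplug_exec_t tclass=file
audit(1157318657.388:5): avc:  denied  { getcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
audit(1157318657.392:6): avc:  denied  { setcap } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
IBM TrackPoint firmware: 0x01, buttons: 0/0
audit(1157318668.153:7): avc:  denied  { write } for  pid=1326 comm="touch" name="resolv.conf" dev=hda3 ino=10614391 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1157318668.169:8): avc:  denied  { read } for  pid=1328 comm="grep" name="resolv.conf" dev=hda3 ino=10614391 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1157318706.875:9): avc:  denied  { search } for  pid=2048 comm="sshd" name="selinux" dev=hda3 ino=10718488 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:policy_config_t tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\w+)'
)

def _type_of(context):
    # Contexts are user:role:type[:mls]; the type is always the third field.
    return context.split(':')[2]

def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, e.g. ordinary kernel output
        src, tgt = _type_of(m.group('scon')), _type_of(m.group('tcon'))
        if tgt == src:
            tgt = 'self'  # policy idiom for a domain acting on itself
        key = (src, tgt, m.group('cls'))
        denials.setdefault(key, set()).update(m.group('perms').split())
    return denials

def to_policy_rules(denials, dontaudit=frozenset()):
    """Render policy rules; keys listed in `dontaudit` are silenced, not allowed."""
    rules = []
    for key in sorted(denials):
        src, tgt, cls = key
        perms = sorted(denials[key])
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        kind = 'dontaudit' if key in dontaudit else 'allow'
        rules.append('%s %s %s:%s %s;' % (kind, src, tgt, cls, perm_str))
    return rules
```

Running `to_policy_rules(collect_denials(SAMPLE_DMESG), {('sshd_t', 'policy_config_t', 'dir')})` reproduces the five rules from comment 8 in the same order.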
Comment 9 Láďa Durchánek 2006-09-09 07:47:27 UTC
Thank you. I think this bug can be closed, but I vote for adding info about udev to the SELinux guide.
Let me know if I can help somehow - I'm stopping my exploration of SELinux for a while, because I have to solve other things first :-( And it's also too complex for me to jump right into it (I've been using Linux on a server for only about a year and a half), so I'll read some books, make a testing environment and do another try :-) Thank you guys for doing a great job with Hardened Gentoo.
Comment 10 Chris PeBenito (RETIRED) gentoo-dev 2006-09-11 16:56:39 UTC
closing