Boot of a current machine using selinux-1.4 profile with current (20030604) giving lots of denied messages on boot:

Jun 25 20:36:00 selinux avc: denied { read write } for pid=1 exe=/sbin/init path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { ioctl } for pid=1 exe=/sbin/init path=/dev/tty0 dev=03:02 ino=701139 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { read write } for pid=14 exe=/bin/bash path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { ioctl } for pid=16 exe=/sbin/consoletype path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { read write } for pid=22 exe=/bin/mount path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { mount } for pid=110 exe=/bin/mount path=/ dev=00:07 ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=filesystem
Jun 25 20:36:00 selinux avc: denied { read write } for pid=154 exe=/sbin/devfsd path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:devfsd_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { write } for pid=154 exe=/sbin/devfsd path=/log dev=00:07 ino=405 scontext=system_u:system_r:devfsd_t tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc: denied { read write } for pid=161 exe=/sbin/swapon path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { read write } for pid=179 exe=/bin/bash path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { ioctl } for pid=197 exe=/bin/mv path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { read write } for pid=204 exe=/sbin/depmod path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:depmod_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { read write } for pid=267 exe=/sbin/insmod path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { write } for pid=272 exe=/sbin/insmod path=/log dev=00:07 ino=405 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc: denied { read } for pid=271 exe=/bin/mount path=/filesystems dev=00:02 ino=4104 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { getattr } for pid=271 exe=/bin/mount path=/filesystems dev=00:02 ino=4104 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { write } for pid=274 exe=/usr/bin/logger path=/log dev=00:07 ino=405 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc: denied { write } for pid=1 exe=/sbin/init path=/log dev=00:07 ino=405 scontext=system_u:system_r:init_t tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc: denied { rename } for pid=718 exe=/sbin/dhcpcd path=/etc/yp.conf dev=03:02 ino=164566 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { write } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc dev=03:02 ino=391283 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 25 20:36:00 selinux avc: denied { add_name } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 25 20:36:00 selinux avc: denied { create } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { write } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache dev=03:02 ino=390914 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { remove_name } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390955 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 25 20:36:00 selinux avc: denied { rename } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390955 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { unlink } for pid=718 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info.old dev=03:02 ino=390915 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 25 20:36:00 selinux avc: denied { read } for pid=729 exe=/bin/mail path=/usr/sbin/sendmail dev=03:02 ino=344650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sendmail_exec_t tclass=lnk_file
Jun 25 20:36:00 selinux avc: denied { read } for pid=729 exe=/usr/sbin/ssmtp path=/etc/resolv.conf dev=03:02 ino=162964 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 25 20:36:00 selinux avc: denied { read } for pid=729 exe=/usr/sbin/ssmtp path=socket:[1742] dev=00:00 ino=1742 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 25 20:36:00 selinux avc: denied { write } for pid=729 exe=/usr/sbin/ssmtp path=socket:[1742] dev=00:00 ino=1742 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 25 20:36:00 selinux avc: denied { getattr } for pid=824 exe=/usr/sbin/syslog-ng path=/log dev=00:07 ino=405 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc: denied { unlink } for pid=824 exe=/usr/sbin/syslog-ng path=/log dev=00:07 ino=405 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc: denied { search } for pid=824 exe=/usr/sbin/syslog-ng dev=00:02 ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=dir
Jun 25 20:36:00 selinux avc: denied { read write } for pid=824 exe=/usr/sbin/syslog-ng path=/kmsg dev=00:02 ino=4113 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Jun 25 20:36:00 selinux avc: denied { append } for pid=824 exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { setattr } for pid=824 exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Jun 25 20:36:07 selinux avc: denied { read } for pid=917 exe=/usr/sbin/xinetd path=/usr/sbin/in.telnetd dev=03:02 ino=344083 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:rlogind_exec_t tclass=lnk_file
Jun 25 20:37:07 selinux avc: denied { getattr } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { read write } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { ioctl } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { setattr } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { relabelfrom } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { relabelto } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { ioctl } for pid=934 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { read write } for pid=936 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { getattr } for pid=937 exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { read write } for pid=938 exe=/bin/bash path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { search } for pid=938 exe=/bin/bash path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc: denied { getattr } for pid=938 exe=/bin/bash path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc: denied { write } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc: denied { add_name } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority-c scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc: denied { create } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority-c scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t tclass=file
Jun 25 20:37:07 selinux avc: denied { link } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority-c dev=03:02 ino=651616 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t tclass=file
Jun 25 20:37:07 selinux avc: denied { write } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t tclass=file
Jun 25 20:37:07 selinux avc: denied { read } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t tclass=file
Jun 25 20:37:07 selinux avc: denied { getattr } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t tclass=file
Jun 25 20:37:07 selinux avc: denied { remove_name } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc: denied { unlink } for pid=938 exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t tclass=file
Jun 25 20:37:07 selinux avc: denied { ioctl } for pid=937 exe=/bin/bash path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc: denied { read } for pid=937 exe=/bin/bash path=/home/kronenpj/.bash_profile dev=03:02 ino=651572 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_t tclass=file
Jun 25 20:37:07 selinux avc: denied { getattr } for pid=937 exe=/bin/bash path=/home/kronenpj/.bash_profile dev=03:02 ino=651572 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_t tclass=file
Jun 25 20:37:07 selinux avc: denied { read } for pid=937 exe=/bin/bash path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc: denied { getattr } for pid=937 exe=/bin/bash path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:12 selinux avc: denied { read write } for pid=944 exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:12 selinux avc: denied { getattr } for pid=944 exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:12 selinux avc: denied { ioctl } for pid=944 exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc: denied { relabelfrom } for pid=944 exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc: denied { relabelto } for pid=944 exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc: denied { read write } for pid=946 exe=/bin/bash path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc: denied { ioctl } for pid=946 exe=/bin/bash path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc: denied { getattr } for pid=946 exe=/bin/bash path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:15 selinux avc: denied { read write } for pid=949 exe=/bin/su path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_su_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:15 selinux avc: denied { ioctl } for pid=949 exe=/bin/su path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_su_t tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Ok, there's so many denials from various things, I'll try to address as many of them as possible. Any file that is file_t is almost certainly not labeled correctly. Since they mostly have to do with /dev, I'll guess that devfs is not mounted at boot by the kernel. The /dev/log denials where it is device_t instead of devlog_t are covered by the quickstart FAQ. You're logging in as staff_r, but your home dir is not labeled properly as staff_home_dir_t/staff_home_t; see file_contexts/staff.fc. We don't have a policy for xinetd in selinux-base-policy, so those aren't addressed here. It doesn't appear that you have devpts mounted, resulting in the /dev/pts/* denials. The /proc/kmsg thing with syslog is fixed in the CVS policy. It looks like you're doing xfree; that requires a policy too, and a patched xdm/gdm/kdm if you're using a graphical login. That doesn't address all of the denials, but it should help in removing some of them, so this list can go down to a more manageable number.
You are correct on every count: DEVFS not mounted at boot, DEVPTS not enabled in kernel. I think these were the big ones. I also think my machine pre-dated the quickstart, which explains why I hadn't done any of these things! :) I put the CVS policy on this morning so that should help. /dev/log was cached and not fixed in /etc/devfsd.conf. The last time I looked staff_t didn't exist so I didn't put anyone in staff.fc. The only thing I'm doing with X is xauth when I log in via SSH. I can cope with that part failing, as long as I can still get in :). I'm guessing that the /dev/pts missing caused the machine to panic and automagically reboot. There's a message saying why but I can't see it, too fast to reset. In permissive mode it's down to 18 denies:

Jun 26 17:38:34 selinux avc: denied { search } for pid=14 exe=/bin/bash path=/bus dev=00:02 ino=4131 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { getattr } for pid=14 exe=/bin/bash path=/bus/usb dev=00:02 ino=4505 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { search } for pid=270 exe=/bin/mount path=/bus dev=00:02 ino=4131 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { mounton } for pid=270 exe=/bin/mount path=/bus/usb dev=00:02 ino=4505 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { write } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc dev=03:02 ino=391283 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { add_name } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { create } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc: denied { write } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache dev=03:02 ino=390914 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc: denied { remove_name } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390915 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 26 17:38:34 selinux avc: denied { rename } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390915 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc: denied { unlink } for pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info.old dev=03:02 ino=390955 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc: denied { read } for pid=718 exe=/bin/mail path=/usr/sbin/sendmail dev=03:02 ino=344650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sendmail_exec_t tclass=lnk_file
Jun 26 17:38:34 selinux avc: denied { read } for pid=718 exe=/usr/sbin/ssmtp path=/etc/resolv.conf dev=03:02 ino=162957 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 26 17:38:34 selinux avc: denied { read } for pid=718 exe=/usr/sbin/ssmtp path=socket:[1596] dev=00:00 ino=1596 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 26 17:38:34 selinux avc: denied { write } for pid=718 exe=/usr/sbin/ssmtp path=socket:[1596] dev=00:00 ino=1596 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 26 17:38:34 selinux avc: denied { append } for pid=813 exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Jun 26 17:38:34 selinux avc: denied { setattr } for pid=813 exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Jun 26 17:38:41 selinux avc: denied { read } for pid=906 exe=/usr/sbin/xinetd path=/usr/sbin/in.telnetd dev=03:02 ino=344083 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:rlogind_exec_t tclass=lnk_file

Context listings for some of the binaries listed above:

selinux root # ls -a --context /bin/bash
-rwxr-xr-x root root system_u:object_r:shell_exec_t /bin/bash
selinux root # ls -a --context /proc/bus
dr-xr-xr-x root root system_u:object_r:proc_hw_t .
dr-xr-xr-x root root system_u:object_r:proc_t ..
dr-xr-xr-x root root system_u:object_r:proc_hw_t pci
dr-xr-xr-x root root system_u:object_r:unlabeled_t usb
selinux root # ls --context /sbin/dhcpcd
-rwxr-xr-x root root system_u:object_r:dhcpc_exec_t /sbin/dhcpcd
selinux root # ls -a --context /etc/dhcpc/
drwxr-xr-x root root system_u:object_r:etc_dhcpc_t .
drwxr-xr-x root root system_u:object_r:etc_t ..
-rw------- root root system_u:object_r:etc_dhcpc_t dhcpcd-eth0.cache
-rw-r--r-- root root system_u:object_r:etc_dhcpc_t dhcpcd-eth0.info
-rw-r--r-- root root system_u:object_r:etc_dhcpc_t dhcpcd-eth0.info.old
selinux root # ls -a --context /bin/mount
-rwsr-xr-x root root system_u:object_r:mount_exec_t /bin/mount
selinux root # ls --context /bin/mail
-rwxr-xr-x root root system_u:object_r:bin_t /bin/mail
selinux root # ls --context /usr/sbin/sendmail
lrwxrwxrwx root root system_u:object_r:sendmail_exec_t /usr/sbin/sendmail
selinux root # ls --context /usr/sbin/ssmtp
-rwxr-xr-x root root system_u:object_r:sbin_t /usr/sbin/ssmtp
selinux root # ls --context /etc/resolv.conf
-rw-r--r-- root root system_u:object_r:resolv_conf_t /etc/resolv.conf
selinux root # ls --context /usr/sbin/syslog-ng
-rwxr-xr-x root root system_u:object_r:syslogd_exec_t /usr/sbin/syslog-ng
selinux root # ls --context /dev/vc/12
crw------- root root system_u:object_r:tty_device_t /dev/vc/12
selinux root # ls --context /usr/sbin/xinetd
-rwxr-xr-x root root system_u:object_r:inetd_exec_t /usr/sbin/xinetd
selinux root # ls --context /usr/sbin/in.telnetd
lrwxrwxrwx root root system_u:object_r:rlogind_exec_t /usr/sbin/in.telnetd

Of course /usr/sbin/sendmail and /usr/sbin/in.telnetd are symbolic links.
It boots in enforcing mode now at least :) Thanks!
Ok, I put up a new cvs snapshot policy, http://cvs.gentoo.org/~pebenito/selinux-base-policy-cvs-20030626.tar.bz2. It should take care of the dhcpcd and /proc/bus/usb issues. The syslog writing to vc/12 can be taken care of by uncommenting a rule in syslogd.te (there is a comment about it, near the top). I also made a file context fix for ssmtp. I don't use any of these, so I can't verify them first :(
Down to 13 total but I'm filtering them to more "interesting" things. Some of the errors may be peculiar to my network. For instance, the dhcp client wants to overwrite /etc/yp.conf and /etc/ntp.conf. I don't care if it succeeds or not so I've removed them. I don't know what to make of these. It doesn't seem to have impeded the system's ability to boot.

Jun 27 14:39:19 selinux avc: denied { mount } for pid=270 exe=/bin/mount path=/ dev=00:0a ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=filesystem
Jun 27 14:39:19 selinux avc: denied { mount } for pid=270 exe=/bin/mount path=/ dev=00:0a ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=filesystem

However, I would like to see ssmtp succeed in its purpose in life. I think a rule to allow it to access /etc/resolv.conf is reasonable. And it should be able to read its stuff (/etc/ssmtp/revaliases). If policy let it search /root, POSIX wouldn't have, so leaving it "broken" is ok with me.

Jun 27 14:39:19 selinux avc: denied { read } for pid=722 exe=/usr/sbin/ssmtp path=/tmp/RscYEGZ0 (deleted) dev=03:02 ino=68666 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
Jun 27 14:39:19 selinux avc: denied { read } for pid=722 exe=/usr/sbin/ssmtp path=/etc/resolv.conf dev=03:02 ino=162960 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 27 14:39:19 selinux avc: denied { ioctl } for pid=722 exe=/usr/sbin/ssmtp path=/etc/ssmtp/revaliases dev=03:02 ino=263185 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:etc_t tclass=file
Jun 27 14:39:19 selinux avc: denied { search } for pid=722 exe=/usr/sbin/ssmtp path=/root dev=03:02 ino=163260 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir

This is strange but doesn't affect what I want to do with the machine. in.telnetd is a link to telnetd in /usr/sbin. It can be *easily* fixed by editing /etc/xinetd.d/telnetd to point to the right binary. I don't think any action is needed by policy unless /usr/sbin/telnetd isn't listed as equivalent to /usr/sbin/in.telnetd.

Jun 27 14:39:27 selinux avc: denied { read } for pid=911 exe=/usr/sbin/xinetd path=/usr/sbin/in.telnetd dev=03:02 ino=344083 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:rlogind_exec_t tclass=lnk_file
And it looks like NTP has a new file to deal with:

Jun 27 15:39:19 selinux avc: denied { write } for pid=826 exe=/usr/bin/ntpd path=/etc/ntp.drift.TEMP dev=03:02 ino=162964 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file

I have a feeling it's going to want to rename that file over to /etc/ntp.conf after it deletes the original.
Ok, I take care of the mount and ssmtp denials. Since ssmtp is sloppy and searches /root, and this is an ok denial, we use a dontaudit rule:

dontaudit system_mail_t sysadm_home_dir_t:dir search;

It'll still get denied, you just won't get an avc message. There are many sloppy programs that look at /root, so if you look at the policy, you'll see some with a line similar to the above. I'm wondering about ssmtp reading that /tmp file in the initrc_tmp_t type. Ntp will need its own policy. That file that's getting denied will be renamed to ntp.drift, btw. Are you actually running telnet on your system anyway? I removed rlogind.{te,fc} from the main policy because it's so insecure, and it's not in a stage 3 system.
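As an added example (my own code, not from this thread or the Gentoo policy package), a small triage script for the AVC format pasted above: it collapses the denials into unique (source type, target type, class) tuples, flags targets labelled file_t or unlabeled_t as a labeling problem rather than a missing rule (the file_t point from the first reply), and emits candidate allow/dontaudit lines in the policy syntax shown in this reply. The sample lines are copied from this thread; the function and variable names are assumptions of mine.

```python
import re

# Parser for the kernel AVC format shown in this thread (added example; the
# regexes and function names are my own, not part of the policy package):
#   ... avc: denied { read write } for pid=1 exe=/sbin/init path=/dev/console
#       dev=03:02 ino=701644 scontext=u:r:t tcontext=u:r:t tclass=chr_file
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "file system not labeled", not "policy lacks a rule"
MISLABEL_TYPES = {"file_t", "unlabeled_t"}


def type_of(context):
    """Type component of a user:role:type context (whole string if malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """One AVC denial line -> dict, or None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {"perms": tuple(m.group("perms").split()),
            "exe": fields.get("exe"), "path": fields.get("path"),
            "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]), "tclass": fields["tclass"]}


def summarize(lines):
    """Collapse denials into {(stype, ttype, tclass): perms/count/paths/exes}."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        e = summary.setdefault(key, {"perms": set(), "count": 0, "paths": [], "exes": set()})
        e["perms"].update(rec["perms"])
        e["count"] += 1
        if rec["path"] and rec["path"] not in e["paths"]:
            e["paths"].append(rec["path"])
        if rec["exe"]:
            e["exes"].add(rec["exe"])
    for e in summary.values():          # sorted tuples give stable rule text
        e["perms"] = tuple(sorted(e["perms"]))
    return summary


def to_rules(summary, dontaudit=frozenset()):
    """Policy-language lines: a relabel note for file_t/unlabeled_t targets,
    'dontaudit' for tuples the admin deems harmless, 'allow' otherwise."""
    rules = []
    for (stype, ttype, tclass), e in summary.items():
        perms = e["perms"]
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        if ttype in MISLABEL_TYPES:
            rules.append("# relabel needed: %s is %s (%d denials via %s)"
                         % (", ".join(e["paths"]), ttype, e["count"], ", ".join(sorted(e["exes"]))))
            continue
        verb = "dontaudit" if (stype, ttype, tclass) in dontaudit else "allow"
        rules.append("%s %s %s:%s %s;" % (verb, stype, ttype, tclass, perm_str))
    return rules


# Sample input: five lines copied from this thread plus one constructed non-AVC line
SAMPLE = """\
Jun 25 20:36:00 selinux avc: denied { read write } for pid=1 exe=/sbin/init path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc: denied { ioctl } for pid=1 exe=/sbin/init path=/dev/tty0 dev=03:02 ino=701139 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 27 14:39:19 selinux kernel: (constructed non-AVC line, must be skipped)
Jun 27 14:39:19 selinux avc: denied { read } for pid=722 exe=/usr/sbin/ssmtp path=/tmp/RscYEGZ0 (deleted) dev=03:02 ino=68666 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
Jun 27 14:39:19 selinux avc: denied { read } for pid=722 exe=/usr/sbin/ssmtp path=/etc/resolv.conf dev=03:02 ino=162960 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 27 14:39:19 selinux avc: denied { search } for pid=722 exe=/usr/sbin/ssmtp path=/root dev=03:02 ino=163260 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir
"""

if __name__ == "__main__":
    harmless = {("system_mail_t", "sysadm_home_dir_t", "dir")}  # ssmtp poking /root
    for rule in to_rules(summarize(SAMPLE.splitlines()), dontaudit=harmless):
        print(rule)
```

The relabel notes are the ones to act on first: an allow rule on a file_t target would only paper over a file system that was never labelled, which is exactly the devfs situation in the first post.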
What files are in /etc/ssmtp? Does revaliases contain mail aliases? If so, I'll change it to be etc_aliases_t.
set revaliases to etc_aliases_t, should fix that denial.