Bug 23501 - SELinux - Many avc: denied messages on boot.
Summary: SELinux - Many avc: denied messages on boot.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
Reported: 2003-06-25 17:43 UTC by Paul Kronenwetter
Modified: 2003-07-20 10:12 UTC

Description Paul Kronenwetter 2003-06-25 17:43:45 UTC
Booting a current machine using the selinux-1.4 profile with current (20030604) gives lots of denied messages on boot.

Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=1 exe=/sbin/init
path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { ioctl } for  pid=1 exe=/sbin/init
path=/dev/tty0 dev=03:02 ino=701139 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=14 exe=/bin/bash
path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { ioctl } for  pid=16
exe=/sbin/consoletype path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=22 exe=/bin/mount
path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { mount } for  pid=110 exe=/bin/mount
path=/ dev=00:07 ino=1 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:device_t tclass=filesystem
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=154
exe=/sbin/devfsd path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:devfsd_t tcontext=system_u:object_r:file_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=154 exe=/sbin/devfsd
path=/log dev=00:07 ino=405 scontext=system_u:system_r:devfsd_t
tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=161
exe=/sbin/swapon path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=179 exe=/bin/bash
path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { ioctl } for  pid=197 exe=/bin/mv
path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=204
exe=/sbin/depmod path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:depmod_t tcontext=system_u:object_r:file_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=267
exe=/sbin/insmod path=/dev/console dev=03:02 ino=701644
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=272 exe=/sbin/insmod
path=/log dev=00:07 ino=405 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc:  denied  { read } for  pid=271 exe=/bin/mount
path=/filesystems dev=00:02 ino=4104 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:proc_t tclass=file
Jun 25 20:36:00 selinux avc:  denied  { getattr } for  pid=271 exe=/bin/mount
path=/filesystems dev=00:02 ino=4104 scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:proc_t tclass=file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=274 exe=/usr/bin/logger
path=/log dev=00:07 ino=405 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=1 exe=/sbin/init
path=/log dev=00:07 ino=405 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:36:00 selinux avc:  denied  { rename } for  pid=718 exe=/sbin/dhcpcd
path=/etc/yp.conf dev=03:02 ino=164566 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_t tclass=file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=718 exe=/sbin/dhcpcd
path=/etc/dhcpc dev=03:02 ino=391283 scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 25 20:36:00 selinux avc:  denied  { add_name } for  pid=718 exe=/sbin/dhcpcd
path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 25 20:36:00 selinux avc:  denied  { create } for  pid=718 exe=/sbin/dhcpcd
path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=718 exe=/sbin/dhcpcd
path=/etc/dhcpc/dhcpcd-eth0.cache dev=03:02 ino=390914
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t
tclass=file
Jun 25 20:36:00 selinux avc:  denied  { remove_name } for  pid=718
exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390955
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 25 20:36:00 selinux avc:  denied  { rename } for  pid=718 exe=/sbin/dhcpcd
path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390955
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t
tclass=file
Jun 25 20:36:00 selinux avc:  denied  { unlink } for  pid=718 exe=/sbin/dhcpcd
path=/etc/dhcpc/dhcpcd-eth0.info.old dev=03:02 ino=390915
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t
tclass=file
Jun 25 20:36:00 selinux avc:  denied  { read } for  pid=729 exe=/bin/mail
path=/usr/sbin/sendmail dev=03:02 ino=344650 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:sendmail_exec_t tclass=lnk_file
Jun 25 20:36:00 selinux avc:  denied  { read } for  pid=729 exe=/usr/sbin/ssmtp
path=/etc/resolv.conf dev=03:02 ino=162964 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 25 20:36:00 selinux avc:  denied  { read } for  pid=729 exe=/usr/sbin/ssmtp
path=socket:[1742] dev=00:00 ino=1742 scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=729 exe=/usr/sbin/ssmtp
path=socket:[1742] dev=00:00 ino=1742 scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 25 20:36:00 selinux avc:  denied  { getattr } for  pid=824
exe=/usr/sbin/syslog-ng path=/log dev=00:07 ino=405
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t
tclass=sock_file
Jun 25 20:36:00 selinux avc:  denied  { unlink } for  pid=824
exe=/usr/sbin/syslog-ng path=/log dev=00:07 ino=405
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t
tclass=sock_file
Jun 25 20:36:00 selinux avc:  denied  { search } for  pid=824
exe=/usr/sbin/syslog-ng dev=00:02 ino=1 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:proc_t tclass=dir
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=824
exe=/usr/sbin/syslog-ng path=/kmsg dev=00:02 ino=4113
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t
tclass=file
Jun 25 20:36:00 selinux avc:  denied  { append } for  pid=824
exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { setattr } for  pid=824
exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
Jun 25 20:36:07 selinux avc:  denied  { read } for  pid=917 exe=/usr/sbin/xinetd
path=/usr/sbin/in.telnetd dev=03:02 ino=344083
scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:rlogind_exec_t
tclass=lnk_file
Jun 25 20:37:07 selinux avc:  denied  { getattr } for  pid=934
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { read write } for  pid=934
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { ioctl } for  pid=934 exe=/usr/sbin/sshd
path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t
tcontext=system_u:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { setattr } for  pid=934
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { relabelfrom } for  pid=934
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { relabelto } for  pid=934
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { ioctl } for  pid=934 exe=/usr/sbin/sshd
path=/pts/0 dev=00:07 ino=856 scontext=system_u:system_r:sshd_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { read write } for  pid=936
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { getattr } for  pid=937
exe=/usr/sbin/sshd path=/pts/0 dev=00:07 ino=856
scontext=system_u:system_r:sshd_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { read write } for  pid=938 exe=/bin/bash
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:staff_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { search } for  pid=938 exe=/bin/bash
path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc:  denied  { getattr } for  pid=938 exe=/bin/bash
path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc:  denied  { write } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj dev=03:02 ino=654118
scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t
tclass=dir
Jun 25 20:37:07 selinux avc:  denied  { add_name } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority-c
scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t
tclass=dir
Jun 25 20:37:07 selinux avc:  denied  { create } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority-c
scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t
tclass=file
Jun 25 20:37:07 selinux avc:  denied  { link } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority-c dev=03:02 ino=651616
scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t
tclass=file
Jun 25 20:37:07 selinux avc:  denied  { write } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622
scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t
tclass=file
Jun 25 20:37:07 selinux avc:  denied  { read } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622
scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t
tclass=file
Jun 25 20:37:07 selinux avc:  denied  { getattr } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622
scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t
tclass=file
Jun 25 20:37:07 selinux avc:  denied  { remove_name } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622
scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_dir_t
tclass=dir
Jun 25 20:37:07 selinux avc:  denied  { unlink } for  pid=938
exe=/usr/X11R6/bin/xauth path=/home/kronenpj/.Xauthority dev=03:02 ino=651622
scontext=kronenpj:staff_r:staff_t tcontext=kronenpj:object_r:user_home_dir_t
tclass=file
Jun 25 20:37:07 selinux avc:  denied  { ioctl } for  pid=937 exe=/bin/bash
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:staff_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:07 selinux avc:  denied  { read } for  pid=937 exe=/bin/bash
path=/home/kronenpj/.bash_profile dev=03:02 ino=651572
scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_t tclass=file
Jun 25 20:37:07 selinux avc:  denied  { getattr } for  pid=937 exe=/bin/bash
path=/home/kronenpj/.bash_profile dev=03:02 ino=651572
scontext=kronenpj:staff_r:staff_t tcontext=system_u:object_r:user_home_t tclass=file
Jun 25 20:37:07 selinux avc:  denied  { read } for  pid=937 exe=/bin/bash
path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 25 20:37:07 selinux avc:  denied  { getattr } for  pid=937 exe=/bin/bash
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:staff_r:staff_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:12 selinux avc:  denied  { read write } for  pid=944
exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856
scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:12 selinux avc:  denied  { getattr } for  pid=944
exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856
scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:12 selinux avc:  denied  { ioctl } for  pid=944
exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856
scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:14 selinux avc:  denied  { relabelfrom } for  pid=944
exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856
scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:14 selinux avc:  denied  { relabelto } for  pid=944
exe=/usr/bin/newrole path=/pts/0 dev=00:07 ino=856
scontext=kronenpj:staff_r:newrole_t tcontext=kronenpj:object_r:devpts_t
tclass=chr_file
Jun 25 20:37:14 selinux avc:  denied  { read write } for  pid=946 exe=/bin/bash
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc:  denied  { ioctl } for  pid=946 exe=/bin/bash
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:14 selinux avc:  denied  { getattr } for  pid=946 exe=/bin/bash
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:15 selinux avc:  denied  { read write } for  pid=949 exe=/bin/su
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_su_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Jun 25 20:37:15 selinux avc:  denied  { ioctl } for  pid=949 exe=/bin/su
path=/pts/0 dev=00:07 ino=856 scontext=kronenpj:sysadm_r:sysadm_su_t
tcontext=kronenpj:object_r:devpts_t tclass=chr_file
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2003-06-26 11:37:47 UTC
Ok, there are so many denials from various things, I'll try to address as many of them as possible.

Any file that is file_t is almost certainly not labeled correctly.  Since they mostly have to do with /dev, I'll guess that devfs is not mounted at boot by the kernel.

The /dev/log denials, where it is device_t instead of devlog_t, are covered by the quickstart FAQ.

You're logging in as staff_r, but your home dir is not labeled properly as staff_home_dir_t/staff_home_t; see file_contexts/staff.fc.

We don't have a policy for xinetd in selinux-base-policy, so those aren't addressed here.

It doesn't appear that you have devpts mounted, resulting in the /dev/pts/* denials.

The /proc/kmsg thing with syslog is fixed in the CVS policy.

It looks like you're doing xfree; that requires a policy too, and a patched xdm/gdm/kdm if you're using a graphical login.

That doesn't address all of the denials, but it should help in removing some of them, so this list can go down to a more manageable number.
Comment 2 Paul Kronenwetter 2003-06-26 14:54:24 UTC
You are correct on every count: DEVFS not mounted at boot, DEVPTS not enabled in kernel.  I think these were the big ones.  I also think my machine pre-dated the quickstart which explains why I hadn't done any of these things! :)

I put the CVS policy on this morning so that should help.
/dev/log was cached and not fixed in /etc/devfsd.conf.
The last time I looked staff_t didn't exist so I didn't put anyone in staff.fc.

The only thing I'm doing with X is xauth when I log in via SSH.  I can cope with that part failing, as long as I can still get in :).

I'm guessing that the /dev/pts missing caused the machine to panic and automagically reboot.  There's a message saying why but I can't see it, too fast to reset.

In permissive mode it's down to 18 denies:
Jun 26 17:38:34 selinux avc:  denied  { search } for  pid=14 exe=/bin/bash path=/bus dev=00:02 ino=4131 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { getattr } for  pid=14 exe=/bin/bash path=/bus/usb dev=00:02 ino=4505 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { search } for  pid=270 exe=/bin/mount path=/bus dev=00:02 ino=4131 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { mounton } for  pid=270 exe=/bin/mount path=/bus/usb dev=00:02 ino=4505 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { write } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc dev=03:02 ino=391283 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { add_name } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { create } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc:  denied  { write } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.cache dev=03:02 ino=390914 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc:  denied  { remove_name } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390915 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { rename } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info dev=03:02 ino=390915 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc:  denied  { unlink } for  pid=707 exe=/sbin/dhcpcd path=/etc/dhcpc/dhcpcd-eth0.info.old dev=03:02 ino=390955 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_dhcpc_t tclass=file
Jun 26 17:38:34 selinux avc:  denied  { read } for  pid=718 exe=/bin/mail path=/usr/sbin/sendmail dev=03:02 ino=344650 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:sendmail_exec_t tclass=lnk_file
Jun 26 17:38:34 selinux avc:  denied  { read } for  pid=718 exe=/usr/sbin/ssmtp path=/etc/resolv.conf dev=03:02 ino=162957 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 26 17:38:34 selinux avc:  denied  { read } for  pid=718 exe=/usr/sbin/ssmtp path=socket:[1596] dev=00:00 ino=1596 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 26 17:38:34 selinux avc:  denied  { write } for  pid=718 exe=/usr/sbin/ssmtp path=socket:[1596] dev=00:00 ino=1596 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 26 17:38:34 selinux avc:  denied  { append } for  pid=813 exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Jun 26 17:38:34 selinux avc:  denied  { setattr } for  pid=813 exe=/usr/sbin/syslog-ng path=/vc/12 dev=00:07 ino=32 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
Jun 26 17:38:41 selinux avc:  denied  { read } for  pid=906 exe=/usr/sbin/xinetd path=/usr/sbin/in.telnetd dev=03:02 ino=344083 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:rlogind_exec_t tclass=lnk_file

Context listings for some of the binaries listed above:
selinux root # ls -a --context /bin/bash
-rwxr-xr-x  root     root     system_u:object_r:shell_exec_t   /bin/bash
selinux root # ls -a --context /proc/bus
dr-xr-xr-x  root     root     system_u:object_r:proc_hw_t      .
dr-xr-xr-x  root     root     system_u:object_r:proc_t         ..
dr-xr-xr-x  root     root     system_u:object_r:proc_hw_t      pci
dr-xr-xr-x  root     root     system_u:object_r:unlabeled_t    usb
selinux root # ls --context /sbin/dhcpcd 
-rwxr-xr-x  root     root     system_u:object_r:dhcpc_exec_t   /sbin/dhcpcd
selinux root # ls -a --context /etc/dhcpc/
drwxr-xr-x  root     root     system_u:object_r:etc_dhcpc_t    .
drwxr-xr-x  root     root     system_u:object_r:etc_t          ..
-rw-------  root     root     system_u:object_r:etc_dhcpc_t    dhcpcd-eth0.cache
-rw-r--r--  root     root     system_u:object_r:etc_dhcpc_t    dhcpcd-eth0.info
-rw-r--r--  root     root     system_u:object_r:etc_dhcpc_t    dhcpcd-eth0.info.old
selinux root # ls -a --context /bin/mount
-rwsr-xr-x  root     root     system_u:object_r:mount_exec_t   /bin/mount
selinux root # ls --context /bin/mail
-rwxr-xr-x  root     root     system_u:object_r:bin_t          /bin/mail
selinux root # ls --context /usr/sbin/sendmail 
lrwxrwxrwx  root     root     system_u:object_r:sendmail_exec_t /usr/sbin/sendmail
selinux root # ls --context /usr/sbin/ssmtp 
-rwxr-xr-x  root     root     system_u:object_r:sbin_t         /usr/sbin/ssmtp
selinux root # ls --context /etc/resolv.conf
-rw-r--r--  root     root     system_u:object_r:resolv_conf_t  /etc/resolv.conf
selinux root # ls --context /usr/sbin/syslog-ng
-rwxr-xr-x  root     root     system_u:object_r:syslogd_exec_t /usr/sbin/syslog-ng
selinux root # ls --context /dev/vc/12         
crw-------  root     root     system_u:object_r:tty_device_t   /dev/vc/12
selinux root # ls --context /usr/sbin/xinetd
-rwxr-xr-x  root     root     system_u:object_r:inetd_exec_t   /usr/sbin/xinetd
selinux root # ls --context /usr/sbin/in.telnetd
lrwxrwxrwx  root     root     system_u:object_r:rlogind_exec_t /usr/sbin/in.telnetd

Of course /usr/sbin/sendmail and /usr/sbin/in.telnetd are symbolic links.
Comment 3 Paul Kronenwetter 2003-06-26 14:59:55 UTC
It boots in enforcing mode now at least :)
Thanks!
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2003-06-26 16:41:42 UTC
Ok, I put up a new CVS snapshot policy, http://cvs.gentoo.org/~pebenito/selinux-base-policy-cvs-20030626.tar.bz2.  It should take care of the dhcpcd and /proc/bus/usb issues.  The syslog writing to vc/12 can be taken care of by uncommenting a rule in syslogd.te (there is a comment about it, near the top).  I also made a file context fix for ssmtp.  I don't use any of these, so I can't verify them first :(
Comment 5 Paul Kronenwetter 2003-06-27 12:12:30 UTC
Down to 13 total but I'm filtering them to more "interesting" things.  Some of the errors may be peculiar to my network.  For instance, dhcp client wants to overwrite /etc/yp.conf and /etc/ntp.conf.  I don't care if it succeeds or not so I've removed them.

I don't know what to make of these.  It doesn't seem to have impeded the system's ability to boot.
Jun 27 14:39:19 selinux avc:  denied  { mount } for  pid=270 exe=/bin/mount path=/ dev=00:0a ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=filesystem
Jun 27 14:39:19 selinux avc:  denied  { mount } for  pid=270 exe=/bin/mount path=/ dev=00:0a ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=filesystem

However, I would like to see ssmtp succeed in its purpose in life.  I think a rule to allow it to access /etc/resolv.conf is reasonable.  And it should be able to read its stuff (/etc/ssmtp/revaliases).  If policy let it search /root, POSIX wouldn't have, so leaving it "broken" is OK with me.
Jun 27 14:39:19 selinux avc:  denied  { read } for  pid=722 exe=/usr/sbin/ssmtp path=/tmp/RscYEGZ0 (deleted) dev=03:02 ino=68666 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
Jun 27 14:39:19 selinux avc:  denied  { read } for  pid=722 exe=/usr/sbin/ssmtp path=/etc/resolv.conf dev=03:02 ino=162960 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:resolv_conf_t tclass=file
Jun 27 14:39:19 selinux avc:  denied  { ioctl } for  pid=722 exe=/usr/sbin/ssmtp path=/etc/ssmtp/revaliases dev=03:02 ino=263185 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:etc_t tclass=file
Jun 27 14:39:19 selinux avc:  denied  { search } for  pid=722 exe=/usr/sbin/ssmtp path=/root dev=03:02 ino=163260 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir

This is strange but doesn't affect what I want to do with the machine.  in.telnetd is a link to telnetd in /usr/sbin.  It can be *easily* fixed by editing /etc/xinetd.d/telnetd to point to the right binary.  I don't think any action is needed by policy unless /usr/sbin/telnetd isn't listed as equivalent to /usr/sbin/in.telnetd.
Jun 27 14:39:27 selinux avc:  denied  { read } for  pid=911 exe=/usr/sbin/xinetd path=/usr/sbin/in.telnetd dev=03:02 ino=344083 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:rlogind_exec_t tclass=lnk_file

Comment 6 Paul Kronenwetter 2003-06-27 12:46:08 UTC
And it looks like NTP has a new file to deal with:
Jun 27 15:39:19 selinux avc:  denied  { write } for  pid=826 exe=/usr/bin/ntpd path=/etc/ntp.drift.TEMP dev=03:02 ino=162964 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file

I have a feeling it's going to want to rename that file over to /etc/ntp.conf after it deletes the original.
Comment 7 Chris PeBenito (RETIRED) gentoo-dev 2003-06-28 08:45:07 UTC
Ok, I took care of the mount and ssmtp denials.  Since ssmtp is sloppy and searches /root, and this is an OK denial, we use a dontaudit rule.

dontaudit system_mail_t sysadm_home_dir_t:dir search;

It'll still get denied, you just won't get an avc message.  There are many sloppy programs that look at /root, so if you look at the policy, you'll see some with a line similar to the above.  I'm wondering about ssmtp reading that /tmp file in the initrc_tmp_t type.

Ntp will need its own policy.  That file that's getting denied will be renamed to ntp.drift, btw.

Are you actually running telnet on your system anyway?  I removed rlogind.{te,fc} from the main policy because it's so insecure, and it's not in a stage 3 system.
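As an added example (not from the bug report and not Gentoo's policy tooling), the Python below reassembles AVC lines that were wrapped across lines the way the first dump in this bug was, sorts each denial the way Comment 1 does (unlabeled file_t targets, /dev/log carrying device_t, a staff_r login with an unconverted home directory, sloppy searches of /root) and renders the matching allow or dontaudit rule in the form Comment 7 shows. The function names, category labels and the rule-rendering helper are this example's own conventions; the sample lines are copied from the bug.

```python
"""Triage of kernel-2.4-era SELinux AVC denials ('avc:  denied  { perms } for ...').
Added example, not from the bug report or Gentoo's policy tooling: the triage
rules follow Comment 1, the rule rendering follows Comment 7, and the category
names are this example's own."""
import re

# Constructed sample, copied from the bug: the first three messages wrapped
# across lines as the reporter pasted them, the last two on a single line.
SAMPLE_LOG = """\
Jun 25 20:36:00 selinux avc:  denied  { read write } for  pid=1 exe=/sbin/init
path=/dev/console dev=03:02 ino=701644 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:file_t tclass=chr_file
Jun 25 20:36:00 selinux avc:  denied  { write } for  pid=154 exe=/sbin/devfsd
path=/log dev=00:07 ino=405 scontext=system_u:system_r:devfsd_t
tcontext=system_u:object_r:device_t tclass=sock_file
Jun 25 20:37:07 selinux avc:  denied  { search } for  pid=938 exe=/bin/bash
path=/home/kronenpj dev=03:02 ino=654118 scontext=kronenpj:staff_r:staff_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jun 26 17:38:34 selinux avc:  denied  { mounton } for  pid=270 exe=/bin/mount path=/bus/usb dev=00:02 ino=4505 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Jun 27 14:39:19 selinux avc:  denied  { search } for  pid=722 exe=/usr/sbin/ssmtp path=/root dev=03:02 ino=163260 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:sysadm_home_dir_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value pairs; 'path=/tmp/RscYEGZ0 (deleted)' keeps its ' (deleted)' suffix
FIELD_RE = re.compile(r"(\w+)=(\S+(?: \(deleted\))?)")


def reassemble(text):
    """Rejoin messages that syslog or a mailer wrapped across lines: a record
    starts at any line containing 'avc:', other non-empty lines continue it."""
    records = []
    for line in text.splitlines():
        if "avc:" in line:
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Field dict for one denial (None for non-AVC lines).  Contexts are split
    as user:role:type; a fourth MLS field on newer kernels would be ignored."""
    m = AVC_RE.search(record)
    if not m:
        return None
    d = {"perms": tuple(m.group("perms").split())}
    d.update(FIELD_RE.findall(m.group("fields")))
    for side in ("scontext", "tcontext"):
        _user, role, typ = d[side].split(":")[:3]
        d[side + "_role"], d[side + "_type"] = role, typ
    return d


def triage(d):
    """Classify a denial as Comment 1 does: labeling problem, benign noise, or
    a real gap in policy."""
    ttype, tclass, path = d["tcontext_type"], d.get("tclass"), d.get("path", "")
    if ttype in ("file_t", "unlabeled_t"):
        # No usable label at all: filesystem never labeled, or devfs not mounted.
        return "MISLABELED: unlabeled target; relabel the filesystem / check devfs mount"
    if tclass == "sock_file" and ttype == "device_t" and path.endswith("/log"):
        # devfs reports paths relative to its mount point, so /log is /dev/log.
        return "MISLABELED: /dev/log is device_t, should be devlog_t"
    if ttype.startswith("user_home") and d["scontext_role"] == "staff_r":
        return "MISLABELED: staff_r login but home dir is not staff_home_dir_t/staff_home_t"
    if ttype == "sysadm_home_dir_t" and d["perms"] == ("search",):
        # Sloppy program peeking at /root: keep it denied, silence the message.
        return "BENIGN: search of /root, candidate for a dontaudit rule"
    return "POLICY: no allow rule for this access (or no policy for the program)"


def te_rule(d, kind):
    """Render the TE rule matching a denial, e.g.
    'dontaudit system_mail_t sysadm_home_dir_t:dir search;'.  An 'allow' built
    this way is a starting point for review; it may be wider than needed."""
    perms = d["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "%s %s %s:%s %s;" % (kind, d["scontext_type"], d["tcontext_type"],
                                d["tclass"], perm_str)
```

Running `triage` and `te_rule` over `reassemble(SAMPLE_LOG)` reproduces Comment 7's dontaudit line for the ssmtp /root search and flags the three labeling problems Comment 1 points out.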
Comment 8 Chris PeBenito (RETIRED) gentoo-dev 2003-06-28 15:33:13 UTC
What files are in /etc/ssmtp?  Does revaliases contain mail aliases?  If so, I'll change it to be etc_aliases_t.
Comment 9 Chris PeBenito (RETIRED) gentoo-dev 2003-07-20 10:12:29 UTC
Set revaliases to etc_aliases_t; that should fix that denial.