Bug 293742 - sec-policy/selinux-base-policy doesn't handle various base apps
Summary: sec-policy/selinux-base-policy doesn't handle various base apps
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
Importance: High major
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on: 388875
Blocks:
Reported: 2009-11-19 16:17 UTC by Nick Kossifidis
Modified: 2011-12-25 16:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Avc log when using selinux-base-policy-20080525.ebuild (avc.log.20080525, 11.69 KB, text/plain), 2009-11-19 16:21 UTC, Nick Kossifidis
Same when using selinux-base-policy-2.20090814.ebuild (avc.log.20090814, 11.43 KB, text/plain), 2009-11-19 16:21 UTC, Nick Kossifidis

Description Nick Kossifidis 2009-11-19 16:17:51 UTC
I just installed hardened gentoo and switched to selinux hardened profile to play with selinux. I used the server profile (strict) for the kernel (grsec + pax + selinux) and followed the handbook. My system is very minimal and only runs a bridge (with dhcp) for now and ebtables + iptables (it also has openvpn installed but it's disabled). I ran selinux in debug mode (permissive) and got lots of warning messages from avc that it won't allow bash_profile to run, or iptables/ebtables to read the configuration files (already mentioned on #211374), or dhcp to work etc. I enabled the enforce mode and I couldn't use my system!

It seems that something is missing from base-policy, I checked both the default (stable) ebuild and the latest one. All my filesystems are ext3, I relabeled them multiple times (also when switching base-policy ebuilds) using rlpkg -a without success. I'm sorry I can't be more helpful right now but I had to switch to a non selinux kernel so that bridge/ebtables/iptables can work.

Note: I had to disable avc stats in the kernel because I stepped on #292010

Reproducible: Always

Steps to Reproduce:
1. set up a hardened gentoo box with only iptables/ebtables/dhcp and a bridge running
2. switch to an selinux enabled kernel and follow the selinux handbook (switch to selinux hardened profile etc)
3. relabel everything, reboot and check out /var/log/avc.log

Actual Results:  
Too many warnings (denials) related to various packages/apps.
System unusable on enforcing mode

Expected Results:  
No warnings (at least not denials), usable system.

Portage 2.1.6.13 (selinux/2007.0/x86/hardened, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r9-i686-Intel-R-_Pentium-R-_4_CPU_3.20GHz-with-gentoo-1.12.11.1
Timestamp of tree: Tue, 03 Nov 2009 12:45:03 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages loadpolicy parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.cc.uoc.gr/mirrors/linux/gentoo/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="berkdb bzip2 cli cracklib crypt dri hardened iconv mmx modules mudflap ncurses nls nptl openmp pam pcre perl pic pkcs11 pppd python readline reflection selinux session spl sse sse2 ssl tcpd unicode x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Nick Kossifidis 2009-11-19 16:21:08 UTC
Created attachment 210631
Avc log when using selinux-base-policy-20080525.ebuild

Avc log when using selinux-base-policy-20080525.ebuild. It's just after reboot + login.
Comment 2 Nick Kossifidis 2009-11-19 16:21:57 UTC
Created attachment 210632
Same when using selinux-base-policy-2.20090814.ebuild
Comment 3 Maxim Britov 2009-11-20 08:08:55 UTC
I think setsebool -P global_ssp 1 should fix several avc.
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2009-12-16 02:09:03 UTC
Also looks like ebtables needs a policy. I am not familiar with that program, so I need more info in case it might work with an existing policy.
Comment 5 Sven Vermeulen 2011-07-24 10:19:02 UTC
Looks as if ebtables and iptables are quite similar (especially concerning their SELinux policy requirements). Doesn't the following work?

~# semanage fcontext -a -t iptables_exec_t "/sbin/ebtables(.*)?"
~# rlpkg ebtables

This will mark ebtables to run within the iptables_t domain.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-14 15:38:49 UTC
Support of ebtables (and ebtables-restore) is in 20110726, currently available in the hardened-dev overlay
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-29 09:24:41 UTC
In portage tree (~arch)
Comment 8 Nick Kossifidis 2011-09-11 08:34:17 UTC
Sven, here are my tests from 23/Jul. Unfortunately I can't test ebtables since our setup here has changed, but there are a few other changes regarding the base-policy and tools (after all this bug report is not about ebtables only). Please check them out because there was no interest on the list...

1) For start check out /lib/rc/sh/init.sh, in svcdir_restorecon() it
tries to run /usr/sbin/selinuxenabled but in case /usr is on a
different partition it won't work (and rc_svcdir will remain
mis-labeled, resulting extra avc denials) because it gets called
before mount. It seems weird that packages like
sys-apps/policycoreutils, sys-libs/libselinux etc are located under
/usr, after all they are linked with libraries under /lib not /usr/lib
and are system tools, not user-related. In my case I solved this one
by just checking if /sbin/restorecon exists (it's what udev-mount also
does), I don't know if it's the correct solution but it works so far.


2) In order for restorecon to relabel rc_svcdir the following rule is needed
allow setfiles_t initrc_t:dir relabelto;
or else I get this:
avc:  denied  { relabelto } for  pid=979 comm="restorecon" name="/"
dev=tmpfs ino=2054 scontext=system_u:system_r:setfiles_t
tcontext=system_u:object_r:initrc_t tclass=dir


3) Even with the correct labels I still got denials for rc operations
on rc_svcdir:
can't mount tmpfs under rc_svcdir...
avc:  denied  { associate } for  pid=979 comm="restorecon" name="/"
dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem
avc:  denied  { associate } for  pid=13300 comm="rc" name="krunlevel"
scontext=system_u:object_r:initrc_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem

and various other operations under rc_svcdir (removed duplicates)...
avc:  denied  { write } for  pid=980 comm="cp" name="/" dev=tmpfs
ino=2054 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { add_name } for  pid=980 comm="cp" name="depconfig"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { create } for  pid=980 comm="cp" name="depconfig"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=file
avc:  denied  { setattr } for  pid=980 comm="cp" name="depconfig"
dev=tmpfs ino=2066 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=file
avc:  denied  { create } for  pid=960 comm="rc" name="starting"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { remove_name } for  pid=960 comm="rc"
name="rc.stopping" dev=tmpfs ino=42
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { unlink } for  pid=2129 comm="rc" name="local"
dev=tmpfs ino=4514 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=file
avc:  denied  { rmdir } for  pid=1935 comm="rc" name="rc.starting"
dev=tmpfs ino=3842 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { unlink } for  pid=13455 comm="rc" name="local"
dev=tmpfs ino=4077 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=lnk_file

the following rules should fix that:
allow initrc_t tmpfs_t:filesystem associate;
allow initrc_t self:dir { write remove_name create add_name rmdir };
allow initrc_t self:file { create unlink setattr };
allow initrc_t self:lnk_file { create unlink };


4) More rc stuff under /tmp /var/lib /var/log /var/run...
avc:  denied  { setattr } for  pid=1538 comm="chmod" name="/" dev=sda5
ino=2 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { create } for  pid=1550 comm="mkdir" name=".test.1403"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_log_t tclass=dir
avc:  denied  { rmdir } for  pid=1551 comm="rmdir" name=".test.1403"
dev=sda6 ino=210166 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_log_t tclass=dir
avc:  denied  { add_name } for  pid=1556 comm="runscript.sh"
name="unicode" scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lib_t tclass=dir
avc:  denied  { create } for  pid=1556 comm="runscript.sh"
name="unicode" scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lib_t tclass=file
avc:  denied  { write } for  pid=1556 comm="runscript.sh"
name="unicode" dev=sda2 ino=80888 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lib_t tclass=file
avc:  denied  { write } for  pid=1424 comm="rm" name="console"
dev=sda2 ino=80915 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lib_t tclass=dir
avc:  denied  { remove_name } for  pid=1424 comm="rm"
name="default8x16.psfu.gz" dev=sda2 ino=80899
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=dir
avc:  denied  { unlink } for  pid=1424 comm="rm"
name="default8x16.psfu.gz" dev=sda2 ino=80899
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=file
avc:  denied  { create } for  pid=1425 comm="mkdir" name=".test.1418"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:var_run_t tclass=dir
avc:  denied  { unlink } for  pid=1534 comm="rm" name="syslog-ng.ctl"
dev=sda6 ino=80809 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:devlog_t tclass=sock_file

the following rules should be ok:
allow initrc_t tmp_t:dir setattr;
allow initrc_t lib_t:dir { write remove_name add_name };
allow initrc_t lib_t:file { write create unlink };
allow initrc_t var_log_t:dir { create rmdir };
allow initrc_t var_run_t:dir create;
allow initrc_t devlog_t:sock_file unlink;


5) Fuser-related (run by bootmisc and rc-mount.sh), I don't know why
this runs under initrc_t but getattr is not a big deal I guess, I'm
not sure however about the execmod:
avc:  denied  { execmod } for  pid=1433 comm="fuser" path="/bin/fuser"
dev=sda2 ino=185930 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:bin_t tclass=file
avc:  denied  { getattr } for  pid=1492 comm="fuser"
path="socket:[2273]" dev=sockfs ino=2273
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t
tclass=unix_stream_socket
avc:  denied  { getattr } for  pid=1493 comm="fuser"
path="socket:[2274]" dev=sockfs ino=2274
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:udev_t
tclass=netlink_kobject_uevent_socket
avc:  denied  { getattr } for  pid=1526 comm="fuser"
path="/sys/kernel/debug" dev=debugfs ino=1
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:debugfs_t tclass=dir

the following rules hide this but I'm not sure if it's the correct
approach, maybe we should modify bootmisc/rc-mount.sh:
allow initrc_t bin_t:file execmod;
allow initrc_t debugfs_t:dir getattr;
allow initrc_t udev_t:netlink_kobject_uevent_socket getattr;
allow initrc_t udev_t:unix_stream_socket getattr;


6) Udhcp-related (run by udhcpc-hook.sh and net), again I'm not sure
what's the right thing to do here, I think the dhcp client shouldn't run
under initrc_t:
avc:  denied  { create } for  pid=1844 comm="busybox"
scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { ioctl } for  pid=1844 comm="busybox"
path="socket:[33897]" dev=sockfs ino=33897
scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc:  denied  { name_bind } for  pid=1844 comm="busybox" src=68
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
avc:  denied  { node_bind } for  pid=1844 comm="busybox" src=68
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:node_t
tclass=udp_socket

the following rules clean it up
allow initrc_t self:rawip_socket { create ioctl };
allow initrc_t dhcpc_port_t:udp_socket name_bind;
allow initrc_t node_t:udp_socket node_bind;

switching to dhclient instead results in these denials:
avc:  denied  { name_bind } for  pid=1825 comm="dhclient" src=65059
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:port_t
tclass=udp_socket
avc:  denied  { read write } for  pid=1827 comm="ifconfig"
path="socket:[3855]" dev=sockfs ino=3855
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
avc:  denied  { read write } for  pid=1845 comm="hostname"
path="socket:[3767]" dev=sockfs ino=3767
scontext=system_u:system_r:hostname_t
tcontext=system_u:system_r:dhcpc_t tclass=udp_socket

this runs under dhcpc_t so the first one seems ok and ifconfig /
hostname are meant to tweak network settings (instead of initrc_t) so
I stayed with dhclient and here are the rules to hide the above and
get a working dhcp:
allow dhcpc_t port_t:udp_socket name_bind;
allow ifconfig_t dhcpc_t:udp_socket { read write };
allow hostname_t dhcpc_t:udp_socket { read write };


7) Udev-related
avc:  denied  { read } for  pid=1056 comm="udevd" name="30" dev=tmpfs
ino=2727 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
avc:  denied  { unlink } for  pid=1309 comm="udevd" name="30"
dev=tmpfs ino=2727 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
avc:  denied  { open } for  pid=1309 comm="udevd" name="root"
dev=tmpfs ino=2707 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { relabelto } for  pid=1055 comm="udevd" name=".udev"
dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { search } for  pid=1055 comm="udevd" name=".udev"
dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { write } for  pid=1055 comm="udevd" name=".udev"
dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { add_name } for  pid=1055 comm="udevd" name="queue.tmp"
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { remove_name } for  pid=1055 comm="udevd"
name="queue.tmp" dev=tmpfs ino=2231 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { getattr } for  pid=1056 comm="udevd" path="/dev/.udev"
dev=tmpfs ino=2077 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { create } for  pid=1056 comm="udevd" name="data"
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { read } for  pid=1089 comm="udevadm" name=".udev"
dev=tmpfs ino=158 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=dir
avc:  denied  { create } for  pid=1103 comm="udevd" name="4"
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file

these seem ok since they are marked as udev_tbl_t so these rules should be ok
allow udev_t udev_tbl_t:dir { search read create write getattr
relabelto remove_name open add_name };
allow udev_t udev_tbl_t:lnk_file { read create unlink };


8) Cron-related, these come from logrotate.cron and makewhatis
avc:  denied  { read } for  pid=7385 comm="syslog-ng"
path="pipe:[21161]" dev=pipefs ino=21161
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:crond_t tclass=fifo_file
avc:  denied  { use } for  pid=7385 comm="syslog-ng" path="/dev/null"
dev=tmpfs ino=154 scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:logrotate_t tclass=fd
avc:  denied  { create } for  pid=11730 comm="mkdir"
name="whatis.tmp.dir.11727"
scontext=system_u:system_r:system_cronjob_t
tcontext=system_u:object_r:tmp_t tclass=dir
avc:  denied  { rmdir } for  pid=11778 comm="rm"
name="whatis.tmp.dir.11727" dev=sda5 ino=7825
scontext=system_u:system_r:system_cronjob_t
tcontext=system_u:object_r:tmp_t tclass=dir

makewhatis looks ok since it works on tmp_t and it seems ok I think
for syslogd_t to have read access to cron's fifo_file but I'm not sure
for logrotate_t file descriptor, anyway here are the rules for this:
allow system_cronjob_t tmp_t:dir { create rmdir };
allow syslogd_t crond_t:fifo_file read;
allow syslogd_t logrotate_t:fd use;


9) Sendmail-related, these come from sendmail when trying to put mail
on user's home folder
avc:  denied  { append } for  pid=5240 comm="sendmail"
name="dead.letter" dev=sda2 ino=161795
scontext=system_u:system_r:system_mail_t
tcontext=root:object_r:user_home_t tclass=file
avc:  denied  { open } for  pid=5240 comm="sendmail"
name="dead.letter" dev=sda2 ino=161795
scontext=system_u:system_r:system_mail_t
tcontext=root:object_r:user_home_t tclass=file
avc:  denied  { getattr } for  pid=5240 comm="sendmail"
path="/root/dead.letter" dev=sda2 ino=161795
scontext=system_u:system_r:system_mail_t
tcontext=root:object_r:user_home_t tclass=file

I think open getattr and append are ok (no create/write) so these
rules should do it:
allow system_mail_t user_home_t:file { getattr open append };


10) Apache2 tries to open a tcp port to communicate with the client
and this is what happens:
avc:  denied  { name_connect } for  pid=5279 comm="apache2" dest=18083
ipaddr=x.x.x.x scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:port_t tclass=tcp_socket

the following should be ok:
allow httpd_t port_t:tcp_socket name_connect;


11) Finally I get denials similar to this one from syslog:
avc:  denied  { syslog } for  pid=1948 comm="syslog-ng" capability=34
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=capability2

and this rule should fix them:
allow syslogd_t self:capability2 syslog;

but I get an error when I try to load it using semodule -i...


I also got a few more denials related to su and newrole and I'm trying
to figure out if it's my mistake or bad policies, I'll let you know.


Again thanks a lot for your work and if there is anything I can do to
help let me know ;-)
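The denial-to-rule translation done by hand in the comment above is what audit2allow automates. The following is an added example (not code from this bug report, from audit2allow or from the Gentoo policy tooling) that parses denials in the two formats quoted in this bug, aggregates them into allow rules (writing `self` when source and target type coincide), and separates out denials against `file_t`, the type of unlabeled files, which call for a relabel rather than a rule. The sample denials are constructed in the page's format, not taken from the attached logs.

```python
import re
from collections import defaultdict

# Constructed sample denials in the two formats quoted in this bug: the raw
# "avc: denied" records (wrapped over several lines) and the stripped
# "{ perm } comm=..." form. They are illustrative, not the attached logs.
SAMPLE_AVC = """\
avc:  denied  { write } for  pid=980 comm="cp" name="/" dev=tmpfs
ino=2054 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { add_name } for  pid=980 comm="cp" name="depconfig"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:initrc_t tclass=dir
avc:  denied  { associate } for  pid=979 comm="restorecon" name="/"
dev=tmpfs ino=2054 scontext=system_u:object_r:initrc_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem
avc:  denied  { read write } for  pid=1827 comm="ifconfig"
path="socket:[3855]" dev=sockfs ino=3855
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
{ read } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
"""

_PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _join_records(text):
    """Re-join wrapped records: a record starts at 'avc:' or at '{ perm }'."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("avc:", "{")) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def _type_of(context):
    """A context is user:role:type[:range]; the type is the third field."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per denial: perms, comm, name, stype, ttype, tclass."""
    denials = []
    for rec in _join_records(text):
        m = _PERMS_RE.search(rec)
        fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(rec)}
        if not m or any(k not in fields for k in ("scontext", "tcontext", "tclass")):
            continue  # not a complete AVC record (e.g. a truncated line)
        denials.append({
            "perms": set(m.group(1).split()),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", fields.get("path", "?")),
            "stype": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def relabel_candidates(text):
    """Denials against file_t (an unlabeled object) point at a labeling gap:
    the fix is restorecon or a file context entry, not an allow rule."""
    return [(d["comm"], d["name"]) for d in parse_avc(text) if d["ttype"] == "file_t"]


def denials_to_rules(text):
    """Aggregate the remaining denials into allow rules, writing 'self'
    when source and target type coincide, as the rules in this bug do."""
    perms = defaultdict(set)
    for d in parse_avc(text):
        if d["ttype"] == "file_t":
            continue  # reported by relabel_candidates() instead
        perms[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(ps)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for comm, name in relabel_candidates(SAMPLE_AVC):
        print(f"# relabel needed: {comm} hit unlabeled {name}")
    print("\n".join(denials_to_rules(SAMPLE_AVC)))
```

As the later comments in this bug show, a generated rule is only a starting point: a denial against a generic type such as lib_t may mean the directory carries the wrong label, and the right fix is then a file context, not a wider policy.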
Comment 9 Nick Kossifidis 2011-10-10 23:20:46 UTC
O.K. I upgraded/relabeled everything, current base policy is 20110726-r4 and here is what I get per command during boot...

rc

{ write } comm="rc" name="/" dev=tmpfs ino=251 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ add_name } comm="rc" name="krunlevel" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir   
{ create } comm="rc" name="krunlevel" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file   
{ write } comm="rc" name="krunlevel" dev=tmpfs ino=7713 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file 
{ create } comm="rc" name="rc.stopping" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir   
{ lock } comm="rc" path="/lib/rc/init.d/exclusive/local" dev=tmpfs ino=7715 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file 
{ create } comm="rc" name="local" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=lnk_file   
{ remove_name } comm="rc" name="local" dev=tmpfs ino=5615 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ unlink } comm="rc" name="local" dev=tmpfs ino=5615 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=lnk_file 
{ create } comm="rc" name="starting" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir   
{ remove_name } comm="rc" name="rc.stopping" dev=tmpfs ino=207 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ create } comm="rc" name="net.eth0" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=lnk_file   
{ unlink } comm="rc" name="net.eth0" dev=tmpfs ino=5240 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=lnk_file 
{ write } comm="rc" name="daemons" dev=tmpfs ino=202 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ add_name } comm="rc" name="vixie-cron" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir   
{ create } comm="rc" name="vixie-cron" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir   
{ remove_name } comm="rc" name="vixie-cron" dev=tmpfs ino=5645 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ unlink } comm="rc" name="vixie-cron" dev=tmpfs ino=5638 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file 
{ create } comm="rc" name="local" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file 

mount (note I have selinux-automount installed just in case)

{ write } comm="mount" name="/" dev=tmpfs ino=187 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
{ write } comm="mount" name="/" dev=sda3 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:home_root_t tclass=dir
{ write } comm="mount" name="/" dev=sda7 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:usr_t tclass=dir
{ write } comm="mount" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_t tclass=dir
{ mounton } comm="mount" path="/selinux" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:security_t tclass=dir
{ write } comm="mount" name="/" dev=usbfs ino=2689 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:usbfs_t tclass=dir
{ write } comm="mount" name="/" dev=binfmt_misc ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir

cp/mkdir

{ write } comm="cp" name="/" dev=tmpfs ino=187 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
{ add_name } comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
{ create } comm="cp" name="depconfig" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
{ write } comm="cp" name="depconfig" dev=tmpfs ino=193 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
{ setattr } comm="cp" name="depconfig" dev=tmpfs ino=193 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
{ create } comm="mkdir" name=".test.1679" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir

udevd

{ read } comm="udevd" name="31" dev=tmpfs ino=826 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file 
{ unlink } comm="udevd" name="31" dev=tmpfs ino=826 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file 
{ open } comm="udevd" name="root" dev=tmpfs ino=808 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir 

syslog-ng

{ unlink } comm="rm" name="syslog-ng.ctl" dev=sda6 ino=80813 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:devlog_t tclass=sock_file 
{ setcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ getcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ getcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ setcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process  

hostname

{ read write } comm="hostname" path="socket:[4357]" dev=sockfs ino=4357 scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket


This is what audit2allow gives me...

#============= hostname_t ==============
allow hostname_t dhcpc_t:udp_socket { read write };
(same as in previous report)

#============= initrc_t ==============
allow initrc_t devlog_t:sock_file unlink;
allow initrc_t lib_t:dir { write remove_name create add_name };
allow initrc_t lib_t:file { write lock create unlink setattr };
allow initrc_t lib_t:lnk_file { create unlink };
allow initrc_t tmp_t:dir setattr;
allow initrc_t usr_t:file { execute execute_no_trans };
allow initrc_t var_run_t:dir create;

#============= mount_t ==============
allow mount_t binfmt_misc_fs_t:dir write;
allow mount_t home_root_t:dir write;
allow mount_t lib_t:dir write;
allow mount_t security_t:dir mounton;
allow mount_t usbfs_t:dir write;
allow mount_t usr_t:dir write;
allow mount_t var_t:dir write;

#============= syslogd_t ==============
allow syslogd_t self:process { getcap setcap };

#============= udev_t ==============
allow udev_t udev_tbl_t:dir open;
allow udev_t udev_tbl_t:lnk_file { read unlink };

Also when I login via ssh and do su/newrole I get...

{ read } comm="bash" name=".bash_history" dev=sda2 ipaddr=x.x.x.x scontext=staff_u:staff_r:staff_t tcontext=root:object_r:user_home_t tclass=file
{ open } comm="bash" name=".bash_history" dev=sda2 ino=161607 ipaddr=x.x.x.x scontext=staff_u:staff_r:staff_t tcontext=root:object_r:user_home_t
tclass=file
{ dac_read_search } comm="newrole" capability=2 ipaddr=x.x.x.x scontext=staff_u:staff_r:newrole_t tcontext=staff_u:staff_r:newrole_t tclass=capability

audit2allow gives me

#============= staff_t ==============
allow staff_t user_home_t:file { read open };

that's wrong and probably because ssh runs as root and

#============= newrole_t ==============
allow newrole_t self:capability dac_read_search;

that I think is correct

In general the situation has improved a lot, well done :-)
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-11 18:41:37 UTC
Thanks; I'll carefully investigate the various entries and report back
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-13 15:44:53 UTC
Okay, let's start with the "rc" command here. It looks like most of the AVC denials are about working with /lib/rc/init.d. This location should be labeled "initrc_state_t" instead of "lib_t". 

Can you check and see why this isn't the case?

(1.) Does "matchpathcon /lib/rc/init.d" state lib_t or initrc_state_t ?
(2.) How is your mount line for /lib/rc/init.d ?
(3.) What is the return code of /usr/sbin/selinuxenabled? Because it is /lib64/rc/sh/init.sh which restorecon's the content

Second, on the mount trying to write on the mounted directories - do you have quota enabled by any chance?
Comment 12 Nick Kossifidis 2011-10-14 12:46:19 UTC
1) None of those (and I did rlpkg -a + restorecond is running). Note I'm on "strict" policy (permissive mode) and did a world update recently.

astropeleki mick # matchpathcon /lib/rc/init.d/
/lib/rc/init.d	system_u:object_r:initrc_t

2)
LABEL=Root              /               ext3            defaults                0 1

3) astropeleki mick # /usr/sbin/selinuxenabled 
astropeleki mick # echo $?
0

but note that /usr is on a separate partition and during boot it's not available to /lib/rc/sh/init.sh (check 1 on comment#8). Since the update my "fix" is not there, I'll skip /usr/sbin/selinuxenabled check and see if restorecon will do the work.

I have quota support on the kernel but nothing else.
Comment 13 Nick Kossifidis 2011-10-14 13:28:06 UTC
Some more info...

ls -Z /lib/rc/init.d lists all files as lib_t unless I disable the check on svcdir_restorecon() and force restorecon at boot time (then they are listed as initrc_t).

When I do that here is what I get...

{ read } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ create } comm="rc" name="local" scontext=system_u:system_r:initrc_t tclass=lnk_file
{ unlink } comm="rc" name="local" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=lnk_file
{ unlink } comm="rc" name="urandom" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=file
{ create } comm="rc" name="udev-postmount" scontext=system_u:system_r:initrc_t tclass=file
{ write } comm="rc" name="stopping" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
{ remove_name } comm="rc" name="swap" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
{ add_name } comm="rc" name="restorecond" scontext=system_u:system_r:initrc_t tclass=dir
{ rmdir } comm="rc" name="restorecond" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
{ read } comm="init" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="init" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
{ getattr } comm="init" path="/etc/ld.so.cache" dev=sda2 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
{ read } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ write } comm="mount" name="/" dev=tmpfs scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
{ read } comm="restorecon" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="restorecon" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:setfiles_t tcontext=system_u:object_r:file_t tclass=file
{ read } comm="hwclock" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="hwclock" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=file
{ getattr } comm="hwclock" path="/etc/ld.so.cache" dev=sda2 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=file
{ read } comm="udevd" name="31" dev=tmpfs scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
{ unlink } comm="udevd" name="31" dev=tmpfs scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
{ open } comm="udevd" name="root" dev=tmpfs scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
{ write } comm="mount" name="/" dev=sda3 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:home_root_t tclass=dir
{ write } comm="mount" name="/" dev=sda7 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:usr_t tclass=dir
{ write } comm="mount" name="/" dev=sda6 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_t tclass=dir
{ mounton } comm="mount" path="/selinux" dev=selinuxfs scontext=system_u:system_r:mount_t tcontext=system_u:object_r:security_t tclass=dir
{ read write pid=2011 comm="ifconfig" path="socket:[3884]" ino=3884 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_sock$
{ read write pid=2015 comm="hostname" path="socket:[3884]" ino=3884 scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t tclass=udp_sock$
{ read } comm="eend" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="eend" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ write } comm="mount" name="/" dev=usbfs scontext=system_u:system_r:mount_t tcontext=system_u:object_r:usbfs_t tclass=dir
{ write } comm="mount" name="/" dev=binfmt_misc scontext=system_u:system_r:mount_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
{ read } comm="syslog-ng" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="syslog-ng" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
{ getattr } comm="syslog-ng" path="/etc/ld.so.cache" dev=sda2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
{ setcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t
{ read } comm="ntpdate" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="ntpdate" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
{ getattr } comm="ntpdate" path="/etc/ld.so.cache" dev=sda2 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
{ write } comm="rc" name="started" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
{ add_name } comm="rc" name="ntp-client" scontext=system_u:system_r:initrc_t tclass=dir
{ remove_name } comm="rc" name="ntp-client" dev=tmpfs scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_t tclass=dir
{ create } comm="rc" name="restorecond" scontext=system_u:system_r:initrc_t tclass=dir
{ read } comm="udevadm" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="udevadm" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=file
{ getattr } comm="udevadm" path="/etc/ld.so.cache" dev=sda2 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=file


this is what audit2allow gives me...

#============= hostname_t ==============
allow hostname_t dhcpc_t:udp_socket { read write };

#============= hwclock_t ==============
allow hwclock_t file_t:file { read getattr open };

#============= ifconfig_t ==============
allow ifconfig_t dhcpc_t:udp_socket { read write };

#============= init_t ==============
allow init_t file_t:file { read getattr open };

#============= initrc_t ==============
allow initrc_t file_t:file { read open };
allow initrc_t self:dir { write remove_name create add_name };

#============= mount_t ==============
allow mount_t binfmt_misc_fs_t:dir write;
allow mount_t home_root_t:dir write;
allow mount_t lib_t:dir write;
allow mount_t security_t:dir mounton;
allow mount_t usbfs_t:dir write;
allow mount_t usr_t:dir write;
allow mount_t var_t:dir write;

#============= ntpd_t ==============
allow ntpd_t file_t:file { read getattr open };

#============= setfiles_t ==============
allow setfiles_t file_t:file { read open };

#============= syslogd_t ==============
allow syslogd_t file_t:file { read getattr open };
allow syslogd_t self:process setcap;

#============= udev_t ==============
allow udev_t file_t:file { read getattr open };
allow udev_t udev_tbl_t:dir open;
allow udev_t udev_tbl_t:lnk_file { read unlink };
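An added example, not part of this bug report or of Gentoo's policy tooling: a small Python parser that turns AVC denial lines in the shape pasted above into audit2allow-style allow rules, and separately flags denials whose target type is file_t (an unlabeled file), since those call for relabeling rather than an allow rule. The sample lines are constructed for this example; the regex and the rule format are assumptions modelled on the output shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the denials pasted in this bug
# (not copied from a real system). The last line is deliberately truncated,
# like a wrapped terminal paste, to show that unparseable lines are reported.
SAMPLE_AVC = """\
{ read } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ open } comm="rc" name="ld.so.cache" dev=sda2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file
{ write } comm="mount" name="/" dev=tmpfs scontext=system_u:system_r:mount_t tcontext=system_u:object_r:lib_t tclass=dir
{ setcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process
{ read write } comm="ifconfig" path="socket:[3884]" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
{ read write pid=2015 comm="hostname" path="socket:[3884]" scontext=system_u:system_r:hostname_t tcontext=system_u:system_r:dhcpc_t tclass=udp_sock
"""

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

# Target types that mean "nothing labeled this file", not "the policy lacks a rule".
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def type_of(context):
    """Return the type (third field) of a user:role:type[:mls] context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Parse denial lines into (source_type, target_type, tclass, perms) tuples.

    Lines that do not match (wrapped or truncated pastes) are returned in a
    separate list instead of being silently dropped.
    """
    denials, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            skipped.append(line)
            continue
        perms = frozenset(m.group("perms").split())
        denials.append((type_of(m.group("scontext")),
                        type_of(m.group("tcontext")),
                        m.group("tclass"), perms))
    return denials, skipped


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules keyed by source type.

    Permissions for the same (source, target, class) are merged, and the
    target is written as 'self' when source and target types are equal.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = defaultdict(list)
    for src, tgt, cls in sorted(merged):
        perms = sorted(merged[(src, tgt, cls)])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        target = "self" if src == tgt else tgt
        rules[src].append(f"allow {src} {target}:{cls} {perm_str};")
    return dict(rules)


def labeling_suspects(denials):
    """Return (source, target, class) triples whose target is an unlabeled type.

    These should be fixed with restorecon/rlpkg on the file in question, not by
    adding an allow rule that would let every domain touch unlabeled files.
    """
    return sorted({(s, t, c) for s, t, c, _ in denials if t in UNLABELED_TYPES})


def format_report(text):
    """Render the rules, the labeling suspects and any unparsed lines as text."""
    denials, skipped = parse_avc(text)
    out = []
    for src, rules in sorted(allow_rules(denials).items()):
        out.append(f"#============= {src} ==============")
        out.extend(rules)
        out.append("")
    for s, t, c in labeling_suspects(denials):
        out.append(f"# labeling: {s} -> {t}:{c} (relabel the target instead of allowing)")
    for line in skipped:
        out.append(f"# unparsed: {line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(SAMPLE_AVC))
```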
Comment 14 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-19 13:24:48 UTC
That's still incorrect (label initrc_t), the files should be labeled initrc_state_t. What are the first denials you see when you boot which are causing a boot failure?

Perhaps it might be interesting to boot in enforcing mode and look at what is failing. It is often a single cause that is prohibiting all subsequent steps from working correctly.
Comment 15 Nick Kossifidis 2011-10-19 20:29:50 UTC
After emerge -vaeDN world ls -Z was correct on /lib/rc/init.d (initrc_state_t) but after rlpkg -a it switched back to initrc_t (that's if I run restorecon after boot because as I said during boot it doesn't run due to missing selinuxenabled).

Anyway, since this machine is not that "clean", I set up a virtual machine from scratch without separate /usr. This is avc.log on reboot (clean logs and reboot, first 2 lines are just after I issue the reboot command) + scp the log to another machine (with sysadm_r role) with latest policies (sec-policy/selinux-* + selinux tools etc in keywords).

{ getcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ setcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ read write pid=1 comm="init" name="tty0" dev=vda1 ino=242440 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
{ open } comm="init" name="tty0" dev=vda1 ino=242440 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file 
{ ioctl } comm="init" path="/dev/tty0" dev=vda1 ino=242440 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file 
{ read write pid=1022 comm="rc" name="console" dev=vda1 ino=242417 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
{ open } comm="init-early.sh" name="tty" dev=vda1 ino=242652 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file 
{ ioctl } comm="kbd_mode" path="/dev/console" dev=vda1 ino=242417 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file 
{ getattr } comm="rc" path="/dev/console" dev=vda1 ino=242417 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file 
{ read write pid=1032 comm="mount" name="console" dev=vda1 ino=242417 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
{ read } comm="udevd" name="5" dev=tmpfs ino=1917 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file 
{ unlink } comm="udevd" name="5" dev=tmpfs ino=1917 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file 
{ open } comm="udevd" name="root" dev=tmpfs ino=1903 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir 
{ write } comm="mount" name="/" dev=vda2 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:home_root_t tclass=dir 
{ write } comm="mount" name="/" dev=vda4 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_t tclass=dir 
{ write } comm="rm" name="console" dev=vda1 ino=210111 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ remove_name } comm="rm" name="keymap" dev=vda1 ino=210116 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir 
{ unlink } comm="rm" name="keymap" dev=vda1 ino=210116 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file 
{ create } comm="mkdir" name=".test.1388" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir   
{ create } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket    
{ ioctl } comm="busybox" path="socket:[3309]" dev=sockfs ino=3309 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket 
{ create } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket    
{ bind } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket    
{ setopt } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket    
{ write } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket    
{ read } comm="busybox" path="socket:[3320]" dev=sockfs ino=3320 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket 
{ setcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ getcap } comm="syslog-ng" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=process    
{ search } comm="ssh" name="files" dev=vda1 ino=299668 scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:file_context_t tclass=dir 
{ read } comm="ssh" name="file_contexts" dev=vda1 ino=299689 scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:file_context_t tclass=file 
{ open } comm="ssh" name="file_contexts" dev=vda1 ino=299689 scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:file_context_t tclass=file 
{ getattr } comm="ssh" path="/etc/selinux/strict/contexts/files/file_contexts" dev=vda1 ino=299689 scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:file_context_t tclass=file 
{ write } comm="ssh" name="context" dev=selinuxfs ino=5 scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:security_t tclass=file 
{ check_context } comm="ssh" scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:security_t tclass=security    
{ setfscreate } comm="ssh" scontext=root:sysadm_r:ssh_t tcontext=root:sysadm_r:ssh_t tclass=process    


audit2allow gives me


#============= init_t ==============
allow init_t file_t:chr_file { read write ioctl open };

#============= initrc_t ==============
allow initrc_t file_t:chr_file { read write ioctl open getattr };
allow initrc_t lib_t:dir { write remove_name };
allow initrc_t lib_t:file unlink;
allow initrc_t self:packet_socket { write bind create read setopt };
allow initrc_t self:rawip_socket { create ioctl };
allow initrc_t var_run_t:dir create;

#============= mount_t ==============
allow mount_t file_t:chr_file { read write };
allow mount_t home_root_t:dir write;
allow mount_t var_t:dir write;

#============= ssh_t ==============
allow ssh_t file_context_t:dir search;
allow ssh_t file_context_t:file { read getattr open };
allow ssh_t security_t:file write;
allow ssh_t security_t:security check_context;
allow ssh_t self:process setfscreate;

#============= syslogd_t ==============
allow syslogd_t self:process { getcap setcap };

#============= udev_t ==============
allow udev_t udev_tbl_t:dir open;
allow udev_t udev_tbl_t:lnk_file { read unlink };


I tried to switch to enforcing mode but I get a segfault when init starts and nothing happens, I can send you a screenshot if you want.
Comment 16 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-23 11:05:07 UTC
Looks like your /dev isn't properly labeled, which is also why you get a segfault. Make sure that

(1.) udev is built with USE="selinux",
(2.) that your /dev (not the tmpfs one) is properly labeled (using the setfiles commands as outlined in the installation instructions)

As long as you notice "file_t" as context for files in /dev, we need to focus on this.
Comment 17 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-23 17:26:07 UTC
I also notice some messages that get me thinking that you are using an initrd or initramfs. If you are, make sure that it is SELinux-aware (i.e. the init, device manager, ...)
Comment 18 Nick Kossifidis 2011-10-26 14:38:35 UTC
Cool, that helped a lot! I relabeled (non-tmpfs) /dev and /lib again and added the udev fstab line (missed that part); here is what I get now...


avc: denied { write } for pid=1038 comm="mount" name="/" dev=tmpfs ino=1330 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_state_t tclass=dir 
avc: denied { write } for pid=1081 comm="mount" name="/" dev=tmpfs ino=1410 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=dir 
avc: denied { read } for pid=1116 comm="rc" name="utmp" dev=vda1 ino=368247 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file 
avc: denied { open } for pid=1116 comm="rc" name="utmp" dev=vda1 ino=368247 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file 
avc: denied { lock } for pid=1116 comm="rc" path="/var/run/utmp" dev=vda1 ino=368247 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=file 
avc: denied { relabelto } for pid=1116 comm="udevd" name=".udev" dev=tmpfs ino=1420 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir 
avc: denied { write } for pid=1116 comm="udevd" name=".udev" dev=tmpfs ino=1420 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir 
avc: denied { add_name } for pid=1116 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir   
avc: denied { read } for pid=1372 comm="mount" name="mtab" dev=vda1 ino=299053 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file 
avc: denied { open } for pid=1372 comm="mount" name="mtab" dev=vda1 ino=299053 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file 
avc: denied { write } for pid=1372 comm="mount" name="/" dev=vda2 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:home_root_t tclass=dir 
avc: denied { write } for pid=1372 comm="mount" name="mtab" dev=vda1 ino=299053 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file 
avc: denied { add_name } for pid=1372 comm="mount" name="mtab~1372" scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=dir   
avc: denied { create } for pid=1372 comm="mount" name="mtab~1372" scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file   
avc: denied { link } for pid=1372 comm="mount" name="mtab~1372" dev=vda1 ino=299040 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file 
avc: denied { lock } for pid=1372 comm="mount" path="/etc/mtab~" dev=vda1 ino=299040 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file 
avc: denied { remove_name } for pid=1372 comm="mount" name="mtab~1372" dev=vda1 ino=299040 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=dir 
avc: denied { unlink } for pid=1372 comm="mount" name="mtab~1372" dev=vda1 ino=299040 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:mnt_t tclass=file 
avc: denied { getattr } for pid=1806 comm="ssh" path="/lib" dev=vda1 ino=210081 scontext=root:sysadm_r:ssh_t tcontext=system_u:object_r:mnt_t tclass=dir 


audit2allow gives me


#============= initrc_t ==============
allow initrc_t file_t:file { read lock open };

#============= mount_t ==============
allow mount_t device_t:dir write;
allow mount_t home_root_t:dir write;
allow mount_t initrc_state_t:dir write;
allow mount_t mnt_t:dir { remove_name add_name };
allow mount_t mnt_t:file { write link read lock create unlink open };

#============= ssh_t ==============
allow ssh_t mnt_t:dir getattr;

#============= udev_t ==============
allow udev_t udev_tbl_t:dir { write relabelto add_name };
Comment 19 Nick Kossifidis 2011-10-26 14:39:36 UTC
I don't use initramfs, I don't even have module support on the kernel image.
Comment 20 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-26 18:37:05 UTC
I'm going to assume that the mount-write operations are cosmetic and not necessary. The next AVC denial to focus on is the following:

avc: denied { read } for pid=1116 comm="rc" name="utmp" dev=vda1 ino=368247
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
tclass=file 

Can you try and find out what "utmp" file rc is trying to read? I'm guessing /var/run/utmp (which should be initrc_var_run_t). You can find this out by using "find /some/path -xdev -inum 368247" where /some/path is the mount point for /dev/vda1 (I'm guessing /). Or just "ls -i /var/run/utmp" and see if the inode is 368247.

If that's the file, try finding out why it is labeled file_t and if restorecon relabels it towards initrc_var_run_t. If it does, you might want to relabel your entire file system (rlpkg -a -r)?
Comment 21 Nick Kossifidis 2011-10-27 23:55:51 UTC
O.K. I relabeled everything (rlpkg -a -r + setfiles)...

Here is what I get from audit2allow...

#============= init_t ==============
allow init_t mnt_t:dir search;

#============= initrc_t ==============
allow initrc_t lib_t:dir { write add_name };
allow initrc_t lib_t:file { write create };
allow initrc_t self:packet_socket { write bind create setopt };
allow initrc_t self:rawip_socket { create ioctl };

#============= mount_t ==============
allow mount_t binfmt_misc_fs_t:dir write;
allow mount_t device_t:dir write;
allow mount_t fusefs_t:dir write;
allow mount_t home_root_t:dir write;
allow mount_t initrc_state_t:dir write;
allow mount_t var_t:dir write;

#============= syslogd_t ==============
allow syslogd_t self:process { getcap setcap };
allow syslogd_t var_lib_t:file { read getattr unlink open };

#============= udev_t ==============
allow udev_t udev_tbl_t:dir { write getattr relabelto remove_name open add_name };
allow udev_t udev_tbl_t:lnk_file { read create unlink };



1) About init_t it comes from this...

{ search } comm="init" name="dev" dev=vda1 ino=242401 scontext=system_u:system_r:init_t tcontext=system_u:object_r:mnt_t tclass=dir

...on early boot (it's the first message on the log after reboot)

Inode 242401 is the non-tmpfs /dev directory on /dev/vda1 (my root partition).



2) I verified mount_t, inodes point to "." on each partition...

{ write } comm="mount" name="/" dev=tmpfs ino=1365 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:initrc_state_t tclass=dir
{ write } comm="mount" name="/" dev=tmpfs ino=1447 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:device_t tclass=dir
{ write } comm="mount" name="/" dev=fusectl ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:fusefs_t tclass=dir
{ write } comm="mount" name="/" dev=vda2 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:home_root_t tclass=dir
{ write } comm="mount" name="/" dev=vda4 ino=2 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_t tclass=dir
{ write } comm="mount" name="/" dev=binfmt_misc ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir

1365 -> /lib/rc/init.d/
1447 -> /dev
2 -> /var
2 -> /home
...

I don't know if it's cosmetic or not or what it is trying to write there, I'll try and see in enforcing mode if this becomes a problem. The different labels are a result of not labeling the /var, /home etc dirs on / (/dev/vda1). Since we label everything after /var and /home are mounted, the labels are not present on /. I tried setting rootcontext on fstab to var_t, home_root_t etc but it didn't change anything. I'll try and set the labels manually with setfiles and see if these messages disappear...



3) So let's focus on initrc_t stuff...

a) packet_socket and rawip_socket come from busybox...

{ create } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket   
{ ioctl } comm="busybox" path="socket:[3323]" dev=sockfs ino=3323 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
{ create } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket   
{ bind } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket   
{ setopt } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket   
{ write } comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket 

...when trying to get an IP address using Busybox's DHCP

Doesn't look like a labeling issue since contexts match (I'll try to use dhclient again and see if it's ok).

b) lib_t stuff comes when rc tries to do stuff inside /lib/rc...

{ write } comm="rm" name="console" dev=vda1 ino=210111 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
{ add_name } comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir  
{ create } comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file  
{ write } comm="runscript.sh" name="unicode" dev=vda1 ino=210099 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file

unicode is /lib/rc/console/unicode and it's being created on boot from /etc/init.d/termencoding script without being labeled correctly. I checked with matchpathcon and there is no rule for /lib/rc/console/unicode or /console etc, matchpathcon returns lib_t.

Also about /var/run/utmp I don't get any errors from that anymore (and after checking with matchpathcon it's labeled fine) BUT it might happen on /etc/init.d/bootmisc when during start() it calls mkutmp on /var/run/utmp (although I don't see a setattr from chmod etc). It's the only script that touches /var/run/utmp and it doesn't check/relabel /var/run/utmp before that.



4) About syslogd_t, I don't know why it can't getcap/setcap on itself or why this rule is missing but the file it's trying to play with is /var/lib/misc/syslog-ng.persist...

{ read } comm="syslog-ng" name="syslog-ng.persist" dev=vda4 ino=8144 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
{ open } comm="syslog-ng" name="syslog-ng.persist" dev=vda4 ino=8144 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
{ getattr } comm="syslog-ng" path="/var/lib/misc/syslog-ng.persist" dev=vda4 ino=8144 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file
{ unlink } comm="syslog-ng" name="syslog-ng.persist" dev=vda4 ino=8144 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_lib_t tclass=file

...that is labeled var_lib_t instead of syslogd_t and matchpathcon agrees so there is no rule to mark it syslogd_t.



5) Udev denials come from when udev tries to do stuff inside /dev (the tmpfs one) such as creating /dev/root and various links + /dev/.udev*...

{ relabelto } comm="udevd" name=".udev" dev=tmpfs ino=1457 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
{ write } comm="udevd" name=".udev" dev=tmpfs ino=1457 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
{ add_name } comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir  
{ remove_name } comm="udevd" name="queue.tmp" dev=tmpfs ino=1615 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
{ getattr } comm="udevd" path="/dev/.udev" dev=tmpfs ino=1457 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
{ create } comm="udevd" name="4" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file  
{ read } comm="udevd" name="31" dev=tmpfs ino=2532 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
{ unlink } comm="udevd" name="31" dev=tmpfs ino=2532 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file
{ open } comm="udevd" name="root" dev=tmpfs ino=2520 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir

...and I have no idea what to do here.

Thanks a lot for your time and info, they helped a lot ;-)
Comment 22 Nick Kossifidis 2011-10-28 00:41:01 UTC
I mounted /dev/vda1 (my root partition without /dev, /var, /tmp, /home etc mounted on top) on /mnt and relabeled it using setfiles (just in case I did a chroot inside), then to be on the safe side I ran rlpkg -a -r (with everything mounted, outside the chroot).

So I guess I got rid of any problems due to missing labels on /dev/vda1, here is what audit2allow gives me now...

#============= initrc_t ==============
allow initrc_t lib_t:dir add_name;
allow initrc_t lib_t:file { write create };
allow initrc_t self:packet_socket { read create };
allow initrc_t self:rawip_socket { create ioctl };
allow initrc_t tmp_t:dir setattr;
allow initrc_t var_log_t:dir { create rmdir };

#============= mount_t ==============
allow mount_t binfmt_misc_fs_t:dir write;
allow mount_t device_t:dir write;
allow mount_t initrc_state_t:dir write;

#============= syslogd_t ==============
allow syslogd_t self:process { getcap setcap };
allow syslogd_t var_lib_t:file { read getattr unlink open };

#============= udev_t ==============
allow udev_t udev_tbl_t:dir { write getattr relabelto read remove_name create add_name };
allow udev_t udev_tbl_t:lnk_file create;


The init_t thing is gone and mount_t stuff now only reports the virtual partitions (those on tmpfs and binfmt_misc). Seems much better.


allow initrc_t tmp_t:dir setattr;
allow initrc_t var_log_t:dir { create rmdir };

are new and come from these...

{ setattr } comm="chmod" name="/" dev=vda3 ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t tclass=dir
{ create } comm="mkdir" name=".test.1390" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=dir  
{ rmdir } comm="rmdir" name=".test.1390" dev=vda4 ino=16285 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_log_t tclass=dir

...it just creates and deletes a dir on /tmp, probably comes from bootmisc's dir_writeable. Other scripts do the same trick with files to figure out if a dir is writeable: fsck, root, udev-postmount. Btw /dev/vda3 is /tmp, I don't know how it ended up being labeled as var_log_t. Maybe in enforcing mode this will make bootmisc think that a dir is not writeable, I'll check it out...


Sorry for the burst :P
Comment 23 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-29 18:38:09 UTC
It looks indeed as if it comes from the dir_writeable function in bootmisc. The policy doesn't allow initrc_t to change attributes for tmp_t (but as long as your tmp_t has the right privileges to begin with, this shouldn't matter).

However, the use of var_log_t there is for vda4, which I guess is your /var(/log) location. Bootmisc has some activities on that location as well (mainly to dump "dmesg" output in /var/log/dmesg).

I'll open a separate bug on this and have it block this one (so separate the jitter from the data ;-) I'll do the same for the other issues that I can deduce from your denial information.
Comment 24 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-29 18:44:13 UTC
On the udev stuff, which udev version do you use? Mine is 164-r2 and doesn't need to relabel any directory (/dev/.udev) to udev_tbl_t, only the files therein (which is allowed by policy).

If you have a 171-r* one, perhaps that one is trying to relabel the directory as well.
Comment 25 Nick Kossifidis 2011-11-17 20:20:00 UTC
Yup udev version is 171-r2, sorry for the delayed answer... Do you want me to downgrade and see how it goes ?
Comment 26 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-17 20:46:50 UTC
You can, but eventually that version will become stable so I'll test that version anyhow.

Are you running the entire system in ~arch, or just a couple of packages (and if so, which ones)? I'll clone a guest and try to reproduce then.
Comment 27 Nick Kossifidis 2011-11-17 21:14:11 UTC
package.keywords:

sys-apps/portage ~*
app-admin/paxtest

# SELinux
sys-apps/policycoreutils
app-admin/setools
sys-libs/libselinux
sys-apps/util-linux
sys-auth/pambase
sys-apps/sed
sys-apps/coreutils
sys-process/psmisc
sys-apps/sysvinit
sys-process/vixie-cron
sys-apps/shadow
sys-apps/portage
app-admin/syslog-ng
sec-policy/selinux-*
sys-libs/gpm
net-misc/dhcp
net-misc/ntp
net-ftp/vsftpd
app-admin/logrotate
sys-libs/glibc
sys-libs/pam
sys-fs/udev
sys-apps/openrc
sys-apps/busybox
net-misc/openvpn
net-nds/openldap
net-misc/openssh
net-firewall/ipsec-tools
net-dns/bind
www-servers/apache
dev-db/mysql

sys-libs/libsepol ~x86
sys-libs/libsemanage ~x86
app-emulation/qemu-kvm ~x86

package.use:

net-nds/openldap minimal
net-misc/dhcp -server

USE flags:

#System-wide
USE="sse sse2 sse3 mmx unicode cjk nptl -fortran mpi openmp mpi-trheads threads bzip2 lzma bash-completion caps pam X509 fuse
cracklib crypt gzip iconv lm-sensors lzo nls posix usb skey zlib -suid mime ieee1394 acl smp syslog ncurses lvm lvm2 -X"

#Network related
USE="${USE} ipv6 iproute2 ssl gnutls tls curl dhclient"

#Language support
USE="${USE} perl python java php libffi tidy xml"

#Smartcard support
USE="${USE} pkcs11 smartcard pcsc-lite opensc"

#APACHE support
USE="${USE} apache2"

#MYSQL support
USE="${USE} mysql"

#LDAP support
USE="${USE} ldap openldap ldap-sasl sasl"

#SAMBA support
USE="${USE} samba"

#PDF/Latex support
USE="${USE} pdf poppler djvu dvi ttf fontforge latex truetype"

#Image formats
USE="${USE} jpeg jpeg2k png svg tiff exif imagemagick gd"


NOTE: That's what I've used on the server I used to play with (now a desktop :P). I just copied the files to the VM; it doesn't mean I run apache or anything else, it's just the base system with no additional services running...
Comment 28 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-09 20:44:25 UTC
Okay, with udev ~arch I also get the denial (relabelto for .udev directory) but it doesn't fail (the boot process still continues regardless). I'll keep an eye out to see if this is needed somewhere or not.

The { write } on the mountpoint directories can be ignored, I'll have it dontaudited on the next release (not needed).

If busybox provides DHCP client features, we should see if it can run in its own domain (and then allow DHCP). We shouldn't use initrc_t for that then.

Are there any other denials we need to focus on here (lots of comments with lots of text, so I'm kind-of getting lost here ;-)
Comment 29 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-25 16:55:17 UTC
Okay, going to mark this one as fixed. If you still have issues with something, I recommend making a bug report for each issue (not for a set of issues) so that we can better track them. See also http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml