Description Paweł Hajdan, Jr. (RETIRED) 2012-05-08 07:42:14 UTC

I'm getting following AVC denials:

[    6.138101] type=1400 audit(1336469569.137:98): avc:  denied  { rlimitinh } for  pid=1268 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.138116] type=1400 audit(1336469569.137:99): avc:  denied  { siginh } for  pid=1268 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.138186] type=1400 audit(1336469569.137:100): avc:  denied  { noatsecure } for  pid=1268 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.141630] type=1400 audit(1336469569.140:101): avc:  denied  { rlimitinh } for  pid=1269 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.141641] type=1400 audit(1336469569.140:102): avc:  denied  { siginh } for  pid=1269 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.141675] type=1400 audit(1336469569.140:103): avc:  denied  { noatsecure } for  pid=1269 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.166931] type=1400 audit(1336469569.165:104): avc:  denied  { rlimitinh } for  pid=1273 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.166943] type=1400 audit(1336469569.165:105): avc:  denied  { siginh } for  pid=1273 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.167011] type=1400 audit(1336469569.165:106): avc:  denied  { noatsecure } for  pid=1273 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[    6.169661] type=1400 audit(1336469569.168:107): avc:  denied  { rlimitinh } for  pid=1274 comm="modprobe" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:insmod_t tclass=process
[   17.534615] type=1400 audit(1336469581.159:269): avc:  denied  { rlimitinh } for  pid=1976 comm="hostname" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hostname_t tclass=process
[   17.534625] type=1400 audit(1336469581.159:270): avc:  denied  { siginh } for  pid=1976 comm="hostname" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hostname_t tclass=process
[   17.534669] type=1400 audit(1336469581.159:271): avc:  denied  { noatsecure } for  pid=1976 comm="hostname" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:hostname_t tclass=process
[   94.272585] type=1400 audit(1336469657.897:287): avc:  denied  { rlimitinh } for  pid=2065 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process
[   94.272597] type=1400 audit(1336469657.897:288): avc:  denied  { siginh } for  pid=2065 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process
[   94.272646] type=1400 audit(1336469657.897:289): avc:  denied  { noatsecure } for  pid=2065 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process
[   94.306836] type=1400 audit(1336469657.931:291): avc:  denied  { rlimitinh } for  pid=2071 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:chkpwd_t tclass=process
[   94.306846] type=1400 audit(1336469657.931:292): avc:  denied  { siginh } for  pid=2071 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:chkpwd_t tclass=process
[   94.306894] type=1400 audit(1336469657.931:293): avc:  denied  { noatsecure } for  pid=2071 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:chkpwd_t tclass=process
[  322.612648] type=1400 audit(1336469886.237:347): avc:  denied  { rlimitinh } for  pid=2262 comm="gcc-config" scontext=unconfined_u:unconfined_r:portage_t tcontext=unconfined_u:unconfined_r:gcc_config_t tclass=process
[  322.612660] type=1400 audit(1336469886.237:348): avc:  denied  { siginh } for  pid=2262 comm="gcc-config" scontext=unconfined_u:unconfined_r:portage_t tcontext=unconfined_u:unconfined_r:gcc_config_t tclass=process
[  322.612709] type=1400 audit(1336469886.237:349): avc:  denied  { noatsecure } for  pid=2262 comm="gcc-config" scontext=unconfined_u:unconfined_r:portage_t tcontext=unconfined_u:unconfined_r:gcc_config_t tclass=process

Corresponding audit2allow output:

allow dhcpc_t hostname_t:process { siginh rlimitinh noatsecure };
allow getty_t local_login_t:process { siginh rlimitinh noatsecure };
allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow portage_t gcc_config_t:process { siginh rlimitinh noatsecure };
allow udev_t insmod_t:process { siginh rlimitinh noatsecure };

I'm running in enforcing mode, and nothing seems broken by those denials.

# qlist -IvC sec-policy
sec-policy/selinux-base-2.20120215-r7
sec-policy/selinux-base-policy-2.20120215-r7
sec-policy/selinux-consolekit-2.20120215
sec-policy/selinux-dbus-2.20120215
sec-policy/selinux-desktop-2.20110726
sec-policy/selinux-dhcp-2.20120215-r5
sec-policy/selinux-gnupg-2.20101213-r2
sec-policy/selinux-gpg-2.20120215
sec-policy/selinux-java-2.20120215
sec-policy/selinux-mono-2.20120215
sec-policy/selinux-mplayer-2.20120215
sec-policy/selinux-ntp-2.20120215
sec-policy/selinux-policykit-2.20120215
sec-policy/selinux-vmware-2.20120215
sec-policy/selinux-wine-2.20120215
sec-policy/selinux-wm-2.20120215
sec-policy/selinux-xfs-2.20120215
sec-policy/selinux-xserver-2.20120215

Portage 2.1.10.49 (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.14.1-r3, 3.2.2-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.2.2-hardened-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-2.0.3
Timestamp of tree: Fri, 04 May 2012 10:30:01 +0000
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa amd64 berkdb bzip2 cli consolekit cracklib crypt cups cxx dbus dri gdbm gdu gudev hardened iconv icu jpeg justify libkms mmx modules mudflap multilib ncurses nls nptl nptlonly open_perms openmp pam pax_kernel pcre policykit pppd python readline selinux session sse sse2 ssl startup-notification sysfs tcpd thunar udev unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel vesa vmware" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON