Package: selinux-policy-default
Version: 2:2.20110726-11

I'm using smartmontools and the daemon needs to read and write into its lib directory /var/lib/smartmontools. This directory is not labeled, so I get the following denials:

Oct 14 19:29:27 debian kernel: [ 18.444435] type=1400 audit(1350235767.006:11): avc: denied { read } for pid=2386 comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.444456] type=1400 audit(1350235767.006:12): avc: denied { open } for pid=2386 comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.444488] type=1400 audit(1350235767.006:13): avc: denied { getattr } for pid=2386 comm="smartd" path="/var/lib/smartmontools/smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

To avoid this I use the following .fc file:

/var/lib/smartmontools(/.*)?    gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)

and .te file:

type fsdaemon_var_lib_t;
files_type(fsdaemon_var_lib_t)
allow fsdaemon_t var_lib_t:dir search_dir_perms;
manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
When relabeling manually with restorecond I get the following denials:

setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667177] type=1400 audit(1349451350.806:159): avc: denied { write } for pid=5240 comm="restorecon" scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667259] type=1400 audit(1349451350.806:160): avc: denied { nlmsg_relay } for pid=5240 comm="restorecon" scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667336] type=1400 audit(1349451350.806:161): avc: denied { audit_write } for pid=5240 comm="restorecon" capability=29 scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667696] type=1400 audit(1349451350.806:162): avc: denied { read } for pid=5240 comm="restorecon" scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=netlink_audit_socket

While booting I get these denials:

Oct 14 19:29:23 debian kernel: [ 7.465566] type=1400 audit(1350235756.026:3): avc: denied { read write } for pid=581 comm="hostname" name="tty1" dev=devtmpfs ino=1201 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [ 8.116923] type=1400 audit(1350235756.678:4): avc: denied { read write } for pid=647 comm="swapon" name="tty1" dev=devtmpfs ino=1201 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [ 11.908177] type=1400 audit(1350235760.470:5): avc: denied { read write } for pid=1257 comm="swapon" name="tty1" dev=devtmpfs ino=1201 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [ 13.505206] type=1400 audit(1350235762.066:6): avc: denied { read write } for pid=1532 comm="ip" name="tty1" dev=devtmpfs ino=1201 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

I'm not using users in the unconfined context, so my config is:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

root            sysadm     SystemLow  SystemLow-SystemHigh   staff_r sysadm_r system_r
staff_u         user       SystemLow  SystemLow-SystemHigh   staff_r sysadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh   sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh   system_r
unconfined_u    user       SystemLow  SystemLow              unconfined_r
user_u          user       SystemLow  SystemLow              user_r

semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     user_u          SystemLow
systemuser      staff_u         SystemLow-SystemHigh
root            staff_u         SystemLow-SystemHigh
system_u        system_u        SystemLow-SystemHigh

When running with this config, I am not able to su from systemuser to root in enforcing mode because of these denials:

/var/log/syslog:Oct 5 14:41:00 debian kernel: [ 1957.455462] type=1400 audit(1349440860.398:127): avc: denied { search } for pid=3114 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 14:42:48 debian kernel: [ 2065.949967] type=1400 audit(1349440968.892:194): avc: denied { search } for pid=3214 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 15:26:31 debian kernel: [ 4688.219894] type=1400 audit(1349443591.161:240): avc: denied { signal } for pid=3214 comm="su" scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
/var/log/syslog:Oct 5 16:52:50 debian kernel: [ 246.233184] type=1400 audit(1349448770.375:43): avc: denied { search } for pid=2579 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 18:52:58 debian kernel: [ 7454.686219] type=1400 audit(1349455978.827:710): avc: denied { signal } for pid=2579 comm="su" scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
/var/log/syslog:Oct 5 19:27:36 debian kernel: [ 90.957618] type=1400 audit(1349458056.264:13): avc: denied { search } for pid=2587 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:00:45 debian kernel: [ 2080.568903] type=1400 audit(1349460045.873:25): avc: denied { signal } for pid=2588 comm="su" scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
/var/log/syslog:Oct 5 20:02:00 debian kernel: [ 36.429997] type=1400 audit(1349460120.545:11): avc: denied { search } for pid=2593 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:00 debian kernel: [ 36.430069] type=1400 audit(1349460120.545:12): avc: denied { getattr } for pid=2593 comm="su" name="/" dev=dm-0 ino=2 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
/var/log/syslog:Oct 5 20:02:00 debian kernel: [ 36.430369] type=1400 audit(1349460120.545:13): avc: denied { search } for pid=2593 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:05 debian kernel: [ 41.386092] type=1400 audit(1349460125.496:14): avc: denied { search } for pid=2594 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:05 debian kernel: [ 41.386171] type=1400 audit(1349460125.496:15): avc: denied { getattr } for pid=2594 comm="su" name="/" dev=dm-0 ino=2 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
/var/log/syslog:Oct 5 20:02:05 debian kernel: [ 41.386443] type=1400 audit(1349460125.496:16): avc: denied { search } for pid=2594 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:12 debian kernel: [ 47.961754] type=1400 audit(1349460132.076:17): avc: denied { search } for pid=2595 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:12 debian kernel: [ 47.961813] type=1400 audit(1349460132.076:18): avc: denied { getattr } for pid=2595 comm="su" name="/" dev=dm-0 ino=2 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
/var/log/syslog:Oct 5 20:02:12 debian kernel: [ 47.962074] type=1400 audit(1349460132.076:19): avc: denied { search } for pid=2595 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:03:32 debian kernel: [ 128.496202] type=1400 audit(1349460212.611:21): avc: denied { search } for pid=2708 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:14:53 debian kernel: [ 809.008708] type=1400 audit(1349460893.123:166): avc: denied { read } for pid=3075 comm="su" name="shadow" dev=dm-0 ino=132290 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
In particular staff_su_t needs to read /etc/shadow. I use the following to allow su, but maybe it's too permissive:

allow staff_su_t fs_t:filesystem getattr;
allow staff_su_t staff_t:process signal;
allow staff_su_t sysfs_t:dir search_dir_perms;
auth_can_read_shadow_passwords(staff_su_t)
auth_tunable_read_shadow(staff_su_t)

Best regards,
Christian Göttsche

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3~rc2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
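Added example, not part of the bug report and not code from Debian or the reference policy: a small audit2allow-style pass over a few of the AVC lines quoted in the report. It pulls the source type, target type, object class and permission set out of each denial, merges them into candidate allow rules (collapsing identical source and target into `self`), and then flags the two cases the report itself raises: access to the generic var_lib_t type, which is better fixed by labeling the directory with a private type as the .fc/.te fragments above do, and a raw read of shadow_t, which should go through the auth_* interfaces rather than a bare allow. The SAMPLE_AVC lines are copied from the report; the SENSITIVE_TYPES set and the review heuristics are assumptions of this example.

```python
import re
from collections import defaultdict

# Four of the denials quoted in the bug report, embedded so the script
# runs offline. Real input would be `ausearch -m avc` or dmesg output.
SAMPLE_AVC = """\
Oct 14 19:29:27 debian kernel: [ 18.444435] type=1400 audit(1350235767.006:11): avc: denied { read } for pid=2386 comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.444456] type=1400 audit(1350235767.006:12): avc: denied { open } for pid=2386 comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 5 17:35:50 debian kernel: [ 2826.667336] type=1400 audit(1349451350.806:161): avc: denied { audit_write } for pid=5240 comm="restorecon" capability=29 scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
Oct 5 20:14:53 debian kernel: [ 809.008708] type=1400 audit(1349460893.123:166): avc: denied { read } for pid=3075 comm="su" name="shadow" dev=dm-0 ino=132290 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# One AVC record: the permission set in braces, then the two contexts
# and the object class. The MLS range after the type is optional.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Assumption of this example: target types that must never be reached
# through a raw allow rule; the reference policy wraps them in
# interfaces (auth_read_shadow and friends) for a reason.
SENSITIVE_TYPES = {"shadow_t"}


def context_type(ctx):
    """Return the type field of user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return (source_type, target_type, tclass, perms) for each AVC line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or a truncated one)
        perms = frozenset(m.group("perms").split())
        denials.append((context_type(m.group("scontext")),
                        context_type(m.group("tcontext")),
                        m.group("tclass"), perms))
    return denials


def aggregate(denials):
    """Merge permissions of denials that share (source, target, class)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_rule(stype, ttype, tclass, perms):
    """Render one candidate allow rule in policy language syntax."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {body};"


def render_rules(rules):
    return [render_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items())]


def review(rules):
    """Heuristic notes (assumptions of this example) on rules that should
    not be pasted into a .te file as generated."""
    notes = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype in SENSITIVE_TYPES:
            notes.append(f"{stype} -> {ttype}: use a policy interface, not a raw allow")
        if ttype == "var_lib_t" and tclass in {"file", "dir"}:
            notes.append(f"{stype} -> var_lib_t: label the files with a private "
                         f"type (.fc + files_type) instead of opening the generic type")
    return notes


if __name__ == "__main__":
    rules = aggregate(parse_denials(SAMPLE_AVC))
    print("\n".join(render_rules(rules)))
    for note in review(rules):
        print("# review:", note)
```

The capability denial from restorecon renders as `allow setfiles_t self:capability audit_write;`, which is the form the reference policy uses for a domain acting on itself; the fsdaemon_t rule is what audit2allow would emit and exactly what the .fc/.te fragments in the report avoid by introducing fsdaemon_var_lib_t.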