Package: selinux-policy-refpolicy-targeted Version: 0.0.20061018-2 Severity: wishlist
I'm only just wrapping my head around selinux policies, but during boot
I get a whole bunch of avc notices from different daemons like this:
Jan 6 00:13:33 localhost kernel: audit(1168002812.497:4): avc: denied { read } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:13:33 localhost kernel: audit(1168002812.497:5): avc: denied { getattr } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Which seems to me to be because resolvconf makes /etc/resolv.conf a
symlink to /etc/resolvconf/run/resolv.conf where /etc/resolvconf/run
is itself a symlink to /dev/shm/resolvconf.
The correctness of this symlinking aside (I think this is the sort of
thing that /lib/init/rw/ is intended for) this means resolv.conf is
picking up device_t rather than what it's supposed to have
(resolv_conf_t?).
Resolvconf itself generates the following avc notices:
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:25): avc: denied { write } for pid=3437 comm="resolvconf" name="interface" dev=tmpfs ino=6435 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:26): avc: denied { add_name } for pid=3437 comm="resolvconf" name="wlan0_new.3437" scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:27): avc: denied { create } for pid=3437 comm="resolvconf" name="wlan0_new.3437" scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:28): avc: denied { write } for pid=3437 comm="resolvconf" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:29): avc: denied { getattr } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:30): avc: denied { remove_name } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:31): avc: denied { rename } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:32): avc: denied { getattr } for pid=3437 comm="resolvconf" name="enable-updates" dev=tmpfs ino=6436 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.025:33): avc: denied { execute } for pid=3437 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.037:34): avc: denied { execute_no_trans } for pid=3440 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.065:35): avc: denied { execute_no_trans } for pid=3458 comm="libc" name="list-records" dev=hda3 ino=3424259 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.077:36): avc: denied { read } for pid=3460 comm="sed" name="wlan0" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.085:37): avc: denied { append } for pid=3463 comm="libc" name="resolv.conf_new.3456" dev=tmpfs ino=443479 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.097:38): avc: denied { read } for pid=3467 comm="cat" name="resolv.conf" dev=tmpfs ino=6462 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.109:39): avc: denied { unlink } for pid=3468 comm="mv" name="resolv.conf" dev=tmpfs ino=6462 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
(That's wlan0 coming up with dhclient3, for reference)
This leads me to believe that resolvconf probably needs
its own domain (nothing else should be modifying files in
/dev/shm/resolvconf) so that only resolvconf and the things
it calls can modify things in /dev/shm/resolvconf, and things
like dhcpc_t can transition into that domain running resolvconf.
Presumably the files being created should all be resolv_conf_t,
so that things that need to do DNS lookups can read them. Or at
least the resulting resolv.conf should be...
I was going to have a go at writing my own policy for this, but
once I got into having to relabel things and add a domain etc,
I decided I'd better throw this up onto the BTS first.
If there's some kind of policy-writing tutorial I've overlooked,
I'd be interested to know.
-- System Information:
Debian Release: 4.0
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Versions of packages selinux-policy-refpolicy-targeted depends on:
ii libpam-modules 0.79-4 Pluggable Authentication Modules f
ii libselinux1 1.32-3 SELinux shared libraries
ii policycoreutils 1.32-1 SELinux core policy utilities
ii python 2.4.4-2 An interactive high-level object-o
Versions of packages selinux-policy-refpolicy-targeted recommends:
ii checkpolicy 1.32-1 SELinux policy compiler
pn setools <none> (no description available)
-- no debconf information
--
Paul "TBBle" Hampson, [EMAIL PROTECTED]
Shorter .sig for a more eco-friendly paperless office.
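Added example, not part of the bug report: a small Python parser that reads AVC denials like the ones quoted above, collapses them into the allow rules audit2allow would propose, and separately flags regular files labelled device_t, which is the mislabelling the report points at (a file context fix, not an allow rule). The sample records are copied from the report and re-joined onto single lines; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: five AVC records copied from the report, one per line as the kernel emitted them.
SAMPLE_AVC = """\
Jan 6 00:13:33 localhost kernel: audit(1168002812.497:4): avc: denied { read } for pid=2273 comm="syslogd" name="resolv.conf" dev=tmpfs ino=6462 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:25): avc: denied { write } for pid=3437 comm="resolvconf" name="interface" dev=tmpfs ino=6435 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.017:26): avc: denied { add_name } for pid=3437 comm="resolvconf" name="wlan0_new.3437" scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
Jan 6 00:15:13 localhost kernel: audit(1168002913.021:29): avc: denied { getattr } for pid=3439 comm="mv" name="wlan0_new.3437" dev=tmpfs ino=443447 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:object_r:device_t:s0 tclass=file
Jan 6 00:15:13 localhost kernel: audit(1168002913.025:33): avc: denied { execute } for pid=3437 comm="run-parts" name="bind" dev=hda3 ino=2852423 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_avc(text):
    """One dict per denial: perms (set), comm, name, stype, ttype, tclass."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # some other kernel message, skip it
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        # A context is user:role:type:level; TE rules are written against the type.
        records.append({"perms": set(m.group("perms").split()),
                        "comm": f.get("comm", "?"), "name": f.get("name", "?"),
                        "stype": f["scontext"].split(":")[2],
                        "ttype": f["tcontext"].split(":")[2], "tclass": f["tclass"]})
    return records

def allow_rules(records):
    """Collapse denials into the allow rules audit2allow would propose, sorted."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def mislabelled_files(records):
    """Regular files labelled device_t inherited the label of /dev (here /dev/shm):
    the fix is a file context for them, not an allow rule against device_t."""
    return sorted({r["name"] for r in records
                   if r["tclass"] == "file" and r["ttype"] == "device_t"})

if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print("\n".join(allow_rules(recs)), "\nmislabelled:", mislabelled_files(recs))
```

Feeding the whole dmesg from the report through parse_avc shows the same pattern: every dhcpc_t denial on tmpfs is against device_t, which is why granting those rules would only paper over the label problem.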