Dear list,
I am trying to implement the SELinux strict policy on a fresh Gentoo
Hardened system.
Versions:
sec-policy/selinux-base-policy 20070928
Obviously, the SELinux base policy does not even provide rules for those
devices initialized at bootup.
When doing "dmesg | grep avc" I see lots of access denials:
[ 5.227966] type=1400 audit(1238350085.227:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.233747] type=1400 audit(1238350085.233:4): avc: denied { ioctl } for pid=1 comm="init" path="/dev/tty0" dev=sda4 ino=413527 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.308967] type=1400 audit(1238350085.308:5): avc: denied { read write } for pid=806 comm="rc" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.716816] type=1400 audit(1238350085.716:6): avc: denied { read write } for pid=808 comm="consoletype" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.718371] type=1400 audit(1238350085.718:7): avc: denied { search } for pid=808 comm="consoletype" name="dev" dev=sda4 ino=337142 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=dir
[ 5.719875] type=1400 audit(1238350085.719:8): avc: denied { getattr } for pid=808 comm="consoletype" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.720133] type=1400 audit(1238350085.719:9): avc: denied { ioctl } for pid=808 comm="consoletype" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.786111] type=1400 audit(1238350085.785:10): avc: denied { ioctl } for pid=811 comm="stty" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.840322] type=1400 audit(1238350085.840:11): avc: denied { getattr } for pid=806 comm="bash" path="/dev/null" dev=sda4 ino=415908 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.872433] type=1400 audit(1238350085.872:12): avc: denied { read write } for pid=815 comm="dmesg" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:dmesg_t tcontext=root:object_r:file_t tclass=chr_file
[ 5.886838] type=1400 audit(1238350085.886:13): avc: denied { read write } for pid=818 comm="mount" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:mount_t tcontext=root:object_r:file_t tclass=chr_file
1. What am I doing wrong? Does a policy exist for those cases which I did
not install?
2. If not, how can I get rid of these, since I understand that these
denials would prevent my system from booting once audit mode is left?
box ~ # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: strict
Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
Thanks in advance!
Dominik
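As an added example (not part of the post above), the following Python script triages AVC denials of the kind quoted in the post: it groups them by source type, target type and object class, and separately lists every target object whose type is file_t, the type the reference policy gives to files that carry no SELinux label at all. Seeing file_t on /dev/console, /dev/null and the /dev directory itself is therefore a labeling problem on the filesystem, not a gap in the policy's allow rules. The sample lines are copied from the dmesg output in the post; field names follow the audit format shown there.

```python
import re
from collections import defaultdict

# Three denials copied from the dmesg output quoted in the post above.
SAMPLE_AVC = """\
[    5.227966] type=1400 audit(1238350085.227:3): avc: denied { read write } for pid=1 comm="init" path="/dev/console" dev=sda4 ino=426558 scontext=system_u:system_r:init_t tcontext=root:object_r:file_t tclass=chr_file
[    5.718371] type=1400 audit(1238350085.718:7): avc: denied { search } for pid=808 comm="consoletype" name="dev" dev=sda4 ino=337142 scontext=system_u:system_r:consoletype_t tcontext=root:object_r:file_t tclass=dir
[    5.886838] type=1400 audit(1238350085.886:13): avc: denied { read write } for pid=818 comm="mount" name="console" dev=sda4 ino=426558 scontext=system_u:system_r:mount_t tcontext=root:object_r:file_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Type the reference policy assigns to files that carry no SELinux label.
UNLABELED_TYPE = "file_t"


def parse_avc(line):
    """Parse one AVC denial line; return a dict of its fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = frozenset(m.group("perms").split())
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: tuple(sorted(perms)) for key, perms in groups.items()}


def unlabeled_objects(text):
    """Map (dev, ino) -> first path or name seen, for targets typed file_t."""
    seen = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["ttype"] == UNLABELED_TYPE:
            seen.setdefault((rec["dev"], rec["ino"]), rec.get("path") or rec.get("name"))
    return seen


if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE_AVC).items()):
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
    print("objects without a label:", unlabeled_objects(SAMPLE_AVC))
```

Feeding the full "dmesg | grep avc" output to summarize() collapses the repeated console denials into a handful of type triples; if every triple has file_t as its target, relabeling is the fix to try before writing any local policy.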