From: Jonathan
Date: Thu, 4 Feb 2010 05:05:21 +0000
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Selinux on a desktop system (targeted mode)

I'm trying to get SELinux to work on my desktop system, but I cannot get past udev in enforcing mode. I have removed the date, time and type=1400 from all the log lines.

audit(1264997163.292:3): avc: denied { execute_no_trans } for pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
audit(1264997163.317:4): avc: denied { signal } for pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1264997163.929:5): avc: denied { read } for pid=1004 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=373 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
audit(1264997164.072:6): avc: denied { search } for pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1264997164.072:7): avc: denied { read } for pid=1184 comm="lvm" name="cmdline" dev=proc ino=3832 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=file
audit(1264997164.165:8): avc: denied { getattr } for pid=1184 comm="lvm" path="/dev/shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1264997164.165:9): avc: denied { read } for pid=1184 comm="lvm" name="shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1264997164.319:10): avc: denied { read write } for pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
audit(1264997168.627:22): avc: denied { read write } for pid=1365 comm="dmesg" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:tty_device_t tclass=chr_file

As you can see, it's all downhill from the first error. Is this because I'm overriding a profile mask on the multilib USE flag?

I'm running an AMD64 two-core system using Gnome and the Slim login manager. My udev version is 151-r1. I was using the stable version and I was getting the same errors. The profile I am using is Selinux/2007.0/Amd64. My kernel is 2.6.31-gentoo-r10. I used the Gentoo SELinux handbook [1] to set up, well... SELinux; some parts of the handbook are years out of date.

[1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
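A small triage helper for AVC denial lines like the ones quoted above, added here as an example and not part of the original post: it parses each line, groups denials by (source type, target type, object class) the way an allow rule would be keyed, and lists which domains were denied access to processes still labelled initrc_t, which is the usual sign that a domain transition did not happen. The sample lines are copied from the post; the regex also accepts the full "type=AVC msg=audit(...)" prefix the poster stripped.

```python
"""Group SELinux AVC denials for triage (added example, not from the post)."""
import re
from collections import defaultdict

# Constructed sample: four of the denials quoted in the post, with the date,
# time and type=1400 prefix already removed as the poster did.
SAMPLE_AVC = """\
audit(1264997163.292:3): avc: denied { execute_no_trans } for pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
audit(1264997163.317:4): avc: denied { signal } for pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1264997164.072:6): avc: denied { search } for pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1264997164.319:10): avc: denied { read write } for pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
"""

# search() rather than match() so a leading 'type=AVC msg=' prefix is tolerated.
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for '
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": sorted(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Policy rules key on the type component (user:role:type[:level]), so extract it.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Union the denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def denied_against(summary, target="initrc_t"):
    """Source types denied access to objects labelled `target`; processes that are
    still initrc_t usually mean an expected domain transition did not take place."""
    return sorted({s for (s, t, _) in summary if t == target})
```

Each key in the summary is one candidate rule to judge on its merits, which is more useful than blindly feeding the whole log to audit2allow.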