[gentoo-hardened] Selinux on a desktop system (targeted mode)

[gentoo-hardened] Selinux on a desktop system (targeted mode)

[Jonathan]

I'm trying to get Selinux to work on my desktop system, but I can not passed Udev in enforcing mode.
I have removed the date, time and type=1400 from all the log lines.

audit(1264997163.292:3): avc:  denied  { execute_no_trans } for  pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
audit(1264997163.317:4): avc:  denied  { signal } for  pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1264997163.929:5): avc:  denied  { read } for  pid=1004 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=373 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
audit(1264997164.072:6): avc:  denied  { search } for  pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1264997164.072:7): avc:  denied  { read } for  pid=1184 comm="lvm" name="cmdline" dev=proc ino=3832 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=file
audit(1264997164.165:8): avc:  denied  { getattr } for  pid=1184 comm="lvm" path="/dev/shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1264997164.165:9): avc:  denied  { read } for  pid=1184 comm="lvm" name="shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1264997164.319:10): avc:  denied  { read write } for  pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
audit(1264997168.627:22): avc:  denied  { read write } for  pid=1365 comm="dmesg" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:tty_device_t tclass=chr_file

As you can see it's all down hill from the first error. Is this because I'm over riding a profile mask on the multilib use flag?

I'm running a AMD64 two core system using Gnome and the Slim login manager.
My Udev version is 151-r1. I was using the stable version and I was getting the same errors.
The profile I am using is Selinux/2007.0/Amd64.
My kernel is 2.6.31-gentoo-r10.
I used the Gentoo Selinux handbook[1] to setup well... Selinux, some parts of the hand book are years out of date.


[1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

Re: [gentoo-hardened] Selinux on a desktop system (targeted mode)

[Chris Richards]

 From what I've seen, current Selinux policy has a number of 'issues', 
mainly because it is based on a reference policy that is now almost 2 
years old.  If you are willing to wait a bit, I would recommend running 
with Selinux in 'Permissive' mode for the time being.  I am doing a lot 
of testing and working with PeBenito to get the current v2ref policy 
whipped into shape so that we can deploy it on Gentoo.  It will 
necessitate an upgrade process and recompiling some stuff, but in my 
testing so far it seems to be working fairly nicely.

I don't know when PeBenito plans to release the v2ref policy on Gentoo, 
but I've gotten the impression from talking to him that he'd rather it 
be sooner than later, if at all possible (that's just my impression, 
though; I wouldn't presume to speak for him).

Later,
Chris

On 02/03/2010 11:05 PM, Jonathan wrote:
> I'm trying to get Selinux to work on my desktop system, but I can not passed Udev in enforcing mode.
> I have removed the date, time and type=1400 from all the log lines.
>
> audit(1264997163.292:3): avc:  denied  { execute_no_trans } for  pid=1010 comm="udevd" path="/lib64/udev/input_id" dev=sda6 ino=2395672 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
> audit(1264997163.317:4): avc:  denied  { signal } for  pid=1004 comm="udevd" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:initrc_t tclass=process
> audit(1264997163.929:5): avc:  denied  { read } for  pid=1004 comm="udevd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=373 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:anon_inodefs_t tclass=file
> audit(1264997164.072:6): avc:  denied  { search } for  pid=1184 comm="lvm" name="950" dev=proc ino=1979 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=dir
> audit(1264997164.072:7): avc:  denied  { read } for  pid=1184 comm="lvm" name="cmdline" dev=proc ino=3832 scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:initrc_t tclass=file
> audit(1264997164.165:8): avc:  denied  { getattr } for  pid=1184 comm="lvm" path="/dev/shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
> audit(1264997164.165:9): avc:  denied  { read } for  pid=1184 comm="lvm" name="shm" dev=tmpfs ino=1907 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:home_root_t tclass=dir
> audit(1264997164.319:10): avc:  denied  { read write } for  pid=1212 comm="fsck" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
> audit(1264997168.627:22): avc:  denied  { read write } for  pid=1365 comm="dmesg" name="tty1" dev=tmpfs ino=1887 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
>
> As you can see it's all down hill from the first error. Is this because I'm over riding a profile mask on the multilib use flag?
>
> I'm running a AMD64 two core system using Gnome and the Slim login manager.
> My Udev version is 151-r1. I was using the stable version and I was getting the same errors.
> The profile I am using is Selinux/2007.0/Amd64.
> My kernel is 2.6.31-gentoo-r10.
> I used the Gentoo Selinux handbook[1] to setup well... Selinux, some parts of the hand book are years out of date.
>
>
> [1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
>
>
>