On Fri, Sep 25, 2009 at 03:35:52PM +0000, tarnait wrote:
Hi,
I'm new to SElinux and I'm a bit careful with it, so up till now I want to run it
in permissive mode. After reading a lot's of docs I fixed most of my problems, but
there are still some errors in audit.log. Now I would like to ask you to review this
errors and give me feedback if this rules are safe to add to my policy or not. In summary
is my understanding correct that:
O auditctl, ifconfig, iptables-restor, dmesg and pppd try to write to the console,
O pppd searches something in the root home directory ??!,
O and iptables writes to a socket?
if I would add this policy to the module wouldn't it be too much (e.g. could for
example pppd access all my files?)
Thanks for the answers,
Kind Regards, Tibor
type=AVC msg=audit(1253870573.883:13): avc: denied { read write } for pid=877
comm="auditctl" name="console" dev=sda1 ino=15533
scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1253870574.190:15): avc: denied { read write } for pid=918
comm="ifconfig" name="console" dev=sda1 ino=15533
scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1253870574.264:16): avc: denied { read write } for pid=921
comm="pppd" name="console" dev=sda1 ino=15533
scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
The rules above should not be allowed because the /dev/console has an invalid type
(file_t)
This signals a labelling issue:
http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/sect-Security-...
type=AVC msg=audit(1253870574.325:17): avc: denied { search } for pid=921
comm="pppd" name="root" dev=sda1 ino=12
scontext=system_u:system_r:pppd_t:s0
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
This also *may* be a labelling issue. pppd wants to search /root dir. /root dir has type
unconfined_home_dir_t. see if this is correct:
matchpathcon /root
restorecon -R /root
/root usually has type admin_home_t and i do not see any good reason why pppd should be
able to search it. misconfiguration/misusage maybe?
type=AVC msg=audit(1253870574.401:18): avc: denied { read write }
for pid=929 comm="iptables-restor" name="console" dev=sda1 ino=15533
scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1253870576.482:19): avc: denied { read write } for pid=1087
comm="dmesg" name="console" dev=sda1 ino=15533
scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=chr_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
type=AVC msg=audit(1253870578.829:20): avc: denied { read write } for pid=1242
comm="iptables" path="socket:[3131]" dev=sockfs ino=3131
scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:pppd_t:s0
tclass=packet_socket
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
Not sure about this one. Maybe signals a leaked file descriptor? I can tell
you that on my configuration this access is not allowed.
What distro, kernel and selinux version are you using?
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list