On Sat, 10 Jul 2004 16:57, Richard Hally <rhallyx(a)mindspring.com> wrote:
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied {
transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups
dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t
tcontext=root:system_r:initrc_t tclass=process
The role sysadm_r is not permitted to have domain initrc_t. The options for
solving this are:
1: role sysadm_r types initrc_t;
2: role_transition sysadm_r initrc_exec_t system_r;
   domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
3: role_transition sysadm_r logrotate_exec_t system_r;
In option 2 the domain_auto_trans() is needed to prevent the
command /etc/init.d/whatever from ending up in the context
root:system_r:sysadm_t which is not a valid context.
The problem with option 1 is that initrc_t then launches other domains so it
doesn't work.
Steve, what do you think about option 2 vs option 3?
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied {
use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2
ino=1064669 scontext=root:system_r:consoletype_t
tcontext=root:sysadm_r:logrotate_t tclass=fd
I guess we need a dontaudit rule for that as there is:
can_exec(logrotate_t, consoletype_exec_t)
So I put the following in logrotate.te:
dontaudit consoletype_t logrotate_t:fd use;
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied {
ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
ino=2 scontext=root:system_r:cupsd_t
tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied {
getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
ino=2 scontext=root:system_r:cupsd_t
tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
The attached patch takes care of that.
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied {
read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311
scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t
tclass=file
In enforcing mode access to the parent directory is denied and that file will
never be accessed.
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied {
read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871
scontext=root:system_r:cupsd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Maybe we should change id to read /proc/self/attr/current directly? We don't
want to have to put in allow or dontaudit rules for every shell script that
runs "id".
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
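As an added example, not part of the message above nor of the SELinux policy sources or tools it mentions: the triage that the reply does by hand (merge the two cupsd_t devpts denials into one allow rule, turn the consoletype_t fd denial into a dontaudit, flag the logrotate_t transition as a role problem rather than an allow rule, and drop the .bashrc denial that enforcing mode never reaches) written as a small Python parser over the quoted AVC records. It assumes the 2004-era `avc: denied { perms } for key=value ...` line format shown in the message, non-MLS `user:role:type` contexts, and the sample log below is constructed from the quoted lines re-joined onto single lines; the `dontaudit` and `ignore` sets are illustrative choices mirroring the reply's own decisions, and the `role ... types ...;` suggestion is the reply's option 1 only (the role_transition alternatives need the entrypoint type, which an AVC record does not carry).

```python
import re

# Constructed sample input: the audit records quoted in the message above,
# re-joined onto one line each (syslog wrapping removed), plus two non-AVC
# lines to show that they are skipped.
SAMPLE_LOG = """\
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
"""

# Assumed record shape: "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Contexts are user:role:type (a trailing MLS level, if any, is ignored).
    rec["suser"], rec["srole"], rec["stype"] = rec["scontext"].split(":")[:3]
    rec["tuser"], rec["trole"], rec["ttype"] = rec["tcontext"].split(":")[:3]
    return rec


def suggest_rules(lines, dontaudit=frozenset(), ignore=frozenset()):
    """Turn denials into candidate policy statements, audit2allow-style.

    Denials sharing (source type, target type, class) are merged into one
    statement. Keys in `dontaudit` get a dontaudit rule instead of allow (as
    the message does for consoletype_t using logrotate_t's fds); keys in
    `ignore` produce nothing (e.g. the .bashrc denial, which enforcing mode
    never reaches). A process transition whose source and target roles differ
    is reported as a role statement, since no allow rule fixes it.
    """
    merged = {}      # (stype, ttype, tclass) -> permissions in first-seen order
    role_fixes = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        if key in ignore:
            continue
        if (rec["tclass"] == "process" and "transition" in rec["perms"]
                and rec["srole"] != rec["trole"]):
            # The message's option 1. Its options 2/3 (role_transition on the
            # entrypoint type) cannot be derived here: the record has no exec type.
            role_fixes.append(f"role {rec['srole']} types {rec['ttype']};")
            continue
        perms = merged.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (s, t, c), perms in merged.items():
        kw = "dontaudit" if (s, t, c) in dontaudit else "allow"
        rules.append(f"{kw} {s} {t}:{c} {{ {' '.join(perms)} }};")
    return role_fixes + rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG.splitlines(),
                              dontaudit={("consoletype_t", "logrotate_t", "fd")},
                              ignore={("cupsd_t", "staff_home_t", "file")}):
        print(rule)
```

Every line the script emits still needs the kind of review the reply gives: without the `ignore` entry it would happily propose `allow cupsd_t selinux_config_t:file { read };`, which is exactly the per-script allow rule the message wants to avoid by changing `id` instead.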