selinux-policy-strict-1.23.14-2 - glitches...

Tom London selinux at gmail.com
Tue May 3 14:17:45 UTC 2005


Running strict/enforcing, latest rawhide.

The following crop up with today's updates:

0. Early boot denials:
May  3 06:42:12 fedora kernel: security:  3 users, 6 roles, 1333
types, 63 bools
May  3 06:42:12 fedora kernel: security:  55 classes, 342123 rules
May  3 06:42:12 fedora kernel: SELinux:  Completing initialization.
May  3 06:42:12 fedora kernel: SELinux:  Setting up existing superblocks.
May  3 06:42:12 fedora kernel: audit(1115102485.415:0): avc:  denied 
{ read } for  name=proc dev=hda2 ino=3407873
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
May  3 06:42:12 fedora kernel: audit(1115102485.416:0): avc:  denied 
{ search } for  name=/ dev=hda2 ino=2
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
May  3 06:42:12 fedora last message repeated 3 times
May  3 06:42:12 fedora kernel: SELinux: initialized (dev hda2, type
ext3), uses xattr

Also, init seems to be doing a PID scan:
May  3 06:42:13 fedora kernel: audit(1115102490.729:0): avc:  denied 
{ read } for  name=stat dev=proc ino=65550
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=file
May  3 06:42:13 fedora kernel: audit(1115102490.730:0): avc:  denied 
{ read } for  name=stat dev=proc ino=31916046
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=file
May  3 06:42:13 fedora kernel: audit(1115102490.730:0): avc:  denied 
{ read } for  name=stat dev=proc ino=32505870
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:initrc_t tclass=file
May  3 06:42:13 fedora kernel: audit(1115102490.730:0): avc:  denied 
{ read } for  name=stat dev=proc ino=36175886
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:hotplug_t tclass=file
<<<SNIP>>>

1.  privoxy is non-functional:
May  3 06:42:53 fedora kernel: audit(1115127773.695:0): avc:  denied 
{ name_bind } for  src=8118 scontext=system_u:system_r:privoxy_t
tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
so suggest adding
allow privoxy_t http_cache_port_t:tcp_socket name_bind;
to privoxy.te

2.  trouble starting ptal. I can't tell if this is a missing
transition to  ptal_t, or just  a missing entry in net_contexts. 
Help?
May  3 06:42:21 fedora kernel: audit(1115127741.848:0): avc:  denied 
{ name_bind } for  src=5703 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5704 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5705 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5706 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5707 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5708 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5709 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5710 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5711 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5712 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5713 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5714 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied 
{ name_bind } for  src=5715 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora ptal-photod:
ptal-photod(mlc:usb:PSC_900_Series): bind(tcpPort=5729) failed,
errno=13!

Also:
May  3 06:42:22 fedora kernel: audit(1115127741.921:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:25 fedora ptal-mlcd: ERROR at ExMgr.cpp:2525,
dev=<mlc:usb:PSC_900_Series>, pid=2372, e=1, t=1115127745        
Couldn't find device!
May  3 06:42:25 fedora kernel: audit(1115127745.660:0): avc:  denied 
{ write } for  name=001 dev=usbfs ino=4489
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May  3 06:42:25 fedora kernel: audit(1115127745.660:0): avc:  denied 
{ write } for  name=001 dev=usbfs ino=4489
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May  3 06:42:25 fedora kernel: audit(1115127745.660:0): avc:  denied 
{ write } for  name=001 dev=usbfs ino=4473
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May  3 06:42:25 fedora kernel: audit(1115127745.661:0): avc:  denied 
{ write } for  name=001 dev=usbfs ino=4473
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May  3 06:42:25 fedora kernel: audit(1115127745.661:0): avc:  denied 
{ write } for  name=001 dev=usbfs ino=4457
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May  3 06:42:25 fedora kernel: audit(1115127745.661:0): avc:  denied 
{ write } for  name=001 dev=usbfs ino=4457
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file

3. issues with fifo files:
May  3 06:42:14 fedora kernel: IPv6 over IPv4 tunneling driver
May  3 06:42:14 fedora kernel: audit(1115127718.038:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:14 fedora kernel: audit(1115127718.041:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:14 fedora kernel: audit(1115127718.256:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:14 fedora kernel: audit(1115127718.260:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:14 fedora kernel: ACPI: Power Button (FF) [PWRF]
<<<SNIP>>>
May  3 06:42:50 fedora ntpd[2472]: kernel time sync status 0040
May  3 06:42:50 fedora kernel: audit(1115127770.407:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:50 fedora ntpd[2472]: frequency initialized 67.355 PPM
from /var/lib/ntp/drift
May  3 06:42:50 fedora ntpd[2472]: configure: keyword "authenticate"
unknown, line ignored
May  3 06:42:51 fedora kernel: audit(1115127771.070:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
<<<SNIP>>>
May  3 06:42:59 fedora kernel: audit(1115127779.773:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May  3 06:42:59 fedora kernel: audit(1115127779.800:0): avc:  denied 
{ write } for  name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file


4. ddclient (fix to support http_port_t):
May  3 06:42:52 fedora kernel: audit(1115127772.664:0): avc:  denied 
{ name_connect } for  dest=80 scontext=system_u:system_r:ddclient_t
tcontext=system_u:object_r:http_port_t tclass=tcp_socket
or
allow ddclient_t http_port_t:tcp_socket name_connect;

5. su denial:
May  3 06:44:04 fedora su(pam_unix)[3241]: session opened for user
root by tbl(uid=500)
May  3 06:44:17 fedora kernel: audit(1115127857.306:0): avc:  denied 
{ unix_read unix_write } for  key=1592234044
scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t
tclass=sem

Does 
allow user_t xdm_t:sem { unix_read unix_write };
make sense?

Thanks!
   tom
-- 
Tom London
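As an added example (not from the post, nor from the SELinux project or its tooling), here is a small Python parser for the kernel avc denial format quoted throughout the message. It does by script what the post does by hand and what audit2allow does in spirit: group each denial by source type, target type and object class, union the permissions seen across records, and print candidate `allow` rules in the same form as the ones proposed for privoxy.te. It also flags rules whose target is a generic type such as port_t or unlabeled_t; that flag is my own heuristic, since denials against generic types usually point at a labelling or domain-transition gap (the question raised for ptal) rather than at a missing allow rule. The sample input is a constructed set of the post's own records re-joined onto one line each (the mail client wrapped them) plus one non-avc syslog line, so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: avc lines from the post, one record per line,
# plus a non-avc syslog line that the parser must ignore.
SAMPLE_LOG = """\
May  3 06:42:12 fedora kernel: audit(1115102485.415:0): avc:  denied  { read } for  name=proc dev=hda2 ino=3407873 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
May  3 06:42:12 fedora kernel: audit(1115102485.416:0): avc:  denied  { search } for  name=/ dev=hda2 ino=2 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
May  3 06:42:53 fedora kernel: audit(1115127773.695:0): avc:  denied  { name_bind } for  src=8118 scontext=system_u:system_r:privoxy_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.848:0): avc:  denied  { name_bind } for  src=5703 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:21 fedora kernel: audit(1115127741.849:0): avc:  denied  { name_bind } for  src=5704 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket
May  3 06:42:22 fedora kernel: audit(1115127741.921:0): avc:  denied  { write } for  name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
May  3 06:42:52 fedora kernel: audit(1115127772.664:0): avc:  denied  { name_connect } for  dest=80 scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
May  3 06:44:17 fedora kernel: audit(1115127857.306:0): avc:  denied  { unix_read unix_write } for  key=1592234044 scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t tclass=sem
May  3 06:42:50 fedora ntpd[2472]: kernel time sync status 0040
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.+)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Heuristic (my assumption, not part of any SELinux tool): a denial against one
# of these generic types is more likely a labelling or transition gap.
GENERIC_TYPES = {"port_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one syslog line; return a dict for avc records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def summarize(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "detail": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        entry = summary[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        # Keep the object identity (port, path name, IPC key) so a reviewer can
        # judge whether the rule is as narrow as it should be.
        for k in ("src", "dest", "name", "key"):
            if k in rec["fields"]:
                entry["detail"].add(f"{k}={rec['fields'][k]}")
    return dict(summary)


def to_allow_rules(summary):
    """Emit one candidate allow rule per group, in .te syntax, flagging generic targets."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_str};"
        if ttype in GENERIC_TYPES:
            detail = ", ".join(sorted(entry["detail"]))
            rule += f"  # REVIEW: generic target type ({entry['count']} denials: {detail})"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_LOG.splitlines())):
        print(rule)
```

Run against the sample, the twelve-plus ptal `name_bind` records collapse into a single flagged `allow initrc_t port_t:tcp_socket name_bind;` line, the two kernel_t records merge into `{ read search }`, and the su record comes out as `allow user_t xdm_t:sem { unix_read unix_write };`, the same rule the post asks about. The output is a starting point for review against the existing policy, not something to paste into a .te file unread.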