Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

[Stephen Smalley]

On Fri, 2006-01-27 at 12:36 +0200, G Jahchan wrote:
> I have been desperately trying to get selinux strict policy to work on my
> laptop to no avail. I have been using a strict policy in enforcing mode for a
> long time, but since I upgraded to the kernel / selinux versions listed below,
> when in enforcing mode, the policy causes authentication to fail from the
> console (my default runlevel is 3).
> 
> Even though I have the following statements in my custom.te under
> /etc/selinux/strict/src/policy/domains/misc/
> 
> allow kernel_t sysadm_t:process transition;
> allow kernel_t sysadm_tty_device_t:chr_file { relabelfrom relabelto };
> allow sysadm_t sysadm_t:process transition;
> 
> I keep getting corresponding 'avc: denied' events in the audit log.

These rules shouldn't be necessary, so they imply a more fundamental
problem.  They suggest that your login program is still running in
kernel_t rather than local_login_t.  In turn, this suggests that the
initial transition from kernel_t to init_t upon executing /sbin/init did
not occur.  What does ls -Z /sbin/init show?  
What does '/usr/sbin/sestatus -v | grep -v active' show?

As a side note, avc denials can be caused by other components of the
policy beyond the TE rules, and the above permissions are likely being
(correctly) denied by the role-based restrictions and user-based
restrictions.  Normally, kernel_t doesn't need to be able to transition
to a user security context since kernel_t is only for the initial kernel
task and other kernel threads.  audit2why(8) will try to tell you why a
given avc denial occurred.

-- 
Stephen Smalley
National Security Agency