MLS and back from runlevel 3

Szabo Akos fonya at fatav.hu
Fri Apr 15 13:07:04 UTC 2011


Hi,

On Thu, Apr 14, 2011 at 11:26:28AM -0400, Daniel J Walsh wrote:
> 
> On 04/14/2011 10:50 AM, Szabo Akos wrote:
> > Hi, 
> > 
> > On Tue, 2011-04-12 at 08:59 +0200, mgrepl wrote:
> >>>> Hi 2 all,
> >>>>
> >>>> As the http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto said:
> >>>>
> >>>>
> >>>> Configure the system to boot into run level 3 by default:
> >>>>
> >>>> perl -p -i -e "s/^id:5:initdefault:/id:3:initdefault:/g" /etc/inittab
> >>>>
> >>>> Then, when SELinux executes the MLS policy instead of targeted, does the
> >>>> system always boot in runlevel 3?
> >>>>
> >>>> I would like to run PostgreSQL DBMS based on MLS security policy.
> >>>> But when the system boots in runlevel 3, I have some problems.
> >>>>
> >>>> Is there any idea how I can come back to the previous run level?
> >>>> However, when I did it, my screen was blinking, then I had nothing (black screen).
> >>>>
> >>>> The system is Fedora 14, I have just installed selinux-policy-mls-3.9.7-38.fc14.noarch.rpm.
> >>>>
> >>>> Regards,
> >>>> Flora
> > 
> >>> You can run at higher runlevels than runlevel 3 in Fedora.  We only
> >>> support runlevel 3 in RHEL.  (Server only mode).
> >>>
> >>> mls policy should mostly work on a desktop environment.
> >> You might want to try to boot with
> >>
> >> enforcing=0
> >>
> >> on the kernel line.
> > 
> > I tried it on Fedora 14 without success: X was killed (I'm using the
> > proprietary nvidia driver), crontabs are not working, etc.
> 
> I would boot in permissive mode and send us the audit.log.



Yes, of course, I attach it. If you need it, I've got the dmesg output too, but it's 72KB.
 
Regards,
	Fonya

	    My mission is to stimulate the rhythmic action radius.
                PGP key ID F86614E5, GPG key ID 83AD9365
-------------- next part --------------
type=DAEMON_START msg=audit(1302869501.631:564): auditd start, ver=2.0.6 format=raw kernel=2.6.35.12-88.fc14.x86_64 auid=502 pid=3245 subj=user_u:user_r:user_t:s0 res=success
type=AVC msg=audit(1302869501.735:72): avc:  denied  { write } for  pid=3248 comm="touch" name="subsys" dev=sda6 ino=5726240 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1302869501.735:73): avc:  denied  { add_name } for  pid=3248 comm="touch" name="auditd" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1302869501.735:74): avc:  denied  { create } for  pid=3248 comm="touch" name="auditd" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1302869501.735:75): avc:  denied  { write open } for  pid=3248 comm="touch" name="auditd" dev=sda6 ino=5728452 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1302869501.750:76): avc:  denied  { nlmsg_readpriv } for  pid=3250 comm="auditctl" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1302869501.750:76): arch=c000003e syscall=44 success=yes exit=16 a0=3 a1=7fffe051e1d0 a2=10 a3=0 items=0 ppid=3237 pid=3250 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="auditctl" exe="/sbin/auditctl" subj=user_u:user_r:user_t:s0 key=(null)
type=CONFIG_CHANGE msg=audit(1302869501.750:77): audit_backlog_limit=320 old=64 auid=502 ses=2 subj=user_u:user_r:user_t:s0 res=1
type=AVC msg=audit(1302869501.769:78): avc:  denied  { setpcap } for  pid=3251 comm="sedispatch" capability=8  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
type=SYSCALL msg=audit(1302869501.769:78): arch=c000003e syscall=157 success=yes exit=0 a0=18 a1=0 a2=0 a3=0 items=0 ppid=3247 pid=3251 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="sedispatch" exe="/usr/sbin/sedispatch" subj=user_u:user_r:user_t:s0 key=(null)
type=USER_AVC msg=audit(1302869503.486:79): user pid=1223 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedoraproject.SetroubleshootdIface member=avc dest=org.fedoraproject.Setroubleshootd spid=3251 tpid=3258 scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1302869506.411:80): user pid=1223 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.77 spid=3258 tpid=3251 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1302869510.936:81): avc:  denied  { read } for  pid=3225 comm="bash" name="audit" dev=sda6 ino=5726242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1302869510.936:82): avc:  denied  { open } for  pid=3225 comm="bash" name="audit" dev=sda6 ino=5726242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1302869511.469:83): avc:  denied  { getattr } for  pid=3258 comm="setroubleshootd" path="/etc/audit" dev=sda6 ino=9166877 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1302869511.469:83): arch=c000003e syscall=6 success=yes exit=0 a0=4b6f550 a1=7fffa3570470 a2=7fffa3570470 a3=5485e68 items=0 ppid=1 pid=3258 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1302869511.823:84): avc:  denied  { getattr } for  pid=3258 comm="setroubleshootd" path="/var/log/audit" dev=sda6 ino=5726242 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1302869511.823:84): arch=c000003e syscall=6 success=yes exit=0 a0=4b6f550 a1=7fffa3570470 a2=7fffa3570470 a3=0 items=0 ppid=1 pid=3258 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1302869514.863:85): avc:  denied  { search } for  pid=3280 comm="cp" name="audit" dev=sda6 ino=5726242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1302869514.863:85): arch=c000003e syscall=4 success=yes exit=0 a0=7fffd414b83f a1=7fffd414ae50 a2=7fffd414ae50 a3=2 items=0 ppid=3225 pid=3280 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1302869514.863:86): avc:  denied  { read } for  pid=3280 comm="cp" name="audit.log" dev=sda6 ino=5728350 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:auditd_log_t:s0 tclass=file
type=AVC msg=audit(1302869514.863:86): avc:  denied  { open } for  pid=3280 comm="cp" name="audit.log" dev=sda6 ino=5728350 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:auditd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1302869514.863:86): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd414b83f a1=0 a2=0 a3=2 items=0 ppid=3225 pid=3280 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1302869514.863:87): avc:  denied  { dac_override } for  pid=3280 comm="cp" capability=1  scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
type=SYSCALL msg=audit(1302869514.863:87): arch=c000003e syscall=2 success=yes exit=4 a0=17298f0 a1=c1 a2=180 a3=2 items=0 ppid=3225 pid=3280 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/bin/cp" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1302869515.177:88): avc:  denied  { read search } for  pid=3284 comm="locate" name="audit" dev=sda6 ino=5726242 scontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1302869515.177:88): arch=c000003e syscall=21 success=yes exit=0 a0=21a1620 a1=5 a2=21a5330 a3=676f6c2f7261762f items=0 ppid=3283 pid=3284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=21 sgid=21 fsgid=21 tty=(none) ses=4294967295 comm="locate" exe="/usr/bin/locate" subj=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1302869521.360:89): user pid=3288 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1302869521.361:90): user pid=3288 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1302869521.362:91): login pid=3288 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=17
type=USER_START msg=audit(1302869521.368:92): user pid=3288 uid=0 auid=0 ses=17 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1302869521.369:93): user pid=3288 uid=0 auid=0 ses=17 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1302869521.384:94): user pid=3288 uid=0 auid=0 ses=17 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1302869521.385:95): user pid=3288 uid=0 auid=0 ses=17 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1302869522.009:96): avc:  denied  { read write } for  pid=1837 comm="Xorg" path="/dev/nvidiactl" dev=devtmpfs ino=16093 scontext=system_u:system_r:xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
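The attached audit.log is the raw material Dan asked for. As an added example (not part of the original thread, and not code from Fedora or the SELinux project), here is a small Python triage script for exactly this kind of attachment: it parses both kernel `type=AVC` records and the `type=USER_AVC` records dbus emits, groups the denials by source type, target type and object class, and applies a simplified MLS dominance check so that a plain type-enforcement gap (user_t at s0 writing var_lock_t at s0) can be told apart from a denial where the source's sensitivity range does not dominate the target's level (user_t at s0 reading auditd_log_t at s15:c0.c1023). It also lists records in which a uid 0 process is running in user_r, which under the MLS policy is worth a second look because administrative work is expected to happen in sysadm_r. The sample records are copied from the attachment above; the dominance heuristic and the role check are assumptions of this example, and audit2why(1) remains the authoritative tool for explaining a given denial.

```python
import re

# Constructed sample: a handful of records copied in shape from the audit.log
# attached above. SYSCALL and DAEMON_START records carry no denial; the AVC
# parser skips them and the role check uses them.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1302869501.631:564): auditd start, ver=2.0.6 format=raw kernel=2.6.35.12-88.fc14.x86_64 auid=502 pid=3245 subj=user_u:user_r:user_t:s0 res=success
type=AVC msg=audit(1302869501.735:72): avc:  denied  { write } for  pid=3248 comm="touch" name="subsys" dev=sda6 ino=5726240 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1302869501.735:73): avc:  denied  { add_name } for  pid=3248 comm="touch" name="auditd" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1302869501.750:76): arch=c000003e syscall=44 success=yes exit=16 a0=3 a1=7fffe051e1d0 a2=10 a3=0 items=0 ppid=3237 pid=3250 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="auditctl" exe="/sbin/auditctl" subj=user_u:user_r:user_t:s0 key=(null)
type=USER_AVC msg=audit(1302869503.486:79): user pid=1223 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedoraproject.SetroubleshootdIface member=avc dest=org.fedoraproject.Setroubleshootd spid=3251 tpid=3258 scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0-s15:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1302869510.936:81): avc:  denied  { read } for  pid=3225 comm="bash" name="audit" dev=sda6 ino=5726242 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1302869522.009:96): avc:  denied  { read write } for  pid=1837 comm="Xorg" path="/dev/nvidiactl" dev=devtmpfs ino=16093 scontext=system_u:system_r:xserver_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

# Matches the denial body of kernel AVC records and of USER_AVC records,
# where the same text sits inside msg='...'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """'user:role:type:level' -> (user, role, type, level); the level keeps its own colons."""
    user, role, stype, level = ctx.split(":", 3)
    return user, role, stype, level


def parse_level(level):
    """'s15:c0.c1023' -> (15, {0, ..., 1023}); handles cN, cN.cM ranges and comma lists."""
    sens, _, cats = level.partition(":")
    catset = set()
    for part in cats.split(",") if cats else []:
        if "." in part:
            lo, hi = part.split(".")
            catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            catset.add(int(part[1:]))
    return int(sens[1:]), catset


def parse_range(rng):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own low and high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def summarize(log_text):
    """Group denials by (source type, target type, class), union the permissions,
    and record whether the source's high level dominates the target's high level
    (simplified heuristic: False suggests an MLS constraint, not just a missing allow)."""
    groups = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, _, stype, srange = split_context(m["scontext"])
        _, _, ttype, trange = split_context(m["tcontext"])
        g = groups.setdefault((stype, ttype, m["tclass"]),
                              {"perms": set(), "count": 0, "mls_ok": True})
        g["perms"].update(m["perms"].split())
        g["count"] += 1
        g["mls_ok"] = g["mls_ok"] and dominates(parse_range(srange)[1], parse_range(trange)[1])
    return [dict(stype=k[0], ttype=k[1], tclass=k[2], perms=sorted(v["perms"]),
                 count=v["count"], mls_ok=v["mls_ok"]) for k, v in sorted(groups.items())]


def root_in_user_role(log_text):
    """(pid, comm, subj) for records where a uid 0 process carries a user_r context.
    Heuristic for MLS setups: root work is normally done from sysadm_r via newrole."""
    hits = []
    for line in log_text.splitlines():
        if not re.search(r"\buid=0\b", line):
            continue
        subj = re.search(r"\bsubj=(\S+)", line)
        if not subj or ":user_r:" not in subj.group(1):
            continue
        pid = re.search(r"\bpid=(\d+)", line)
        comm = re.search(r'\bcomm="([^"]*)"', line)
        hits.append((pid.group(1) if pid else "?", comm.group(1) if comm else "?", subj.group(1)))
    return hits


if __name__ == "__main__":
    for d in summarize(SAMPLE_LOG):
        tag = "type enforcement" if d["mls_ok"] else "MLS range does not dominate"
        print(f"{d['stype']} -> {d['ttype']} ({d['tclass']}): {' '.join(d['perms'])} "
              f"x{d['count']} [{tag}]")
    for pid, comm, subj in root_in_user_role(SAMPLE_LOG):
        print(f"uid 0 in user role: pid={pid} comm={comm} subj={subj}")
```

Run it against a real audit.log by replacing SAMPLE_LOG with the file contents; the grouping mirrors what you would feed to audit2allow, while the "MLS range does not dominate" tag is the cue that a generated allow rule would not help and the subject needs the right level or role instead.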