SELinux Attack!

Karl Larsen k5di at zianet.com
Sat Oct 13 15:42:21 UTC 2007


Matthew Saltzman wrote:
> On Sat, 2007-10-13 at 06:41 -0600, Karl Larsen wrote:
>   
>> Vinayak Mahadevan wrote:
>>     
>>> On 10/13/07, Karl Larsen <k5di at zianet.com> wrote:
>>>>     I have had all those problems in the past years. But this problem
>>>> yesterday was in fact caused by SELinux. I say that because, different
>>>> from your experience, when I turned off SELinux all the problems went away.
>>>>     
>>> Let the machine run for some days and then let us know your
>>> experience with the machine.
>>>
>>> Vinayak
>>>
>>     So far so good. But I would like to know why SELinux did this. And 
>> what do I need to do to make SELinux work on this machine? There seem 
>> to be others that use it and it works without a problem.
>>     
>
> Karl-
>
> As I recall, you said earlier in the thread that you had disabled
> SELinux for a while when you were experimenting with spinning a custom
> distribution.  
>
> SELinux checks the contexts of files (their SELinux security
> information) to see if programs are violating their restrictions, but it
> also updates the contexts when files are created and updated.  If you
> turn SELinux off, file contexts stop getting updated.  When you turn it
> back on, the files may suddenly not have contexts that allow their
> applications to access them.  You'll see the things going wrong
> in /var/log/messages (grep for AVC and look for "denied" messages) or
> you'll get that star icon in your notification area when a program.  And
> of course, the programs that use incorrectly labeled files will not
> work.
>
> You also said at some point that you followed instructions to relabel
> your filesystem and things started to work.  That is exactly the
> solution to the problems introduced by turning SELinux off.  So if you
> turn SELinux back on and relabel one more time, you should be OK after
> that (as long as you leave SELinux on).
>
> Most people don't see (too many) SELinux problems because most people
> don't ever turn it off.  So it maintains itself.
>
    Well I did get a whole lot of messages like this, every ten seconds 
or so:

Oct 11 02:31:08 k5di dbus: Can't send to audit system: USER_AVC avc:  
received policyload notice (seqno=2) : exe="/bin/dbus-daemon" 
(sauid=500, hostname=?, addr=?, terminal=?)

I'm not sure what this means but it seems to mean that /bin/dbus-daemon 
has a problem with my hostname etc.

I looked at man dbus-daemon and it is a library that any device can 
access. It appears it doesn't have what SELinux wants. How do I fix this, 
I wonder?


-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.
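
Added example, not part of the original message or of any SELinux tool: the "grep for AVC and look for denied" check from the quoted reply as a small shell triage that separates real denials from other AVC notices and flags targets that look unlabeled. The function names, the two "denied" sample lines and the relabel hint are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage SELinux AVC lines in syslog-style output.

# Constructed sample input. Line 1 is the message quoted in the post, re-joined
# onto one line; the two "denied" lines are made up for illustration.
sample_log() {
cat <<'EOF'
Oct 11 02:31:08 k5di dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Oct 11 02:31:10 k5di kernel: audit(1192091470.101:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 11 02:31:12 k5di kernel: audit(1192091472.202:46): avc:  denied  { read write } for  pid=2400 comm="smbd" name="share" dev=sda1 ino=777 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
EOF
}

# One line per denial: comm|tclass|permissions|source type|target type|hint
# Assumption: a target type of file_t or unlabeled_t marks a file that has no
# label, the state left behind by running with SELinux off, so hint=relabel.
avc_denials() {
    awk '/avc:/ && /denied/ {
        comm = sctx = tctx = tclass = "?"
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i;   sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { sctx = $i;   sub(/^scontext=/, "", sctx) }
            if ($i ~ /^tcontext=/) { tctx = $i;   sub(/^tcontext=/, "", tctx) }
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        split(sctx, s, ":"); split(tctx, t, ":")
        hint = (t[3] == "file_t" || t[3] == "unlabeled_t") ? "relabel" : "-"
        print comm "|" tclass "|" perms "|" s[3] "|" t[3] "|" hint
    }'
}

# Count AVC lines that are denials versus other AVC notices.
avc_summary() {
    awk '/avc:/ { if (/denied/) d++; else o++ }
         END { printf "denied=%d other=%d\n", d, o }'
}

sample_log | avc_summary
sample_log | avc_denials
```

On a real system the same functions read the log named in the reply, for example `avc_denials < /var/log/messages`.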



