[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-hardened
Subject:    Re: [gentoo-hardened] Denied message
From:       Petre Rodan <kaiowas () gentoo ! org>
Date:       2006-06-12 20:42:37
Message-ID: 20060612204237.GB9721 () peter ! sunspire ! org
[Download RAW message or body]

Hi,

On Mon, Jun 12, 2006 at 04:23:48PM +0200, sebastien Pastor wrote:
> Hi guys,
> 
> I am finishing a brand new Selinux install. I have still 3 avc denied
> message types when i boot up on enforcing mode. I hope anyone could help
> me in understanding why they are showing up ... i m quite a newbie so
> please be kind with me ;-).
> 
> - the first denied concerns init running on system_u:system_r:init_t
> context , trying to do a getcap on a process class object with context
> system_u:system_r:init_t

you can allow both getcap and setcap for init_t.
sysvinit uses the __NR_capget and __NR_capset syscalls and those generate the avc \
message.  
> - the second denieds concerns processes run from  modules-update script
> (id,mv,cp ..) scontext=system_u:system_r:update_modules_t trying to
> search directories like  /var /usr etc .... : i had a look @ modutil.te
> and there is a bunch of dontaudit  which seems to take care of this. Why
> do i see those denied then  ? is it a well-known bug ?

show us the exact avc message.
you also might want to inspect the processed rules in policy.conf to see if the \
dontaudits are actually there, or maybe they got left out for some reason.

> - the last denieds are issued by unix_chkpwd
> scontext=system_u:system_r:system_chkpwd_t
> tcontext=root:object_r:sysadm_tty_device_t  tclass=chr_file

looks harmless. if your command succeeds in enforcing mode you can ignore errors like \
this one.

cheers,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux 


[Attachment #3 (application/pgp-signature)]
-- 
gentoo-hardened@gentoo.org mailing list


[prev in list] [next in list] [prev in thread] [next in thread]