'[gentoo-hardened] SELinux AVC denial during login at tty and some another issue.'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-hardened
Subject:    [gentoo-hardened] SELinux AVC denial during login at tty and some another issue.
From:       à¤†à¤¶à¥€à¤·_Ashish <wahjava.ml () gmail ! com>
Date:       2007-12-06 20:52:39
Message-ID: 200712070221.42057.wahjava.ml () gmail ! com
[Download RAW message or body]

Hi list,

I'm getting this SELinux AVC denial on my Gentoo 
(2007.0/amd64/no-multilib/PaX) installation at the time of login to the TTY.

type=AVC msg=audit(1196966507.080:55): avc:  denied  { create } for  pid=5858 
comm="login" scontext=system_u:system_r:local_login_t 
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

I'm not able to figure out the reason for this AVC denial. Any ideas, how to 
fix ? Shall I add a 'allow' rule or something is messed up.


Another issue is regarding the LDPATH present in "/etc/env.d/04multilib" :

LDPATH="/lib:/usr/lib:/usr/local/lib:/lib64:/usr/lib64:/usr/local/lib64"

On AMD64 architecture, where /usr/lib is symlinked (tclass=lnk_file) 
to /usr/lib64, according to above rule:

chatteau ~ $ ldd `which ls`
        librt.so.1 => /lib/librt.so.1 (0x00002b73875fe000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00002b7387807000)
        libc.so.6 => /lib/libc.so.6 (0x00002b7387a22000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00002b7387d60000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b73873e3000)
        libdl.so.2 => /lib/libdl.so.2 (0x00002b7387f7b000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00002b738817f000)

According to SELinux policy, only apps can load .so from 'file' class of 
object not 'lnk_file'. I'd issues with this few weeks ago, in previous Gentoo 
installation (which I wiped off after few days), which went, when I reordered 
LDPATH, with 'lib64' before corresponding 'lib'. So this needs to be fixed 
too.

TIA
-- 
Ashish Shukla à¤†à¤¶à¥€à¤· à¤¶à¥à¤•à¥à¤²                      http://wahjava.wordpress.com/
 ·--  ·-  · · · ·  ·---  ·-  · · ·-  ·-  ·-- ·- · -- · --  ·-  · ·  ·- · ·  ·- ·- ·- - ·- · --- --

["signature.asc" (application/pgp-signature)]
-- 
gentoo-hardened@gentoo.org mailing list


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic