List: gentoo-hardened
Subject: [gentoo-hardened] SELinux AVC denial during login at tty and some another issue.
From: आशीष_Ashish <wahjava.ml () gmail ! com>
Date: 2007-12-06 20:52:39
Message-ID: 200712070221.42057.wahjava.ml () gmail ! com
Hi list,

I'm getting this SELinux AVC denial on my Gentoo
(2007.0/amd64/no-multilib/PaX) installation at the time of login to the TTY.

type=AVC msg=audit(1196966507.080:55): avc: denied { create } for pid=5858
comm="login" scontext=system_u:system_r:local_login_t
tcontext=system_u:system_r:local_login_t tclass=netlink_route_socket

I'm not able to figure out the reason for this AVC denial. Any ideas how to
fix it? Shall I add an 'allow' rule, or is something messed up?

Another issue is regarding the LDPATH present in "/etc/env.d/04multilib":

LDPATH="/lib:/usr/lib:/usr/local/lib:/lib64:/usr/lib64:/usr/local/lib64"

On the AMD64 architecture, where /usr/lib is symlinked (tclass=lnk_file)
to /usr/lib64, according to the above rule:

chatteau ~ $ ldd `which ls`
librt.so.1 => /lib/librt.so.1 (0x00002b73875fe000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00002b7387807000)
libc.so.6 => /lib/libc.so.6 (0x00002b7387a22000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00002b7387d60000)
/lib64/ld-linux-x86-64.so.2 (0x00002b73873e3000)
libdl.so.2 => /lib/libdl.so.2 (0x00002b7387f7b000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00002b738817f000)

According to SELinux policy, apps can load .so only from the 'file' class of
object, not 'lnk_file'. I had issues with this a few weeks ago in a previous
Gentoo installation (which I wiped after a few days); they went away when I
reordered LDPATH with 'lib64' before the corresponding 'lib'. So this needs to
be fixed too.

TIA
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
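
Added example, not part of the original message: a small Python parser that splits the AVC record quoted above into its fields and renders the denial as the policy rule it corresponds to, in the same `allow` form that audit2allow prints. The function names are this example's own, and the sample is the record from the message re-joined onto one line.

```python
import re

# The AVC record from the message above, re-joined (the mail wrapped it).
SAMPLE = ('type=AVC msg=audit(1196966507.080:55): avc: denied { create } '
          'for pid=5858 comm="login" '
          'scontext=system_u:system_r:local_login_t '
          'tcontext=system_u:system_r:local_login_t '
          'tclass=netlink_route_socket')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')

def parse_avc(record):
    """Parse one AVC record (possibly line-wrapped) into a dict, else None."""
    m = AVC_RE.search(' '.join(record.split()))  # undo mail/terminal wrapping
    if not m:
        return None
    avc = {'timestamp': float(m['ts']), 'serial': int(m['serial']),
           'result': m['result'], 'perms': m['perms'].split()}
    # Remaining fields are key=value; values may be double-quoted (comm, name).
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m['rest']):
        avc[key] = quoted or bare
    return avc

def context_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]

def to_allow_rule(avc):
    """Render a parsed denial as the allow rule that would permit it."""
    source = context_type(avc['scontext'])
    target = context_type(avc['tcontext'])
    if target == source:
        target = 'self'  # policy shorthand when a domain acts on itself
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (source, target, avc['tclass'], perm_text)

if __name__ == '__main__':
    parsed = parse_avc(SAMPLE)
    print(parsed['comm'], parsed['pid'], parsed['tclass'], parsed['perms'])
    print(to_allow_rule(parsed))
```

The rule it prints only restates the denial in policy language: the login process, running in local_login_t, tried to create a netlink route socket of its own.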