Re: Should selinux be standard?



On Tue, 2008-09-16 at 13:05 -0500, Manoj Srivastava wrote:
> On Tue, Sep 16 2008, Julien Cristau wrote:
> 
> > I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> > related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> > from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> > from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> > /proc/net, creating a socket and doing anything with it, then some more
> > errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> > it's not allowed to connect to 11371/tcp, firefox, or gconfd-2.  Uptime
> > is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
> > Looks like it's not ready for prime time to me.
> 
>         Hmm.

My own laptop, installed 2007-02.


$dpkg -l | egrep '^ii' | wc -l
1964

$uptime 
21:07:07 up 3 days, 9 min,  9 users,  load average: 0.40, 0.19, 0.23

$cat /var/log/messages{,.0,.1} |audit2allow | egrep -v '(^$)|(^#)'|wc -l
46

Not so bad for an old laptop, with many non-standard settings, and
probably some files that are improperly tagged.

$cat /var/log/messages{,.0,.1} | audit2allow | egrep -v '(^$)|(^#)' 

allow avahi_t httpd_t:dbus send_msg;
allow crond_t file_t:file { read getattr };
allow cupsd_t dhcpc_var_run_t:file { read getattr };
allow dhcpc_t avahi_var_run_t:dir { write remove_name search getattr add_name };
allow dhcpc_t avahi_var_run_t:file { write rename create unlink getattr };
allow dhcpc_t etc_t:file { execute execute_no_trans };
allow dhcpc_t lib_t:file execute_no_trans;
allow gpm_t self:process signull;
allow hald_t apm_bios_t:chr_file { read ioctl };
allow hald_t self:capability ipc_lock;
allow hald_t self:dir mounton;
allow hald_t self:process setrlimit;
allow hald_t tmpfs_t:blk_file { read write create };
allow hald_t tmpfs_t:dir { write add_name };
allow hald_t tmpfs_t:filesystem { mount unmount };
allow hald_t xdm_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t dhcpc_var_run_t:file { read getattr };
allow httpd_t httpd_modules_t:lnk_file read;
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t system_dbusd_t:unix_stream_socket connectto;
allow httpd_t system_dbusd_var_run_t:dir search;
allow httpd_t system_dbusd_var_run_t:sock_file write;
allow httpd_t usr_t:file { execute execute_no_trans };
allow httpd_t var_lib_t:dir { create rmdir };
allow httpd_t var_lib_t:file { write append setattr };
allow httpd_t var_t:dir read;
allow httpd_t var_t:file { read getattr ioctl };
allow httpd_t var_t:lnk_file read;
allow inetd_t var_lib_t:dir search;
allow insmod_t device_t:dir { write add_name };
allow insmod_t lib_t:file execute_no_trans;
allow insmod_t self:capability mknod;
allow ldconfig_t usr_t:file read;
allow logrotate_t unconfined_home_dir_t:dir search;
allow mount_t dosfs_t:dir search;
allow mount_t etc_t:file { write append };
allow rpcd_t proc_net_t:lnk_file read;
allow system_dbusd_t inotifyfs_t:dir read;
allow udev_t etc_runtime_t:file { unlink append };
allow udev_t usr_t:file execute;
allow udev_t var_log_t:file read;
allow unconfined_t lib_t:file execmod;
allow unconfined_t self:process { execstack execmem };
allow vbetool_t console_device_t:chr_file { read write };
allow xdm_t hald_t:dbus send_msg;

> I have not tried to boot into enforcing mode, but I am not sure
>  which of these are actually needed, and which can safely be denied
>  anyway. 

Me neither.

>  So, 9 missing lines in policy, out of which 6 are about dbus.
>  Russell is probably way better than I to try to resolve these issues,
>  but I'll see what I can do to help.

The entries related to apache are probably either related to my own
specific settings, or related to libapache2-mod-dnssd.
Most of the httpd entries are probably specific to my configuration.

Franklin
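An added example (not code from this thread or from audit2allow): a small Python helper that does what the `dmesg | grep -c 'avc:  denied'` and `audit2allow` pipelines above do, on constructed log lines, so the raw denial count, the number of distinct rules, and the dbus share can be compared before anyone decides which rules are actually needed. The sample log, the `triage` function and the field trimming are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Shape of an AVC denial as logged by the kernel (and by dbus-daemon for the
# userspace AVC) in /var/log/messages or dmesg.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log lines (not from the thread), with some fields trimmed.
SAMPLE_LOG = """\
Sep 16 20:50:11 lap kernel: audit(1221612611.401:12): avc:  denied  { read } for  pid=2210 comm="cupsd" name="dhclient.eth0.pid" scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file
Sep 16 20:50:11 lap kernel: audit(1221612611.402:13): avc:  denied  { getattr } for  pid=2210 comm="cupsd" path="/var/run/dhclient.eth0.pid" scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file
Sep 16 20:51:02 lap dbus-daemon: avc:  denied  { send_msg } for  msgtype=method_call dest=org.freedesktop.Hal spid=3011 tpid=2488 scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:hald_t tclass=dbus
Sep 16 20:52:40 lap kernel: audit(1221612760.117:14): avc:  denied  { execstack } for  pid=3310 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Sep 16 20:53:01 lap kernel: audit(1221612781.004:15): avc:  denied  { execmem } for  pid=3310 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
Sep 16 20:55:20 lap kernel: eth0: link up
"""

def _type_of(context):
    return context.split(":")[2]  # user:role:type[:level] -> type

def summarize(lines):
    """Collapse denials the way audit2allow does: one rule per (source type,
    target type, object class) holding the union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (_type_of(m.group("scon")), _type_of(m.group("tcon")), m.group("tclass"))
            rules[key].update(m.group("perms").split())
    return rules

def format_rules(rules):
    """Render in policy syntax; a target equal to the source prints as `self`."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {'self' if tgt == src else tgt}:{tclass} {perm_str};")
    return out

def triage(log_text):
    """Numbers a reviewer wants before touching policy: raw events (what
    `grep -c 'avc:  denied'` counts), distinct rules, and how many are dbus."""
    lines = log_text.splitlines()
    rules = summarize(lines)
    return {"events": sum(1 for ln in lines if AVC_RE.search(ln)),
            "rules": format_rules(rules),
            "dbus_rules": sum(1 for (_, _, c) in rules if c == "dbus")}
```

A generated rule only records what was denied; whether the access is needed (or should stay denied and the file be relabelled instead) is still a judgement per rule, as the thread says.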

