
Re: Should selinux be standard?
This one time, at band camp, Josselin Mouette said:
> On Sunday, 14 September 2008 at 21:32 +1000, Russell Coker wrote:
> > For a typical desktop system (such as my EeePC) a default installation of SE 
> > Linux in Lenny works for most things.  
> 
> What do you mean by "most things"? What is not working?

Sep 15 22:04:17 spartacus kernel: [   17.148409] type=1400 audit(1221512644.263:3): avc:  denied  { execute_no_trans } for  pid=1497 comm="sh" path="/lib/alsa/modprobe-post-install" dev=hda1 ino=133937 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   24.378414] type=1400 audit(1221512651.107:4): avc:  denied  { unlink } for  pid=2141 comm="mount" name="blkid.tab.old" dev=hda1 ino=472430 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   26.578258] type=1400 audit(1221512653.313:5): avc:  denied  { append } for  pid=1215 comm="ifup" name="ifstate" dev=hda1 ino=472430 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   26.884443] type=1400 audit(1221512653.621:6): avc:  denied  { unlink } for  pid=1755 comm="ifup" name="ifstate" dev=hda1 ino=472430 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   27.648008] SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Sep 15 22:04:30 spartacus kernel: [   43.593733] type=1400 audit(1221512670.315:8): avc:  denied  { search } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.617789] type=1400 audit(1221512670.352:9): avc:  denied  { write } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.641627] type=1400 audit(1221512670.376:10): avc:  denied  { add_name } for  pid=3230 comm="ntpd" name="ntpGXDttA" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500825] type=1400 audit(1221512731.235:16): avc:  denied  { search } for  pid=3724 comm="dhclient-script" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500865] type=1400 audit(1221512731.235:17): avc:  denied  { write } for  pid=3724 comm="dhclient-script" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500897] type=1400 audit(1221512731.235:18): avc:  denied  { add_name } for  pid=3724 comm="dhclient-script" name="dhclient-script.debug" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500953] type=1400 audit(1221512731.235:19): avc:  denied  { create } for  pid=3724 comm="dhclient-script" name="dhclient-script.debug" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:05:31 spartacus kernel: [  104.501021] type=1400 audit(1221512731.235:20): avc:  denied  { append } for  pid=3724 comm="dhclient-script" name="dhclient-script.debug" dev=tmpfs ino=12040 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:05:31 spartacus kernel: [  104.505653] type=1400 audit(1221512731.239:21): avc:  denied  { getattr } for  pid=3728 comm="env" path="/tmp/dhclient-script.debug" dev=tmpfs ino=12040 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527213] type=1400 audit(1221512736.259:22): avc:  denied  { read } for  pid=3772 comm="start-stop-daem" name="ntpd.pid" dev=hda3 ino=239075 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527300] type=1400 audit(1221512736.259:23): avc:  denied  { getattr } for  pid=3772 comm="start-stop-daem" path="/var/run/ntpd.pid" dev=hda3 ino=239075 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527402] type=1400 audit(1221512736.259:24): avc:  denied  { kill } for  pid=3772 comm="start-stop-daem" capability=5 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
Sep 15 22:05:36 spartacus kernel: [  109.527470] type=1400 audit(1221512736.259:25): avc:  denied  { signal } for  pid=3772 comm="start-stop-daem" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=process
Sep 15 22:05:36 spartacus kernel: [  109.531109] type=1400 audit(1221512736.263:26): avc:  denied  { unlink } for  pid=3773 comm="rm" name="ntpd.pid" dev=hda3 ino=239075 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:42 spartacus kernel: [  116.196909] type=1400 audit(1221512742.931:38): avc:  denied  { read write } for  pid=3969 comm="modprobe" path="socket:[10331]" dev=sockfs ino=10331 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=unix_stream_socket
Sep 15 22:05:58 spartacus kernel: [  127.229027] type=1400 audit(1221512758.469:41): avc:  denied  { read write } for  pid=4178 comm="modprobe" path="socket:[10331]" dev=sockfs ino=10331 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=unix_stream_socket
Sep 15 22:06:04 spartacus kernel: [  133.607089] type=1400 audit(1221512764.832:42): avc:  denied  { use } for  pid=4571 comm="hdparm" path="/dev/null" dev=tmpfs ino=636 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=fd
Sep 15 22:06:18 spartacus kernel: [  147.286548] type=1400 audit(1221512778.512:45): avc:  denied  { search } for  pid=4748 comm="dhclient-script" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:06:18 spartacus kernel: [  147.286602] type=1400 audit(1221512778.512:46): avc:  denied  { append } for  pid=4748 comm="dhclient-script" name="dhclient-script.debug" dev=tmpfs ino=12040 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:06:18 spartacus kernel: [  147.290715] type=1400 audit(1221512778.516:47): avc:  denied  { getattr } for  pid=4752 comm="env" path="/tmp/dhclient-script.debug" dev=tmpfs ino=12040 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:06:21 spartacus kernel: [  149.790564] type=1400 audit(1221512781.016:48): avc:  denied  { search } for  pid=4761 comm="dhclient-script" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:13:08 spartacus kernel: [  554.601443] type=1400 audit(1221513188.747:65): avc:  denied  { execstack } for  pid=4937 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Sep 15 22:13:08 spartacus kernel: [  554.601443] type=1400 audit(1221513188.747:66): avc:  denied  { execmem } for  pid=4937 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Sep 15 22:17:13 spartacus kernel: [  799.457889] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
Sep 16 07:41:53 spartacus kernel: [34679.717570] type=1400 audit(1221547313.862:67): avc:  denied  { search } for  pid=5910 comm="logrotate" name="root" dev=hda1 ino=944705 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Sep 16 09:10:28 spartacus kernel: [39994.409191] type=1400 audit(1221552628.554:68): avc:  denied  { execmem } for  pid=6121 comm="molecule" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Sep 16 21:08:56 spartacus kernel: [83102.182743] type=1400 audit(1221595736.326:69): avc:  denied  { execstack } for  pid=5207 comm="epiphany-browse" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Sep 16 21:08:56 spartacus kernel: [83102.182789] type=1400 audit(1221595736.326:70): avc:  denied  { execmem } for  pid=5207 comm="epiphany-browse" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

This is a sid install of the default policy in non-enforcing mode.  I
can't guarantee that every one of those complaints would have generated
errors that matter, but it doesn't look like we're tuned for a normal
install just yet.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
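As an added illustration (not part of Stephen's message, nor any Debian or SELinux tool): the denials above are much easier to reason about once they are grouped by source domain, target type and object class, which is roughly the first thing audit2allow does before emitting rules. The Python below was written for this page; it parses seven of the lines quoted above (copied verbatim, including one non-AVC line), merges them into candidate rule keys, sorts each key into a rough triage bucket and renders audit2allow-style lines for review. The function names and bucket labels are this example's own, not anything from the policy tooling.

```python
import re
from collections import defaultdict

# Sample input: seven lines copied verbatim from the post above (a Debian sid
# box, default policy, permissive mode). One non-AVC line is included on purpose.
SAMPLE_LOG = """\
Sep 15 22:04:17 spartacus kernel: [   17.148409] type=1400 audit(1221512644.263:3): avc:  denied  { execute_no_trans } for  pid=1497 comm="sh" path="/lib/alsa/modprobe-post-install" dev=hda1 ino=133937 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
Sep 15 22:04:30 spartacus kernel: [   43.593733] type=1400 audit(1221512670.315:8): avc:  denied  { search } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.617789] type=1400 audit(1221512670.352:9): avc:  denied  { write } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:42 spartacus kernel: [  116.196909] type=1400 audit(1221512742.931:38): avc:  denied  { read write } for  pid=3969 comm="modprobe" path="socket:[10331]" dev=sockfs ino=10331 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apmd_t:s0 tclass=unix_stream_socket
Sep 15 22:13:08 spartacus kernel: [  554.601443] type=1400 audit(1221513188.747:65): avc:  denied  { execstack } for  pid=4937 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Sep 15 22:13:08 spartacus kernel: [  554.601443] type=1400 audit(1221513188.747:66): avc:  denied  { execmem } for  pid=4937 comm="firefox-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
Sep 15 22:17:13 spartacus kernel: [  799.457889] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
"""

# Shape of a denial: 'avc:  denied  { perm perm } for  key=value key="quoted" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting parts of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type (index 2) is what policy rules name.
    return {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'target': fields.get('path') or fields.get('name') or '',
    }


def summarize(log_text):
    """Group denials by (source domain, target type, class), merging permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'comms': set(), 'targets': set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d['sdomain'], d['ttype'], d['tclass'])]
        g['perms'] |= d['perms']
        g['count'] += 1
        g['comms'].add(d['comm'])
        if d['target']:
            g['targets'].add(d['target'])
    return dict(groups)


def classify(key):
    """Rough triage bucket for a group key (bucket names are this example's own)."""
    sdomain, ttype, tclass = key
    if tclass == 'process' and sdomain == ttype:
        return 'self-process'       # execmem/execstack style checks on the domain itself
    if tclass in ('file', 'dir', 'lnk_file', 'sock_file', 'fifo_file'):
        return 'file-access'        # often a labelling question before it is a policy one
    return 'domain-interaction'     # sockets, fds, signals between two domains


def to_allow_rules(groups):
    """Render each group as an audit2allow-style line, for human review only."""
    return ['allow %s %s:%s { %s };' % (sd, tt, tc, ' '.join(sorted(g['perms'])))
            for (sd, tt, tc), g in sorted(groups.items())]


if __name__ == '__main__':
    groups = summarize(SAMPLE_LOG)
    for key, g in sorted(groups.items()):
        print('%-18s %3d  %s  comm=%s  targets=%s' % (
            classify(key), g['count'], key, ','.join(sorted(g['comms'])),
            ','.join(sorted(g['targets'])) or '-'))
    print()
    print('\n'.join(to_allow_rules(groups)))
```

The buckets are the point of the exercise: the firefox-bin execmem/execstack pair is a memory-protection check on the unconfined domain itself rather than a missing daemon rule, the ntpd and dhclient-script hits on a tmpfs_t directory named "/" look like /tmp being mounted without its usual label, and the insmod_t/apmd_t socket denial is a real inter-domain interaction that needs a policy decision. Feeding the generated allow lines straight into a module would paper over all three distinctions, which is why the output is meant to be read, not loaded.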
