selinux January 2010 archive

RE: Bootup problem with refpolicy-2.20091117 - rules found but still can't login

From: TaurusHarry <harrytaurus2002_at_nospam>
Date: Thu Jan 21 2010 - 09:36:40 GMT
To: <justinmattock@gmail.com>

Hi Justin,

Sorry I respond late; thanks a lot for reminding me to first boot SELinux into Permissive mode, then analyze the AVC denied messages and try to supplement the necessary rules. I think it is indeed the once-and-for-all solution to any problem of missing SELinux rules.

It took me two days to come up with the following rules that may be desirable for refpolicy-2.20091117 (or to use dontaudit if they are expected redundant behaviors):

+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };

+corecmd_bin_domtrans(crond_t)
+hostname_domtrans(crond_t)
+corecmd_getattr_bin_files(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_manage_bin_files(crond_t)
+fs_search_tmpfs(crond_t)
+fs_manage_tmpfs_sockets(crond_t)

+dontaudit quota_t self:memprotect { mmap_zero };

+fs_search_tmpfs(getty_t)

+term_use_console(insmod_t)

+fs_search_tmpfs(iscsid_t)
+fs_manage_tmpfs_sockets(iscsid_t)

+files_rw_lock_dirs(mount_t)
+files_manage_generic_locks(mount_t)

+fs_search_tmpfs(pam_console_t)
+fs_getattr_tmpfs_dirs(pam_console_t)
+fs_manage_tmpfs_dirs(pam_console_t)

+fs_search_tmpfs(portmap_t)

+/root -d gen_context(system_u:object_r:user_home_dir_t,s0)
+/root/.+ gen_context(system_u:object_r:user_home_t,s0)

+fs_search_tmpfs(sendmail_t)
+fs_manage_tmpfs_sockets(sendmail_t)

+term_read_console(setfiles_t)

+fs_search_tmpfs(syslogd_t)
+fs_manage_tmpfs_dirs(syslogd_t)
+fs_manage_tmpfs_sockets(syslogd_t)

+fs_search_tmpfs(sysstat_t)

(BTW, why are there so many types that are missing the "search" privilege against tmpfs_t? Is there any more convenient way to solve this problem than invoking fs_search_tmpfs() against each type individually?)

I've tried my best to translate as many AVC denied messages to SELinux rules as possible; however, even with all the above additional rules applied, I still can't log in to SELinux in Enforcing mode (the console is stuck with "INIT: Id "0" respawning too fast: disabled for 5 minutes"), and there is NOT a single AVC denied message I can find any more with dmesg after logging in with enforcing=0! I really don't get it :-(

What could I have missed? So far all I know is that neither the kernel nor the SELinux tools I used are the latest: my kernel is 2.6.27 and the SELinux tools are of "Release 2009-04-03". Do I need to update the kernel and SELinux tools in order to use refpolicy-2.20091117? What can I do now to solve this problem?

BTW, I've compiled refpolicy-2.20091117 with "TYPE = standard", while I originally wanted to try out the MLS type. I guess I have to overcome the standard type problem before moving on to the MLS type.

Any comment is greatly appreciated!

Thanks a lot!
Harry

> Date: Mon, 18 Jan 2010 17:45:29 -0800
> From: justinmattock@gmail.com
> To: harrytaurus2002@hotmail.com
> CC: selinux@tycho.nsa.gov
> Subject: Re: Bootup problem with refpolicy-2.20091117
>
> then that could be what you're hitting.
> (noticed this a while back over here for some reason or another);
>
> try booting with both: (boot param)enforcing=0
> and (/etc/selinux/config)SELINUX=permissive
>
> and see if you boot up.. then define the rules.
>
> Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
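The "translate AVC denials into rules" step discussed in this thread, as an added example that is not part of the original post or of refpolicy: a small audit2allow-style script that parses AVC denial lines from dmesg, merges the denied permissions per (source type, target type, class), and prints either a refpolicy interface call (such as the fs_search_tmpfs() calls above) or a raw allow rule. The sample dmesg lines and the permission sets attributed to each interface are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output (not from the original post); the field
# layout follows the kernel's AVC denial format.
SAMPLE_DMESG = """\
type=1400 audit(1263978000.123:45): avc:  denied  { search } for  pid=812 comm="crond" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=1400 audit(1263978000.124:46): avc:  denied  { write } for  pid=812 comm="crond" name="log" dev=tmpfs ino=23 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=1400 audit(1263978000.125:47): avc:  denied  { setuid setgid } for  pid=812 comm="crond" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=capability
type=1400 audit(1263978000.130:48): avc:  denied  { search } for  pid=900 comm="syslogd" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)"
)
# Refpolicy interfaces wrapping common tmpfs_t accesses: names as used in the
# post; the permission sets are an assumption of this example, not refpolicy's.
INTERFACES = [
    ("tmpfs_t", "dir", {"getattr", "search", "open"}, "fs_search_tmpfs"),
    ("tmpfs_t", "sock_file", {"create", "getattr", "setattr", "read", "write", "rename", "link", "unlink"}, "fs_manage_tmpfs_sockets"),
]

def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def suggest_rules(denials):
    """One line per key: an interface call if it covers every denied permission, else a raw allow rule."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        for itype, iclass, iperms, iface in INTERFACES:
            if ttype == itype and tclass == iclass and perms <= iperms:
                rules.append(f"{iface}({stype})")
                break
        else:
            target = "self" if stype == ttype else ttype
            rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Denials that match a dontaudit rule are not logged even in permissive mode, so an empty dmesg does not prove that nothing was refused. Refpolicy's dontaudit rules can be switched off while debugging (semodule -DB for a modular policy, make enableaudit for a monolithic build) and switched back on afterwards.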