Topic: SELinux, Problems with processes
Post #1
Posted on: December 19 2005, 19:57
Zero_effect
I installed Gentoo 2005 r1 following the standard handbook, but then decided to upgrade it to use SELinux. The problem is that SELinux produces an extremely large number of "errors" for various processes:

Code: 

audit(1135004958.304:3): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=hda3 ino=454925 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.308:4): avc:  denied  { read } for  pid=842 comm="hotplug" name="urandom" dev=hda3 ino=452482 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.308:5): avc:  denied  { write } for  pid=842 comm="hotplug" name="tty" dev=hda3 ino=453716 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.320:6): avc:  denied  { read } for  pid=844 comm="10-udev.hotplug" name="urandom" dev=hda3 ino=452482 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.560:7): avc:  denied  { read } for  pid=1 comm="init" name="utmp" dev=hda3 ino=827685 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
audit(1135004958.560:8): avc:  denied  { lock } for  pid=1 comm="init" name="utmp" dev=hda3 ino=827685 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=file
audit(1135004958.636:9): avc:  denied  { read write } for  pid=883 comm="rc" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.724:10): avc:  denied  { read write } for  pid=885 comm="consoletype" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.724:11): avc:  denied  { search } for  pid=885 comm="consoletype" name="dev" dev=hda3 ino=452481 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
audit(1135004958.724:12): avc:  denied  { getattr } for  pid=885 comm="consoletype" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.724:13): avc:  denied  { ioctl } for  pid=885 comm="consoletype" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.780:14): avc:  denied  { ioctl } for  pid=887 comm="stty" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.792:15): avc:  denied  { getattr } for  pid=883 comm="rc" name="null" dev=hda3 ino=452589 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004958.844:16): avc:  denied  { read write } for  pid=891 comm="mount" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=chr_file
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1135004959.088:17): avc:  denied  { read write } for  pid=923 comm="restorecon" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004959.240:18): avc:  denied  { write } for  pid=924 comm="udevstart" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004967.041:19): avc:  denied  { read write } for  pid=1862 comm="swapon" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
Adding 506036k swap on /dev/hda2.  Priority:-1 extents:1 across:506036k
audit(1135004967.109:20): avc:  denied  { read write } for  pid=1863 comm="dmesg" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004967.277:21): avc:  denied  { ioctl } for  pid=1873 comm="fsck.ext3" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
EXT3 FS on hda3, internal journal
audit(1135004967.497:22): avc:  denied  { read write } for  pid=1895 comm="hostname" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004967.613:23): avc:  denied  { read write } for  pid=1903 comm="modules-update" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004967.613:24): avc:  denied  { search } for  pid=1903 comm="modules-update" name="var" dev=hda3 ino=824161 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=dir
audit(1135004967.641:25): avc:  denied  { getattr } for  pid=1905 comm="consoletype" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004967.641:26): avc:  denied  { ioctl } for  pid=1905 comm="consoletype" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004976.837:27): avc:  denied  { read write } for  pid=4645 comm="depmod" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:depmod_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004977.161:28): avc:  denied  { read write } for  pid=4647 comm="modprobe" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1135004977.161:29): avc:  denied  { getattr } for  pid=4647 comm="modprobe" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file


***********************************



audit(1135004977.557:30): avc:  denied  { read write } for  pid=4674 comm="hwclock" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1134997778.758:31): avc:  denied  { search } for  pid=839 comm="udevd" name="1" dev=proc ino=65538 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
audit(1134997778.758:32): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=65550 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=file
audit(1134997778.758:33): avc:  denied  { search } for  pid=839 comm="udevd" name="4745" dev=proc ino=310968322 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=dir
audit(1134997778.758:34): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=310968334 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=file
audit(1134997778.758:35): avc:  denied  { search } for  pid=839 comm="udevd" name="4974" dev=proc ino=325976066 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1134997778.758:36): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=325976078 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=file
audit(1134997783.398:37): avc:  denied  { ioctl } for  pid=5381 comm="route" name="[10618]" dev=sockfs ino=10618 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=sock_file
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1134997788.770:38): avc:  denied  { ioctl } for  pid=6061 comm="route" name="[11846]" dev=sockfs ino=11846 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=sock_file
audit(1134997789.742:39): avc:  denied  { read } for  pid=5675 comm="syslog-ng" name="[11982]" dev=sockfs ino=11982 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=sock_file
audit(1134997790.162:40): avc:  denied  { read write } for  pid=6206 comm="udev" name="null" dev=hda3 ino=452589 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1134997790.426:41): avc:  denied  { search } for  pid=839 comm="udevd" name="1" dev=proc ino=65538 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=dir
audit(1134997790.430:42): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=65550 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=file
audit(1134997790.430:43): avc:  denied  { search } for  pid=839 comm="udevd" name="5675" dev=proc ino=371916802 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:syslogd_t tclass=dir
audit(1134997790.430:44): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=371916814 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:syslogd_t tclass=file
audit(1134997790.430:45): avc:  denied  { search } for  pid=839 comm="udevd" name="6151" dev=proc ino=403111938 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:sshd_t tclass=dir
audit(1134997790.430:46): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=403111950 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:sshd_t tclass=file
audit(1134997790.430:47): avc:  denied  { search } for  pid=839 comm="udevd" name="6190" dev=proc ino=405667842 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:crond_t tclass=dir
audit(1134997790.430:48): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=405667854 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:crond_t tclass=file
audit(1134997790.430:49): avc:  denied  { search } for  pid=839 comm="udevd" name="6207" dev=proc ino=406781954 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=dir
audit(1134997790.430:50): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=406781966 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:udev_t tclass=file
audit(1134997790.430:51): avc:  denied  { search } for  pid=839 comm="udevd" name="6213" dev=proc ino=407175170 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:getty_t tclass=dir
audit(1134997790.430:52): avc:  denied  { read } for  pid=839 comm="udevd" name="stat" dev=proc ino=407175182 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:getty_t tclass=file
audit(1135008621.671:53): avc:  denied  { write } for  pid=6151 comm="sshd" name="[13178]" dev=sockfs ino=13178 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file
audit(1135008621.679:54): avc:  denied  { read } for  pid=6520 comm="sshd" name="[13179]" dev=sockfs ino=13179 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=sock_file
audit(1135013649.490:55): avc:  denied  { getattr } for  pid=6528 comm="bash" name="su" dev=hda3 ino=412756 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1135013649.490:56): avc:  denied  { execute } for  pid=6631 comm="bash" name="su" dev=hda3 ino=412756 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1135013649.490:57): avc:  denied  { execute_no_trans } for  pid=6631 comm="bash" name="su" dev=hda3 ino=412756 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1135013649.490:58): avc:  denied  { read } for  pid=6631 comm="bash" name="su" dev=hda3 ino=412756 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1135013649.554:59): avc:  denied  { read } for  pid=6631 comm="su" name="shadow" dev=hda3 ino=468845 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1135013649.554:60): avc:  denied  { getattr } for  pid=6631 comm="su" name="shadow" dev=hda3 ino=468845 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1135013652.182:61): avc:  denied  { setuid } for  pid=6631 comm="su" capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1135013660.062:62): avc:  denied  { execute } for  pid=6634 comm="bash" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013660.062:63): avc:  denied  { execute_no_trans } for  pid=6634 comm="bash" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013660.062:64): avc:  denied  { read } for  pid=6634 comm="bash" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013660.526:65): avc:  denied  { ioctl } for  pid=6634 comm="emerge" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013661.778:66): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="portage" dev=hda6 ino=3695561 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_lib_t tclass=dir
audit(1135013661.806:67): avc:  denied  { search } for  pid=6634 comm="emerge" name="portage" dev=hda3 ino=358933 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
audit(1135013661.910:68): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="x86" dev=hda3 ino=662884 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
audit(1135013661.938:69): avc:  denied  { search } for  pid=6634 comm="emerge" name="portage" dev=hda3 ino=468836 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_conf_t tclass=dir
audit(1135013661.942:70): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="parent" dev=hda3 ino=662890 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
audit(1135013661.942:71): avc:  denied  { read } for  pid=6634 comm="emerge" name="parent" dev=hda3 ino=662890 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
audit(1135013662.082:72): avc:  denied  { read } for  pid=6634 comm="emerge" name="make.globals" dev=hda3 ino=468850 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_conf_t tclass=file
audit(1135013662.086:73): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="make.globals" dev=hda3 ino=468850 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_conf_t tclass=file
audit(1135013662.306:74): avc:  denied  { search } for  pid=6634 comm="emerge" name="pkg" dev=hda6 ino=719490 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=dir
audit(1135013662.318:75): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="app-admin" dev=hda6 ino=720110 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=dir
audit(1135013662.318:76): avc:  denied  { read } for  pid=6634 comm="emerge" name="app-admin" dev=hda6 ino=720110 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=dir
audit(1135013662.878:77): avc:  denied  { read } for  pid=6634 comm="emerge" name="PROVIDE" dev=hda6 ino=720120 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=file
audit(1135013662.878:78): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="PROVIDE" dev=hda6 ino=720120 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=file
audit(1135013664.871:79): avc:  denied  { read } for  pid=6634 comm="emerge" name="eclass" dev=hda3 ino=537949 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
audit(1135013665.039:80): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="edb" dev=hda6 ino=3123270 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=dir
audit(1135013665.039:81): avc:  denied  { search } for  pid=6634 comm="emerge" name="edb" dev=hda6 ino=3123270 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=dir
audit(1135013665.051:82): avc:  denied  { setattr } for  pid=6634 comm="emerge" name="edb" dev=hda6 ino=3123270 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=dir
audit(1135013665.075:83): avc:  denied  { read } for  pid=6634 comm="emerge" name="mtimedb" dev=hda6 ino=3127547 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013665.079:84): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="mtimedb" dev=hda6 ino=3127547 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013665.271:85): avc:  denied  { append } for  pid=6634 comm="emerge" name="emerge.log" dev=hda6 ino=2976072 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_log_t tclass=file
audit(1135013665.271:86): avc:  denied  { lock } for  pid=6634 comm="emerge" name="emerge.log" dev=hda6 ino=2976072 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_log_t tclass=file
audit(1135013665.375:87): avc:  denied  { search } for  pid=6634 comm="emerge" name="pkg" dev=hda6 ino=719490 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=dir
audit(1135013665.379:88): avc:  denied  { getattr } for  pid=6634 comm="emerge" name="app-admin" dev=hda6 ino=720110 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=dir
audit(1135013665.379:89): avc:  denied  { read } for  pid=6634 comm="emerge" name="app-admin" dev=hda6 ino=720110 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_db_t tclass=dir
audit(1135013669.539:90): avc:  denied  { write } for  pid=6634 comm="emerge" name="mtimedb" dev=hda6 ino=3127547 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013669.575:91): avc:  denied  { setattr } for  pid=6634 comm="emerge" name="mtimedb" dev=hda6 ino=3127547 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013679.708:92): avc:  denied  { execute } for  pid=6635 comm="bash" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013679.708:93): avc:  denied  { execute_no_trans } for  pid=6635 comm="bash" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013679.708:94): avc:  denied  { read } for  pid=6635 comm="bash" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013679.760:95): avc:  denied  { ioctl } for  pid=6635 comm="emerge" name="emerge" dev=hda3 ino=341590 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_exec_t tclass=file
audit(1135013680.372:96): avc:  denied  { search } for  pid=6635 comm="emerge" name="portage" dev=hda3 ino=468836 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_conf_t tclass=dir
audit(1135013693.888:97): avc:  denied  { write } for  pid=6635 comm="emerge" name="dep" dev=hda6 ino=3123272 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=dir
audit(1135013693.888:98): avc:  denied  { add_name } for  pid=6635 comm="emerge" name="aux_db_key_temp.portage_lockfile" scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=dir
audit(1135013693.888:99): avc:  denied  { create } for  pid=6635 comm="emerge" name="aux_db_key_temp.portage_lockfile" scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013693.900:100): avc:  denied  { getattr } for  pid=6635 comm="emerge" name="aux_db_key_temp.portage_lockfile" dev=hda6 ino=3125133 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013693.900:101): avc:  denied  { lock } for  pid=6635 comm="emerge" name="aux_db_key_temp.portage_lockfile" dev=hda6 ino=3125133 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.336:102): avc:  denied  { search } for  pid=6637 comm="bash" name="portage" dev=hda6 ino=310691 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
audit(1135013694.336:103): avc:  denied  { dac_override } for  pid=6637 comm="bash" capability=1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1135013694.636:104): avc:  denied  { write } for  pid=6637 comm="ebuild.sh" name="aux_db_key_temp" dev=hda6 ino=3127551 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.640:105): avc:  denied  { append } for  pid=6637 comm="ebuild.sh" name="aux_db_key_temp" dev=hda6 ino=3127551 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.768:106): avc:  denied  { read } for  pid=6635 comm="emerge" name="aux_db_key_temp" dev=hda6 ino=3127551 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.768:107): avc:  denied  { remove_name } for  pid=6635 comm="emerge" name="aux_db_key_temp" dev=hda6 ino=3127551 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=dir
audit(1135013694.768:108): avc:  denied  { unlink } for  pid=6635 comm="emerge" name="aux_db_key_temp" dev=hda6 ino=3127551 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.804:109): avc:  denied  { setattr } for  pid=6635 comm="emerge" name=".update.6635.uudeview-0.5.20" dev=hda6 ino=3139594 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.804:110): avc:  denied  { rename } for  pid=6635 comm="emerge" name=".update.6635.uudeview-0.5.20" dev=hda6 ino=3139594 scontext=user_u:user_r:user_t tcontext=user_u:object_r:portage_cache_t tclass=file
audit(1135013694.804:111): avc:  denied  { unlink } for  pid=6635 comm="emerge" name="uudeview-0.5.20" dev=hda6 ino=3143639 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013694.812:112): avc:  denied  { read } for  pid=6635 comm="emerge" name="app-text-eclass.cpickle" dev=hda6 ino=3127436 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013694.812:113): avc:  denied  { getattr } for  pid=6635 comm="emerge" name="app-text-eclass.cpickle" dev=hda6 ino=3127436 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013697.133:114): avc:  denied  { write } for  pid=6635 comm="emerge" name="mtimedb" dev=hda6 ino=3127547 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file
audit(1135013697.137:115): avc:  denied  { setattr } for  pid=6635 comm="emerge" name="mtimedb" dev=hda6 ino=3127547 scontext=user_u:user_r:user_t tcontext=system_u:object_r:portage_cache_t tclass=file



All of this is taken from dmesg.

Is there some general solution to these problems?

Here is the output of the SELinux status (sestatus):

Code: 

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Policy version:         20

Policy booleans:
secure_mode             inactive
ssh_sysadm_login        inactive
user_ping               inactive

Process contexts:
Current context:        user_u:user_r:user_t
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:sshd_t

File contexts:
Controlling term:       user_u:object_r:user_devpts_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/agetty            system_u:object_r:getty_exec_t
/bin/login              system_u:object_r:login_exec_t
/sbin/rc                system_u:object_r:initrc_exec_t
/sbin/runscript.sh      system_u:object_r:initrc_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash               system_u:object_r:shell_exec_t
/usr/bin/newrole        system_u:object_r:newrole_exec_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t



Edited by Zero_effect on December 19 2005, 20:03
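Most of the denials above carry tcontext=system_u:object_r:file_t, the type an object gets when it has no SELinux label at all; that points to a filesystem that was never relabeled after the policy was installed rather than to gaps in the policy. As an added example (not code from the thread), this Python script parses lines in the AVC format shown, counts denials per source type, target type and object class, and flags the unlabeled targets separately; the sample lines are copied from the dmesg output above.

```python
import re
from collections import Counter, defaultdict

# Line format of the kernel-2.6-era AVC messages quoted in this thread, e.g.
# audit(1135004958.304:3): avc:  denied  { ioctl } for  pid=1 comm="init" ...
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values are either quoted ("init") or bare (hda3)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: five denial lines copied from the dmesg output quoted above,
# plus one line of ordinary kernel noise that a triage script must skip.
SAMPLE = [
    'audit(1135004958.304:3): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=hda3 ino=454925 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file',
    'audit(1135004958.308:4): avc:  denied  { read } for  pid=842 comm="hotplug" name="urandom" dev=hda3 ino=452482 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file',
    'SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs',
    'audit(1135004958.636:9): avc:  denied  { read write } for  pid=883 comm="rc" name="console" dev=hda3 ino=453816 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file',
    'audit(1135013649.554:59): avc:  denied  { read } for  pid=6631 comm="su" name="shadow" dev=hda3 ino=468845 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file',
    'audit(1135013652.182:61): avc:  denied  { setuid } for  pid=6631 comm="su" capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability',
]


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Third field of a user:role:type security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(lines):
    """Aggregate denials by (source type, target type, class).

    Returns (counts, perms, unlabeled): denials per key, the union of denied
    permissions per key, and the records whose target type is file_t.  file_t
    is what a file carries when it has no label at all, so those denials are
    fixed by relabeling the filesystem, not by writing allow rules.
    """
    counts = Counter()
    perms = defaultdict(set)
    unlabeled = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # "EXT3 FS on hda3 ...", "eth0: link up ..." and the like
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        counts[key] += 1
        perms[key].update(rec["perms"])
        if key[1] == "file_t":
            unlabeled.append(rec)
    return counts, perms, unlabeled


def report(lines):
    """Human-readable summary, most frequent (source, target, class) first."""
    counts, perms, unlabeled = triage(lines)
    out = []
    for key, n in counts.most_common():
        src, tgt, cls = key
        flag = "  <-- unlabeled target, relabel" if tgt == "file_t" else ""
        out.append(f"{n:4d}  {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms[key]))} }}{flag}")
    out.append(f"{len(unlabeled)} of {sum(counts.values())} denials hit unlabeled (file_t) objects")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the whole dmesg capture (one line per entry) to see which domains are only tripping over unlabeled files and which, like user_t reading shadow_t, are genuine policy decisions.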
Post #2
Posted on: December 19 2005, 21:01
quintessence
I'm not familiar with the distribution in question, but I had a look around the net .. you have denials, going by the log (however accurate it is) - how are you doing with the permissions, the policy after the upgrade..? Since I see you are in permissive mode, you could try the following command:
Code: 
watch audit2allow -d
I'm really just shooting in the dark.
Post #3
Posted on: December 19 2005, 21:16
Zero_effect
Here are the results:

Code: 
allow sshd_t self:sock_file { read write };
allow syslogd_t self:sock_file read;
allow user_t etc_runtime_t:file write;
allow user_t etc_t:dir { add_name remove_name write };
allow user_t etc_t:file { create rename setattr write };
allow user_t initrc_exec_t:file { execute execute_no_trans ioctl read };
allow user_t initrc_state_t:dir { add_name create getattr read remove_name rmdir search write };
allow user_t initrc_state_t:file { getattr read };
allow user_t initrc_state_t:lnk_file { create getattr read setattr unlink };
allow user_t insmod_exec_t:file { execute execute_no_trans read };
allow user_t ld_so_cache_t:file unlink;
allow user_t ldconfig_exec_t:file { execute execute_no_trans read };
allow user_t lib_t:dir { add_name relabelto remove_name rmdir write };
allow user_t lib_t:file { create relabelto setattr unlink write };
allow user_t man_t:dir { add_name relabelto remove_name rmdir write };
allow user_t man_t:file { create relabelto setattr unlink write };
allow user_t modules_dep_t:file { getattr read };
allow user_t modules_object_t:dir search;
allow user_t policy_config_t:dir { getattr read search };
allow user_t policy_src_t:dir { getattr read search };
allow user_t policy_src_t:file { getattr read };
allow user_t portage_conf_t:dir { getattr read };
allow user_t portage_db_t:dir { add_name create getattr remove_name rename search setattr write };
allow user_t portage_db_t:file { create getattr lock read setattr unlink write };
allow user_t portage_ebuild_t:dir remove_name;
allow user_t portage_ebuild_t:file { ioctl read unlink };
allow user_t portage_lib_t:file lock;
allow user_t portage_tmp_t:dir { read relabelfrom };
allow user_t portage_tmp_t:file { execute execute_no_trans ioctl read relabelfrom rename write };
allow user_t root_t:dir { relabelto remove_name rmdir write };
allow user_t sbin_t:dir { add_name relabelto remove_name rmdir write };
allow user_t sbin_t:file { create relabelto setattr unlink write };
allow user_t security_t:file { getattr write };
allow user_t security_t:security check_context;
allow user_t setfiles_exec_t:file { execute execute_no_trans read };
allow user_t shlib_t:file { create relabelto setattr unlink write };
allow user_t src_t:dir { add_name remove_name write };
allow user_t src_t:file { create execute execute_no_trans setattr unlink write };
allow user_t system_cron_spool_t:dir { getattr read search };
allow user_t system_cron_spool_t:file getattr;
allow user_t self:capability net_admin;
allow user_t usr_t:dir { add_name create relabelto remove_name rmdir setattr write };
allow user_t usr_t:file { create relabelto unlink write };
allow user_t var_log_t:dir read;
allow user_t var_log_t:file read;


Edited by Zero_effect on December 19 2005, 21:27
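The rules above are what audit2allow produces when administrative work (emerge, depmod, ldconfig) is done from a user_u:user_r:user_t shell in permissive mode; loading them as they are would let the unprivileged user domain rewrite /etc, /lib and /sbin and take capabilities, which is the opposite of what the policy is for. As an added example, not the poster's code, this Python script parses such output and separates rules that should never be loaded from those that merely need a look; the type and permission lists are assumptions for the example, drawn from the targets in the thread.

```python
import re

# Shape of the audit2allow output above:
#   allow SRC TGT:CLASS { p1 p2 };   or   allow SRC TGT:CLASS perm;
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<multi>[^}]*?)\s*\}|(?P<single>\w+))\s*;\s*$'
)

# Types the policy exists to keep read-only for ordinary users (assumed list).
SYSTEM_TYPES = {
    "etc_t", "etc_runtime_t", "shadow_t", "lib_t", "shlib_t", "sbin_t", "bin_t",
    "usr_t", "root_t", "src_t", "man_t", "ld_so_cache_t", "security_t",
    "policy_config_t", "policy_src_t", "modules_object_t", "modules_dep_t",
}
# Permissions that change an object or its label.
MUTATING = {
    "write", "append", "create", "unlink", "rename", "setattr", "relabelto",
    "relabelfrom", "add_name", "remove_name", "rmdir",
}
USER_DOMAINS = {"user_t"}  # unprivileged login domains

# Sample input: rules copied from the audit2allow output quoted above.
SAMPLE_RULES = [
    "allow sshd_t self:sock_file { read write };",
    "allow user_t etc_t:file { create rename setattr write };",
    "allow user_t initrc_exec_t:file { execute execute_no_trans ioctl read };",
    "allow user_t policy_src_t:file { getattr read };",
    "allow user_t self:capability net_admin;",
    "allow user_t var_log_t:file read;",
]


def parse_rule(line):
    """Parse one allow rule; return None for anything else."""
    m = RULE_RE.match(line)
    if not m:
        return None
    perms = m.group("multi") if m.group("multi") is not None else m.group("single")
    return {"src": m.group("src"), "tgt": m.group("tgt"),
            "cls": m.group("cls"), "perms": set(perms.split())}


def classify(rule):
    """Return ("reject" | "review", reason) for one generated rule."""
    src, tgt, cls, perms = rule["src"], rule["tgt"], rule["cls"], rule["perms"]
    if src in USER_DOMAINS:
        if cls == "capability":
            return "reject", f"grants {src} the {' '.join(sorted(perms))} capability"
        if tgt in SYSTEM_TYPES and perms & MUTATING:
            return "reject", f"lets {src} modify or relabel {tgt}"
        if "execute_no_trans" in perms and tgt.endswith("_exec_t"):
            return "reject", f"runs {tgt} inside {src} instead of transitioning domains"
        if tgt in SYSTEM_TYPES:
            return "review", f"{src} reads {tgt}"
    return "review", "not a known-bad pattern; check against the intended policy"


def review_rules(lines):
    """Bucket rules into 'reject' and 'review' lists of (rule text, reason)."""
    buckets = {"reject": [], "review": []}
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        verdict, reason = classify(rule)
        buckets[verdict].append((line.strip(), reason))
    return buckets


if __name__ == "__main__":
    for verdict, items in review_rules(SAMPLE_RULES).items():
        for text, reason in items:
            print(f"{verdict:6s} {text}  # {reason}")
```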
Post #4
Posted on: December 20 2005, 00:41
quintessence
Besides, after the result - load/reload the policy (reload, more likely):
"make load", "make reload" so that the changes made to the system take effect.
btw, earlier I was looking at some little tool - seaudit ..
© 2014 Linux Index Project