* AVC errors generated when CLI commands executed
From: Kim Lawson-Jenkins @ 2014-05-27 12:21 UTC (permalink / raw)
  To: selinux

Hi,

We're running SELinux on an embedded system using a reference policy from
the Yocto project. RAM, which is used instead of flash, is mounted after
SELinux relabeling completes and the files have default labels after a
reboot. I've added restorecon -R /dev to an rc.init to set the contexts
correctly but the files on RAM still have the default label. After logging
in, I'm able to execute SELinux commands to modify the policy and fix the
labels, but AVCs are generated for every command. Here are some examples -

May 20 20:04:16 guard kernel: type=1400 audit(1400616256.808:53): avc:
denied  { relabelto } for  pid=1536 comm="restorecon" name="sipc_mq1 "
dev="ram1" ino=14341 scontext=root:sysadm_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:ioi_orch_cq_t:s0 tclass=file

May 20 20:04:16 guard kernel: type=1400 audit(1400616256.839:54): avc:
denied  { associate } for  pid=1536 comm="restorecon" name="sipc_mq2 "
dev="ram1" ino=14341 scontext=system_u:object_r:ioi_orch_cq_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

May 20 20:04:16 guard kernel: type=1400 audit(1400616256.864:55): avc:
denied  { relabelto } for  pid=1536 comm="restorecon" name="sipc_mq3 "
dev="ram1" ino=14342 scontext=root:sysadm_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:orch_ioi_cq_t:s0 tclass=file

May 20 20:04:16 guard kernel: type=1400 audit(1400616256.888:56): avc:
denied  { associate } for  pid=1536 comm="restorecon" name="sipc_mq4"
dev="ram1" ino=14342 scontext=system_u:object_r:orch_ioi_cq_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

May 20 20:04:16 guard kernel: type=1400 audit(1400616256.907:57): avc:
denied  { relabelto } for  pid=1536 comm="restorecon" name="sipc_mq5"
dev="ram1" ino=14343 scontext=root:sysadm_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:ioi_orch_dq_t:s0 tclass=file

I don't understand why restorecon does not apply the correct labels when
the init script is executed but it does when I execute the command as admin.
Also, I don't know why the AVC errors are generated when I execute the
commands as admin. Any feedback would be greatly appreciated.

Kim

* Re: AVC errors generated when CLI commands executed
From: Christopher J. PeBenito @ 2014-05-27 13:45 UTC (permalink / raw)
  To: kim.lawson-jenkins, selinux

On 05/27/2014 08:21 AM, Kim Lawson-Jenkins wrote:
> Hi,
> 
> We’re running SELinux on an embedded system using a reference policy from the Yocto project. RAM, which is used instead of flash, is mounted after SELinux relabeling completes and the files have default labels after a reboot. I’ve added restorecon -R /dev to an rc.init to set the contexts correctly but the files on RAM still have the default label. After logging in, I’m able to execute SELinux commands to modify the policy and fix the labels, but AVCs are generated for every command. Here are some examples –
> 
> May 20 20:04:16 guard kernel: type=1400 audit(1400616256.808:53): avc:  denied  { relabelto } for  pid=1536 comm="restorecon" name="sipc_mq1 " dev="ram1" ino=14341 scontext=root:sysadm_r:setfiles_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ioi_orch_cq_t:s0 tclass=file
> 
> May 20 20:04:16 guard kernel: type=1400 audit(1400616256.839:54): avc:  denied  { associate } for  pid=1536 comm="restorecon" name="sipc_mq2 " dev="ram1" ino=14341 scontext=system_u:object_r:ioi_orch_cq_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> May 20 20:04:16 guard kernel: type=1400 audit(1400616256.864:55): avc:  denied  { relabelto } for  pid=1536 comm="restorecon" name="sipc_mq3 " dev="ram1" ino=14342 scontext=root:sysadm_r:setfiles_t:s0-s15:c0.c1023 tcontext=system_u:object_r:orch_ioi_cq_t:s0 tclass=file
> 
> May 20 20:04:16 guard kernel: type=1400 audit(1400616256.888:56): avc:  denied  { associate } for  pid=1536 comm="restorecon" name="sipc_mq4" dev="ram1" ino=14342 scontext=system_u:object_r:orch_ioi_cq_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> May 20 20:04:16 guard kernel: type=1400 audit(1400616256.907:57): avc:  denied  { relabelto } for  pid=1536 comm="restorecon" name="sipc_mq5" dev="ram1" ino=14343 scontext=root:sysadm_r:setfiles_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ioi_orch_dq_t:s0 tclass=file
> 
> I don’t understand why restorecon does not apply the correct labels when the init script is executed but it does when I execute the command as admin. Also, I don’t know why the AVC errors are generated when I execute the commands as admin. Any feedback would be greatly appreciated.

It doesn't look like the ioi_orch_dq_t is marked as a files_type().  Because of the filesystem associate denial, it doesn't seem like it should work in any case.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
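
As an added illustration (not from this thread, the Yocto layer or the Tresys policy): a minimal reference-policy module that declares the three custom types with files_type(), the piece Chris points at. In refpolicy, files_type() adds the type to the file_type attribute, which is what setfiles_t's files_relabel_all_files() grants relabelto on, and it calls fs_associate(), which grants the fs_t:filesystem associate permission missing in the second and fourth denials. The module name, the /dev/sipc_mq* paths and the file_contexts mapping are assumptions; the thread only shows the file names and the type names.

```selinux
# --- ioi_orch.te (assumed module name) ---
policy_module(ioi_orch, 1.0)

########################################
#
# Declarations
#

# Each files_type() call does two things relevant to the AVCs above:
#   typeattribute <type> file_type;   -> setfiles_t may relabelto it
#   fs_associate(<type>)              -> allow <type> fs_t:filesystem associate;
# Without it, restorecon is denied relabelto on the file and the new
# label is denied associate on the ram1 filesystem (fs_t).
type ioi_orch_cq_t;
files_type(ioi_orch_cq_t)

type orch_ioi_cq_t;
files_type(orch_ioi_cq_t)

type ioi_orch_dq_t;
files_type(ioi_orch_dq_t)

# --- ioi_orch.fc (assumed paths: the thread only shows the file names) ---
# The mapping of queue names to types below is a constructed example.
/dev/sipc_mq[12]	--	gen_context(system_u:object_r:ioi_orch_cq_t,s0)
/dev/sipc_mq[34]	--	gen_context(system_u:object_r:orch_ioi_cq_t,s0)
/dev/sipc_mq5		--	gen_context(system_u:object_r:ioi_orch_dq_t,s0)
```

After the module is built and loaded, `seinfo -afile_type -x` should list all three types; if one is missing, that type still lacks files_type() and the same relabelto/associate pair will be denied for it.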
