opensuse 11.2 and selinux

I’ve been trying to get SELinux working in OpenSUSE 11.2. So far I can get to runlevel 3 with enforcing=0. Before I start tinkering with audit2allow, I thought I should get some advice.

The 11.2 repository gives me these policy rpms:

http://download.opensuse.org/repositories/openSUSE:/11.2/standard/noarch

http://download.opensuse.org/repositories/openSUSE:/11.2/standard/src/se

But that version of policy has some issues in OpenSUSE:

  1. failure to allow the graphical desktop to load (even with enforcing=0). The following message appears in the console during boot:

** (gdm:1073): WARNING **: Couldn't connect to system bus: A SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") startproc: exit status of parent of /usr/sbin/gdm: 1

Since enforcing is off, I’m surprised to see a message like that. SELinux shouldn’t be preventing anything, so I don’t see how modifying policy will solve that. Ideas?

  2. Attempting to boot to runlevel 5 with kernel parms “security=selinux selinux=1 enforcing=0”, I’m dropped off in runlevel 3 instead. I’m getting a couple of pages of AVC errors after boot (see below).

I’ve tried several other versions of the policy without luck:

  • the version included in Fedora 12 (refpolicy-2.2009117)
  • the latest release from Tresys
  • the latest from the repository at Tresys

They all give basically the same problems. Any advice would be appreciated.

Thanks,
Alan

Following are the AVC messages I’ve been getting:

type=DAEMON_START msg=audit(1265904613.457:3152): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2337 subj=system_u:system_r:sysadm_t res=success

type=AVC msg=audit(1265904613.473:202): avc: denied { write } for pid=2342 comm="auditctl" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file

type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process

type=AVC msg=audit(1265904613.690:204): avc: denied { execmem } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process

type=AVC msg=audit(1265904614.260:205): avc: denied { read write } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

type=AVC msg=audit(1265904614.260:206): avc: denied { open } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

type=AVC msg=audit(1265904614.261:207): avc: denied { ioctl } for pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

type=AVC msg=audit(1265904615.964:208): avc: denied { read } for pid=287 comm="stapio" path="/sys/kernel/debug/systemtap/preloadtrace/trace0" dev=debugfs ino=4136 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file

type=AVC msg=audit(1265904615.964:209): avc: denied { read } for pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket

type=AVC msg=audit(1265904616.052:210): avc: denied { read } for pid=2728 comm="modprobe" path="/dev/console" dev=tmpfs ino=3969 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:console_device_t tclass=chr_file

type=AVC msg=audit(1265904616.053:211): avc: denied { write } for pid=2728 comm="modprobe" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file

type=AVC msg=audit(1265904616.063:212): avc: denied { read } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket

type=AVC msg=audit(1265904616.063:213): avc: denied { write } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket

type=AVC msg=audit(1265904616.069:214): avc: denied { write } for pid=2729 comm="mount" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file

type=AVC msg=audit(1265904617.858:215): avc: denied { write } for pid=2779 comm="ip6tables" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file

type=AVC msg=audit(1265904617.859:216): avc: denied { write } for pid=2779 comm="ip6tables" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file

type=AVC msg=audit(1265904617.889:217): avc: denied { write } for pid=2785 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:user_tmp_t tclass=file

type=AVC msg=audit(1265904618.183:218): avc: denied { read } for pid=2831 comm="iptables-batch" name="SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file

type=AVC msg=audit(1265904618.183:219): avc: denied { open } for pid=2831 comm="iptables-batch" name="SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file

type=AVC msg=audit(1265904618.183:220): avc: denied { getattr } for pid=2831 comm="iptables-batch" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file

type=AVC msg=audit(1265904618.473:221): avc: denied { setattr } for pid=2853 comm="mingetty" name="tty1" dev=tmpfs ino=3984 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file

type=AVC msg=audit(1265904618.480:222): avc: denied { getattr } for pid=2853 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file

type=AVC msg=audit(1265904621.738:223): avc: denied { write } for pid=286 comm="stapio" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file

type=AVC msg=audit(1265904621.783:224): avc: denied { search } for pid=2868 comm="staprun" name="/" dev=debugfs ino=1 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir

type=AVC msg=audit(1265904621.783:225): avc: denied { open } for pid=2868 comm="staprun" name=".cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file

type=AVC msg=audit(1265904621.784:226): avc: denied { sys_module } for pid=2868 comm="staprun" capability=16 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability

type=AVC msg=audit(1265904628.319:227): avc: denied { create } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket

type=AVC msg=audit(1265904628.320:228): avc: denied { write } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket

type=AVC msg=audit(1265904628.320:229): avc: denied { nlmsg_relay } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket

type=AVC msg=audit(1265904628.321:230): avc: denied { audit_write } for pid=2853 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability

type=AVC msg=audit(1265904628.370:231): avc: denied { audit_control } for pid=2853 comm="login" capability=30 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
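Before feeding a log like the one above to audit2allow, it is worth sorting the denials by what they indicate. Two patterns stand out in the quoted messages: daemons such as cupsd, smartd, udevd and login are running in sysadm_t rather than in their own domains (so the problem is a missing domain transition or a mislabeled executable, and an allow rule for sysadm_t would only widen that domain), and several targets carry generic types such as tmpfs_t or user_tmp_t (so the problem is the label on the object, not a missing permission). The script below is an added example, not code from the thread or from any openSUSE or refpolicy tool; it parses a constructed subset of the quoted AVC records and puts each denial into one of those buckets. The lists of "broad" source domains and "generic" target types are heuristics chosen for this thread, not anything the policy itself defines.

```python
"""Triage SELinux AVC denials before reaching for audit2allow.

Added example (not from the thread): separates denials that point at a
labeling or domain-transition problem from those that may genuinely need
a new allow rule.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in the thread,
# with the straight quotes auditd actually writes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1265904613.473:202): avc: denied { write } for pid=2342 comm="auditctl" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
type=AVC msg=audit(1265904614.260:205): avc: denied { read write } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904616.053:211): avc: denied { write } for pid=2728 comm="modprobe" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904617.858:215): avc: denied { write } for pid=2779 comm="ip6tables" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904628.321:230): avc: denied { audit_write } for pid=2853 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
type=DAEMON_START msg=audit(1265904613.457:3152): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2337 subj=system_u:system_r:sysadm_t res=success
"""

# Heuristics (assumptions for this example, not defined by the policy):
# a daemon denied while running in one of these broad domains never
# transitioned into its own domain; a target carrying one of these
# generic types is usually an object that lost or never got its label.
BROAD_SOURCE_DOMAINS = {"sysadm_t", "unconfined_t"}
GENERIC_TARGET_TYPES = {"tmpfs_t", "user_tmp_t", "tmp_t", "device_t",
                        "unlabeled_t", "default_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an 'avc: denied' record as a dict, or None
    for any other audit record (DAEMON_START, SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = tuple(m.group("perms").split())
    return fields


def context_type(ctx):
    """Pull the type out of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def classify(rec):
    """Decide what kind of fix a single denial most likely calls for."""
    if context_type(rec["scontext"]) in BROAD_SOURCE_DOMAINS:
        return "missing_transition"      # fix labeling/entrypoint, not policy
    if context_type(rec["tcontext"]) in GENERIC_TARGET_TYPES:
        return "mislabeled_target"       # fix the object's file context
    return "review_for_allow_rule"       # the only bucket audit2allow should see


def triage(log_text):
    """Group the denials in an audit log by the kind of fix they need."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        buckets[classify(rec)].append((
            rec.get("comm", "?"),
            context_type(rec["scontext"]),
            context_type(rec["tcontext"]),
            rec["tclass"],
            rec["perms"],
        ))
    return dict(buckets)


def programs_by_domain(log_text):
    """Map each source domain to the programs seen running in it; a long
    list under sysadm_t is the tell-tale sign of missing transitions."""
    domains = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            domains[context_type(rec["scontext"])].add(rec.get("comm", "?"))
    return {d: sorted(progs) for d, progs in domains.items()}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_AUDIT_LOG).items():
        print(f"== {bucket} ({len(items)})")
        for comm, stype, ttype, tclass, perms in items:
            print(f"  {comm:<12} {stype:<14} -> {ttype:<22} {tclass:<16} {' '.join(perms)}")
    print("programs per source domain:", programs_by_domain(SAMPLE_AUDIT_LOG))
```

Run against the full log from the post, every quoted denial lands in one of the first two buckets and the third stays empty, which is the practical reason to hold off on audit2allow here: generating allow rules from these records would grant sysadm_t the privileges of half a dozen daemons instead of making those daemons run in their own domains.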

Why SELinux if you have AppArmor???


VampirD
No in elenath hîlar nan hâd gîn

Well… I’m not wanting to get into the AppArmor vs SELinux debate here. There are legitimate reasons to use AppArmor, and also legitimate reasons to choose SELinux instead.

SELinux provides more granularity for access control. For example, you can restrict FTP to port 21, SMTP to port 25, http to port 80, etc. So if someone compromises apache, they would be unable to use that vulnerability to launch an FTP server. And you could ensure that there is not an unauthorized server running on a high port. etc… If you need that kind of control, you need SELinux rather than AppArmor.

So, since Novell is reintroducing SELinux, I’d like to be able to use it.