I’ve been trying to get SELinux working in OpenSUSE 11.2. So far I can get to runlevel 3 with enforcing=0. Before I start tinkering with audit2allow, I thought I should get some advice.
The 11.2 repository gives me these policy rpms:
http://download.opensuse.org/repositories/enSUSE:/11.2/standard/noarch…
http://download.opensuse.org/repositories/openSUSE:/11.2/standard/src/se…
But that version of policy has some issues in OpenSUSE:
- failure to allow the graphical desktop to load (even with enforcing=0). The following message appears in the console during boot:
** (gdm:1073): WARNING **: Couldn't connect to system bus: A SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus") startproc: exit status of parent of /usr/sbin/gdm: 1
Since enforcing is off, I’m surprised to see a message like that. SELinux shouldn’t be preventing anything, so I don’t see how modifying policy will solve that. Ideas?
- Attempting to boot to runlevel 5 with kernel parms "security=selinux selinux=1 enforcing=0", I'm dropped off in runlevel 3 instead. I'm getting a couple of pages of AVC errors after boot (see below).
I’ve tried several other versions of the policy without luck:
- the version included in Fedora 12 (refpolicy-2.2009117)
- the latest release from Tresys
- the latest from the repository at Tresys
They all give basically the same problems. Any advice would be appreciated.
Thanks,
Alan
Following are the AVC messages I’ve been getting:
type=DAEMON_START msg=audit(1265904613.457:3152): auditd start, ver=1.7.13 format=raw kernel=2.6.31.5-0.1-desktop auid=4294967295 pid=2337 subj=system_u:system_r:sysadm_t res=success
type=AVC msg=audit(1265904613.473:202): avc: denied { write } for pid=2342 comm="auditctl" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
type=AVC msg=audit(1265904613.690:204): avc: denied { execmem } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
type=AVC msg=audit(1265904614.260:205): avc: denied { read write } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904614.260:206): avc: denied { open } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904614.261:207): avc: denied { ioctl } for pid=2448 comm="smartd" path="/dev/sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904615.964:208): avc: denied { read } for pid=287 comm="stapio" path="/sys/kernel/debug/systemtap/preloadtrace/trace0" dev=debugfs ino=4136 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904615.964:209): avc: denied { read } for pid=2337 comm="auditd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904616.052:210): avc: denied { read } for pid=2728 comm="modprobe" path="/dev/console" dev=tmpfs ino=3969 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:console_device_t tclass=chr_file
type=AVC msg=audit(1265904616.053:211): avc: denied { write } for pid=2728 comm="modprobe" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904616.063:212): avc: denied { read } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1265904616.063:213): avc: denied { write } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1265904616.069:214): avc: denied { write } for pid=2729 comm="mount" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904617.858:215): avc: denied { write } for pid=2779 comm="ip6tables" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904617.859:216): avc: denied { write } for pid=2779 comm="ip6tables" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904617.889:217): avc: denied { write } for pid=2785 comm="modprobe" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.183:218): avc: denied { read } for pid=2831 comm="iptables-batch" name="SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.183:219): avc: denied { open } for pid=2831 comm="iptables-batch" name="SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.183:220): avc: denied { getattr } for pid=2831 comm="iptables-batch" path="/tmp/SuSEfirewall2_iptables.2F1un9MP" dev=sda2 ino=132181 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:user_tmp_t tclass=file
type=AVC msg=audit(1265904618.473:221): avc: denied { setattr } for pid=2853 comm="mingetty" name="tty1" dev=tmpfs ino=3984 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
type=AVC msg=audit(1265904618.480:222): avc: denied { getattr } for pid=2853 comm="mingetty" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904621.738:223): avc: denied { write } for pid=286 comm="stapio" path="/sys/kernel/debug/systemtap/preloadtrace/.cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904621.783:224): avc: denied { search } for pid=2868 comm="staprun" name="/" dev=debugfs ino=1 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir
type=AVC msg=audit(1265904621.783:225): avc: denied { open } for pid=2868 comm="staprun" name=".cmd" dev=debugfs ino=4137 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=file
type=AVC msg=audit(1265904621.784:226): avc: denied { sys_module } for pid=2868 comm="staprun" capability=16 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
type=AVC msg=audit(1265904628.319:227): avc: denied { create } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904628.320:228): avc: denied { write } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904628.320:229): avc: denied { nlmsg_relay } for pid=2853 comm="login" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_audit_socket
type=AVC msg=audit(1265904628.321:230): avc: denied { audit_write } for pid=2853 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
type=AVC msg=audit(1265904628.370:231): avc: denied { audit_control } for pid=2853 comm="login" capability=30 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
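Before feeding a log like the one above to audit2allow, it helps to look at the shape of the denials rather than the individual lines. The following is an added example, not code from the post or from the openSUSE or refpolicy projects: it parses AVC records, groups the requested permissions by (source domain, target type, object class), which is the shape of an allow rule, and lists which programs are running in each domain. The sample input is constructed from a subset of the records quoted in the post; the function names and the "crowded domain" threshold are my own choices. A domain such as sysadm_t hosting cupsd, smartd, udevd and login at once is visible in the log itself; whether it points at missing domain transitions (unlabeled files, missing file_contexts) on this particular system is something to check on the machine, not something the script proves.

```python
"""Summarise SELinux AVC denials before reaching for audit2allow.

Added example, not part of the original mailing-list post. The sample
lines below are constructed from the AVC records quoted in the post; the
function names are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the denials quoted in the post.
SAMPLE_AVC = """\
type=AVC msg=audit(1265904613.473:202): avc: denied { write } for pid=2342 comm="auditctl" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904613.689:203): avc: denied { execstack } for pid=2382 comm="cupsd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=process
type=AVC msg=audit(1265904614.260:205): avc: denied { read write } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904614.260:206): avc: denied { open } for pid=2448 comm="smartd" name="sda" dev=tmpfs ino=1749 scontext=system_u:system_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
type=AVC msg=audit(1265904616.063:212): avc: denied { read } for pid=308 comm="udevd" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1265904616.069:214): avc: denied { write } for pid=2729 comm="mount" path="/dev/blog" dev=tmpfs ino=1836 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=fifo_file
type=AVC msg=audit(1265904628.321:230): avc: denied { audit_write } for pid=2853 comm="login" capability=29 scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=capability
"""

# One regex covers file, socket and capability denials: the optional
# path/name/dev fields between comm= and scontext= are skipped lazily.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial; non-AVC lines (DAEMON_START etc.) are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # Contexts are user:role:type[:range]; the type is the third field.
        sdomain = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        records.append({
            "perms": tuple(m.group("perms").split()),
            "comm": m.group("comm"),
            "sdomain": sdomain,
            "ttype": ttype,
            "tclass": m.group("tclass"),
        })
    return records


def commands_by_domain(records):
    """Map each source domain to the sorted program names seen running in it."""
    out = defaultdict(set)
    for r in records:
        out[r["sdomain"]].add(r["comm"])
    return {d: sorted(c) for d, c in out.items()}


def denials_by_rule(records):
    """Group permissions by (source domain, target type, class): the shape of an allow rule."""
    out = defaultdict(set)
    for r in records:
        out[(r["sdomain"], r["ttype"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in out.items()}


def crowded_domains(records, threshold=3):
    """Domains hosting at least `threshold` distinct programs.

    Many unrelated daemons sharing one domain is worth investigating before
    generating policy: audit2allow would grant every one of their denials to
    that single domain, which is far broader than a per-daemon rule.
    """
    return sorted(d for d, c in commands_by_domain(records).items()
                  if len(c) >= threshold)


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    for (sdom, ttype, tclass), perms in sorted(denials_by_rule(recs).items()):
        print(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    for dom, cmds in sorted(commands_by_domain(recs).items()):
        print(f"{dom}: {', '.join(cmds)}")
    print("crowded domains:", crowded_domains(recs))
```

Run against the full audit log (ausearch -m avc output works as input), the per-rule grouping is what audit2allow would emit, and the per-domain listing shows how much of it would land on sysadm_t.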