Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: vserver and vprocunhide
From: Daniel Gil Mayol <Daniel.Gil-Mayol_at_brunel.de>
Date: Wed, 25 Oct 2006 10:33:18 +0200
But the "denied messages" I sent you before, are reported before I try to unhide the /proc/1.
> So, again, why are The problem is that I haven't programmed the vservers.
> > Oct 24 07:45:55 cnsu kernel: audit(1161675955.340:8577): avc: denied I just change the name, are the same.
> Where does this process run? On the "base" system or Do you mean vserver_ids? I think within each vserver.
> > Move init into its own domain means relabel /proc/1 with for example I wrote the following: domain_auto_trans(init_t, vserver_ids_exec_t, vserver_ids_t); and I am still receiving the same:
Oct 25 09:18:06 cnsu kernel: audit(1161767886.890:1510): avc: denied
{ search } for pid=3322 comm="pidof" name="1" dev=proc ino=65538
scontext=root:system_r:vserver_ids_t tcontext=user_u:system_r:unconfined_t
tclass=dir
> > I haven't found any definition of type init_t (something like "type Yes, each vserver is a daemon.
> But what about the rest of the processes running within each vserver Yes, httpd is shared for both vservers.
> > > And what was that assertion? Likely just requires an attribute on You are right, it is not a daemon....it is a simple script, I made a mistake using the macro daemon_domain().
> > > Is this process running within a vserver? The second "allow" was in my policy, I have added the first (audit_write) and I see the same message: Oct 25 07:57:27 cnsu dbus: Can't send to audit system: USER_AVC pid=26679 uid=81 loginuid=-1 message=avc: 0 AV entries and 0/512 buckets used, longestchain length 0 #--------------------------------------------------------------- I am trying to understand the "denied messages" to avoid to use allow with unconfined. For example the following:
Oct 25 08:02:37 cnsu kernel: audit(1161763357.211:1434): avc: denied
{ search } for pid=30655 comm="ls" name="util-vserver" dev=hda5 ino=208827
scontext=root:system_r:unconfined_t
Oct 25 08:02:37 cnsu kernel: audit(1161763357.239:1435): avc: denied { getattr } for pid=30655 comm="ls" name="vserver-wrapper" dev=hda5 ino=208979 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:vserver_utils_t tclass=file In the first denied, ino=208827 is a node that, after execute "find / -inum 208827" I see that corresponds with the following directory: /usr/lib/util-vserver that is labelled with "system_u:object_r:vserver_utils_t", it is not unconfined. So, the denied message says the process with pid 30655 (that I don't know who is it because when I execute "ps -e | grep 30655" nothing appears) from the unconfined domain, executes "ls" over the directory "/usr/lib/util-vserver" and have not the rights to search in directories labelled with vserver_utils_t. Did I interpretate right the denied? What can I do to avoid this denied without write: allow unconfined_t vserver_utils_t:dir { search }; allow unconfined_t vserver_utils_t:file { getattr } Something that for me is strange is that the "find -inum NUMBER" sometimes reports me more than one files/directories for the same ino number, can that happen? Another thing that I don't understand is, why the unconfined domain ask for some new permissions like: allow unconfined_t crontab_exec_t:file getattr; I thought unconfined is free to do everything. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 25 Oct 2006 - 04:33:34 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |