# selinux startup woes

## R. Bosch

Hi,

I got selinux installed, but get a flood of audit messages. So, I'm not switching to enforced mode yet  :Sad: 

I have the following policies installed:

```
selinux-acpi-20070329
selinux-apache-20070329
selinux-avahi-20070329
selinux-base-policy-20070329
selinux-dbus-20070329
selinux-desktop-20070329
selinux-gnupg-20070329
selinux-gpm-20070329
selinux-hal-20070329
selinux-logrotate-20070329
selinux-mysql-20070329
selinux-pcmcia-20070329
selinux-screen-20070329
selinux-sudo-20070329
```

Yet for some reason I get messages like:

```
audit(1182458611.586:735): avc:  denied  { append } for  pid=8949 comm="runscript.sh" name="syslog-ng" dev=hda2 ino=523504 scontext=user_u:user_r:user_t tcontext=user_u:object_r:initrc_state_t tclass=file
audit(1182458612.586:736): avc:  denied  { sys_ptrace } for  pid=8978 comm="start-stop-daem" capability=19 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1182458612.586:737): avc:  denied  { ptrace } for  pid=8978 comm="start-stop-daem" scontext=user_u:user_r:user_t tcontext=system_u:system_r:init_t tclass=process
audit(1182458612.586:738): avc:  denied  { ptrace } for  pid=8978 comm="start-stop-daem" scontext=user_u:user_r:user_t tcontext=system_u:system_r:kernel_t tclass=process
audit(1182458612.586:739): avc:  denied  { ptrace } for  pid=8978 comm="start-stop-daem" scontext=user_u:user_r:user_t tcontext=system_u:system_r:udev_t tclass=process
audit(1182458612.586:740): avc:  denied  { ptrace } for  pid=8978 comm="start-stop-daem" scontext=user_u:user_r:user_t tcontext=system_u:system_r:initrc_t tclass=process
audit(1182458612.586:741): avc:  denied  { ptrace } for  pid=8978 comm="start-stop-daem" scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t tclass=process
```

These are the first lines after restarting syslog-ng.

My sestatus reads

```
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        strict
```

I intend to create a guide here of a sort, to work out start-up problems for noobs like me who start with selinux.

Regards,

Remy

----------

## kevstar31

Did you follow the install steps here: 

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml

----------

## R. Bosch

Yes, and ran `rlpkg -a -r ; reboot` 5 times now  :Sad: 

Also checked the upgrade guide to 2006.1 since 2005.1 wouldn't let me install wpa_supplicant  :Confused: 

Running `emerge -e system` just to be sure.... No, I won't start `emerge -e world`. Compiling 500 packages is too much   :Wink:   :Rolling Eyes: 

Well, after running rlpkg -a -r ; reboot twice, I still get strange audit messages.

```
audit(1182530779.515:17): avc:  denied  { write } for  pid=1064 comm="modprobe" name="console" dev=tmpfs ino=1901 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182530779.515:18): avc:  denied  { getattr } for  pid=1064 comm="modprobe" name="console" dev=tmpfs ino=1901 context=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182530780.015:19): avc:  denied  { getattr } for  pid=997 comm="modprobe.sh" name="modprobe.conf" dev=hda2 ino=212283 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=file
audit(1182530780.015:20): avc:  denied  { read } for  pid=1427 comm="grep" name="modprobe.conf" dev=hda2 ino=212283 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_conf_t tclass=file
audit(1182530783.514:21): avc:  denied  { read write } for  pid=2778 comm="dmsetup" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530783.514:22): avc:  denied  { read write } for  pid=2804 comm="fsck" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530783.514:23): avc:  denied  { ioctl } for  pid=2805 comm="fsck.ext3" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530784.014:24): avc:  denied  { read write } for  pid=2832 comm="update-modules" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530784.014:25): avc:  denied  { ioctl } for  pid=2838 comm="stty" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:update_modules_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530784.014:26): avc:  denied  { read write } for  pid=2856 comm="modprobe" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530784.014:27): avc:  denied  { getattr } for  pid=2856 comm="modprobe" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530784.014:28): avc:  denied  { write } for  pid=2869 comm="mount" name="blkid.tab" dev=hda2 ino=212683 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:etc_t tclass=file
audit(1182530784.014:29): avc:  denied  { unlink } for  pid=2869 comm="mount" name="blkid.tab.old" dev=hda2 ino=212669 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:etc_t tclass=file
audit(1182530784.014:30): avc:  denied  { link } for  pid=2869 comm="mount" name="blkid.tab" dev=hda2 ino=212683 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:etc_t tclass=file
audit(1182530784.014:31): avc:  denied  { read write } for  pid=2894 comm="hwclock" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182523590.413:32): avc:  denied  { write } for  pid=4165 comm="runscript.sh" name="oss" dev=proc ino=-268435167 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_t tclass=file
audit(1182523590.413:33): avc:  denied  { create } for  pid=4101 comm="cpufreqd" name="cpufreqd" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_tmp_t tclass=sock_file
audit(1182523590.413:34): avc:  denied  { setattr } for  pid=4101 comm="cpufreqd" name="cpufreqd" dev=hda2 ino=82527 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:initrc_tmp_t tclass=sock_file
audit(1182523591.912:35): avc:  denied  { nlmsg_write } for  pid=4938 comm="wpa_supplicant" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_route_socket
audit(1182523591.912:36): avc:  denied  { create } for  pid=4938 comm="wpa_supplicant" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
```

This is a tiny portion of what I get on boot  :Sad: 

Init hasn't started yet and the audit messages are already flowing. This is too weird  :Confused: 

Remy

----------

## R. Bosch

Just typed:

```
ReboliLaptop gentoo # checkpolicy 
checkpolicy:  loading policy configuration from policy.conf
checkpolicy:  unable to open policy.conf
```

I have sec-policy/selinux-base-policy-20070329 merged.

How to solve this?

Remy

----------

## kevstar31

try semodule -n -B

----------

## R. Bosch

Been there, done that. Sorry  :Sad: 

Remy

----------

## DynamicStability

Do you really need SELinux?  If you don't need to hide information from the CIA/FBI/IRS you probably can just ignore the errors and use linux like a normal human.

----------

## R. Bosch

I'd like to try this out, and see if I can help improve its usability. For this I need to know it first  :Wink: 

So the stupid questions come first..   :Rolling Eyes: 

Yes, I can use selinux in permissive mode and ignore the audit errors, but then I might as well use a standard linux setup instead of SE-Linux.

I recompiled the kernel (suspend2 for my laptop), but it made no difference.

Here's the selinux config in menuconfig:

```
[ ] Enable access key retention support
[*] Enable different security models
[*]   Socket and Networking Security Hooks
[ ]     XFRM (IPSec) Networking Security Hooks
<*>   Default Linux Capabilities
< >   Root Plug Support
[*] NSA SELinux Support
[ ]   NSA SELinux boot parameter
[ ]   NSA SELinux runtime disable
[*]   NSA SELinux Development Support
[ ]   NSA SELinux AVC Statistics
(1)   NSA SELinux checkreqprot default value
[ ]   NSA SELinux enable new secmark network controls by default
[ ]   NSA SELinux maximum supported policy format version
```

```
ReboliLaptop ~ # semodule -l
apache  1.5.5
apm     1.3.3
avahi   1.4.1
dbus    1.4.1
gpg     1.1.1
gpm     1.2.1
hal     1.5.2
java    1.3.4
logrotate       1.4.0
mono    1.3.0
mozilla 1.1.2
mplayer 1.1.2
mysql   1.3.1
pcmcia  1.1.1
screen  1.1.0
sudo    1.0.2
wine    1.2.1
xfs     1.1.1
xserver 1.3.4
```

Remy

----------

## R. Bosch

Anyone know how to verify the base modules are loaded? I don't see hints under /selinux  :Sad: 

```
ReboliLaptop ~ # ldd /sbin/init 
        linux-gate.so.1 =>  (0xb7f33000)
        libsepol.so.1 => /lib/libsepol.so.1 (0xb7ee4000)
        libselinux.so.1 => /lib/libselinux.so.1 (0xb7ecf000)
        libc.so.6 => /lib/libc.so.6 (0xb7da7000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7da3000)
        /lib/ld-linux.so.2 (0xb7f34000)
```

Also did a relabeling on sysvinit.

Do I need the "hardened" USE flag? I understood it caused some problems with selinux in the past and since I was just starting, I thought it best to avoid it for now.

Thanks

Remy

----------

## kevstar31

Did you add these lines to make.conf?

```
FEATURES="selinux sesandbox"
POLICYDIR="/etc/security/selinux/src/policy"
POLICY_TYPES="strict targeted"
PORTAGE_FETCH_T="portage_fetch_t"
PORTAGE_SANDBOX_T="portage_sandbox_t"
```

----------

## R. Bosch

*kevstar31 wrote:*

> Did you add these lines to make.conf?
>
> ```
> FEATURES="selinux sesandbox"
> ...
> ```

Did not read anywhere that I had to  :Sad: 

I added the lines and did a "emerge -e system". It's compiling atm...

Thanks for the suggestion!

Remy

----------

## R. Bosch

Ok, added the extra lines to make.conf, then:

1. Re-emerged the policies
2. Re-emerged system
3. Relabeled the system (rlpkg -a -r)
4. Rebooted to relabel again
5. Rebooted

Still the damned messages!  :Sad: 

At startup I can read this is:

```
audit(1182780359.516:2): policy loaded auid=4294967295
audit(1182780359.516:3): avc:  denied  { read write } for  pid=1 comm="init" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182780359.516:4): avc:  denied  { ioctl } for  pid=1 comm="init" name="tty0" dev=hda2 ino=66132 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
INIT: version 2.86 booting
audit(1182780359.516:5): avc:  denied  { read write } for  pid=858 comm="rc" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182780360.515:6): avc:  denied  { read write } for  pid=860 comm="consoletype" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182780360.515:7): avc:  denied  { getattr } for  pid=860 comm="consoletype" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182780360.515:8): avc:  denied  { ioctl } for  pid=860 comm="consoletype" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
```

I use ext3 as a filesystem.

```
Portage 2.1.2.2 (selinux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.21-suspend2-r6 i686)
=================================================================
System uname: 2.6.21-suspend2-r6 i686 Intel(R) Pentium(R) M processor 1.73GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 19 Jun 2007 07:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS=" -O2 -march=pentium-m -pipe -fomit-frame-pointer "
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/terminfo"
CXXFLAGS=""
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa avahi berkdb branding bzip2 cairo ccache cdr crypt cups curl dbus dri dvdr exif fftw gif gimpprint glitz gnutls gpm gtk gtk2 hal inkjar ipv6 java jpeg jpeg2k lcms logrotate mad midi mikmod mmap mmx mng mysql ncurses nls nptl nptlonly offensive ogg opengl oss pam pcmcia pdf plugins png ppds pulseaudio python readline rtc seamonkey selinux sipv6 sndfile spell sse sse2 ssl startup-notification svg tcl tcpd threads tiff truetype unicode usb wifi x86 xattr xcb xinerama xml xml2 xv zlib" ALSA_CARDS="mpu401 loopback hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="wacom evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810 v4l"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

What can I do to clear/isolate this issue?
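
The denials quoted so far in this thread fall into a few repeating patterns: the console node on hda2 carrying the generic `file_t` label, service scripts running in `user_t` after a restart from a user shell, and daemons such as wpa_supplicant and cpufreqd staying in `initrc_t`. As an added example (not code from the thread), the script below parses AVC records in the `audit(...)` format shown above, groups them by source type, target type and object class, and attaches a short explanation per group. The sample input is a constructed subset of the lines quoted in this thread plus one non-AVC record; the explanations in `diagnose()` are my reading of these denials, not output of any SELinux tool, and for anything outside them `audit2why` gives the policy's own reason.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the AVC lines quoted in this thread plus one
# non-AVC audit record, so the parser has something to skip.
SAMPLE_AUDIT = """\
audit(1182458611.586:735): avc:  denied  { append } for  pid=8949 comm="runscript.sh" name="syslog-ng" dev=hda2 ino=523504 scontext=user_u:user_r:user_t tcontext=user_u:object_r:initrc_state_t tclass=file
audit(1182458612.586:737): avc:  denied  { ptrace } for  pid=8978 comm="start-stop-daem" scontext=user_u:user_r:user_t tcontext=system_u:system_r:init_t tclass=process
audit(1182530783.514:21): avc:  denied  { read write } for  pid=2778 comm="dmsetup" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182530784.014:31): avc:  denied  { read write } for  pid=2894 comm="hwclock" name="console" dev=hda2 ino=65293 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182523591.912:36): avc:  denied  { create } for  pid=4938 comm="wpa_supplicant" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
audit(1182780359.516:2): policy loaded auid=4294967295
"""

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # user:role:type -> keep the type part separately; it is what policy rules name
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else rec[ctx]
    return rec


def summarize(text):
    """Group denials by (source type, target type, class); collect perms and comms."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
    return dict(groups)


def diagnose(key):
    """Heuristic reading of a denial group; these are assumptions, not policy output."""
    stype, ttype, tclass = key
    if ttype == "file_t":
        return ("target is unlabeled (file_t): relabel it (rlpkg/restorecon); for a "
                "device node under a mounted /dev, relabel the node on the root fs")
    if stype == "user_t":
        return ("source runs in the user domain: start init scripts through run_init "
                "so they transition to initrc_t instead of inheriting user_t")
    if stype == ttype == "initrc_t" and tclass.endswith("socket"):
        return "daemon stayed in initrc_t: no policy module provides a domain for it"
    return "no heuristic here; run audit2why on the line for the policy's reason"


if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE_AUDIT).items()):
        stype, ttype, tclass = key
        print("%-14s -> %-16s %-14s x%d {%s} %s" % (
            stype, ttype, tclass, g["count"], " ".join(sorted(g["perms"])),
            ",".join(sorted(g["comms"]))))
        print("    " + diagnose(key))
```

Run it against `dmesg` or `/var/log/messages` output instead of the sample (`summarize(open(path).read())`) to see which groups dominate the flood; the `file_t` groups from one inode are typically one relabel, not dozens of policy changes.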

----------

## kevstar31

*R. Bosch wrote:*

> Did not read anywhere that I had to 
>
> I added the lines and did a "emerge -e system". It's compiling atm...
> ...

I found them in the selinux profile make.defaults.

*R. Bosch wrote:*

> What can I do to clear/isolate this issue?


maybe you can create a custom make.profile:

```
rm /etc/make.profile
mkdir /etc/make.profile
ln -s [current profile]/make.defaults /etc/make.profile/make.defaults
ln -s [current profile]/virtuals /etc/make.profile/virtuals
ln -s [current profile]/packages /etc/make.profile/packages
ln -s [current profile]/use /etc/make.profile/use
echo "/usr/portage/profiles/selinux/x86" > /etc/make.profile/parent
```

----------

## nixnut

Moved from Installing Gentoo to Networking & Security.

Not about getting gentoo installed.

----------

## R. Bosch

I think it's best to start looking at the installing first.

I've put together a script and divided the build into three parts.

```
mkfs.ext3 /dev/hda7 &&
mount /dev/hda7 /mnt/gentoo &&
cd /mnt/gentoo  &&
tar -xjf /media/dl/stage3-i686-2007.0.tar.bz2  &&
mkdir /mnt/gentoo/usr/portage  &&
mount -o bind /dev /mnt/gentoo/dev  &&
mount -t proc none /mnt/gentoo/proc  &&
# For the portage tree:
mount -o bind /media/portage /mnt/gentoo/usr/portage  &&
# For network
cp /etc/resolv.conf /mnt/gentoo/etc/  &&
# Profiling
rm /mnt/gentoo/etc/make.profile  &&
ln -sf /usr/portage/profiles/selinux/2007.0/x86 /mnt/gentoo/etc/make.profile  &&
# Remove to replace
rm /mnt/gentoo/etc/{make.conf,locale.gen}  &&
# make.conf
cat >> /mnt/gentoo/etc/make.conf << "EOF" &&
CFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
CXXFLAGS="-mtune=i686 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
USE="gpm ipv6 bzip2 sse sse2 mmx -3dnow nptl nptlonly acpi -apm -lm_sensors -debug -gnome -kde -X nls -slang unicode alsa offensive threads wifi xml2 ccache branding"
ALSA_CARDS="mpu401 loopback hda-intel usb-audio"
VIDEO_CARDS="i810 v4l"
INPUT_DEVICES="wacom evdev keyboard mouse synaptics"
FEATURES="selinux sesandbox buildpkg"
POLICYDIR="/etc/security/selinux/src/policy"
POLICY_TYPES="strict targeted"
PORTAGE_FETCH_T="portage_fetch_t"
PORTAGE_SANDBOX_T="portage_sandbox_t"
EOF
# locale.gen
cat >> /mnt/gentoo/etc/locale.gen << "EOF" &&
en_US ISO-8859-1
en_US.UTF-8 UTF-8
nl_NL.UTF-8 UTF-8
nl_NL@euro ISO-8859-15
EOF
echo done
```

```
mkdir /selinux &&
env-update &&
#1.b. Kernel headers
emerge -u linux-headers &&
cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime &&
# what can I say? I use a laptop.
emerge -av suspend2-sources &&
cd /usr/src/linux && 
zcat /proc/config.gz > .config &&
make all modules_install &&
cp arch/i386/boot/bzImage /boot/vmlinuz &&
#1c Update glibc 
emerge glibc -av &&
echo done
```

```
FEATURES="-selinux" PORTAGE_T="portage_t" emerge -u1 libsepol libselinux libsemanage checkpolicy policycoreutils selinux-base-policy  &&
emerge selinux-base-policy checkpolicy policycoreutils sysvinit pam coreutils findutils openssh procps psmisc shadow util-linux python-selinux &&
emerge -u `qlist -IC sec-policy` selinux-desktop &&
rm -f /lib/udev/devices/* &&
semodule -n -B &&
rlpkg -a -r &&
echo done
```

In the last part where I emerge without selinux, I avoid the following:

```
>>> Done.
>>> Merging sys-libs/libselinux-1.34.0 to /
>>> Setting SELinux security labels
/etc/selinux/targeted/contexts/files/file_contexts: No such file or directory
```

The main question to everyone here who has built selinux before is: "What the hell am I doing wrong?"

The commands are mostly straight from the handbook / selinux-howto / 2006.1 upgrade.

It doesn't make sense. Could someone please help here?

Thanks!

----------

## R. Bosch

Seems like here someone found a chicken-and-egg problem  :Smile: 

```
mkdir /mnt/rawroot
mount --bind / /mnt/rawroot
cd /mnt/rawroot/dev
setfilecon system_u:object_r:console_device_t console
```

I don't understand the other commands though... Ok, they're run to solve a mount deny from /selinux, but that's all I understand. I just don't have the file /security

See link above for more info.

 :Confused: 
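
The setfilecon fix quoted above addresses exactly what the boot denials showed: `name="console" dev=hda2` with `tcontext=system_u:object_r:file_t`, i.e. the console node on the root filesystem still carries the label for files that were never labeled, while the policy expects `console_device_t`; once a tmpfs is mounted over `/dev`, `rlpkg -a -r` can no longer reach that node, and bind-mounting `/` elsewhere exposes it again. As an added example (not code from the thread or from the Gentoo SELinux tools), the script below does what `setfiles`/`matchpathcon` do on a small scale: it applies a file_contexts-style table to a directory listing, reports every object whose current label differs from the one the policy prescribes, and prints the `setfilecon` commands in the form used in the post above. It assumes the strict-policy file_contexts format of this thread (regex, optional file-type code such as `-c`, context, no MLS field) and last-matching-entry-wins semantics; the file_contexts excerpt and the `ls -Z`-style listing are constructed for the example.

```python
import re

# Constructed file_contexts excerpt in the strict-policy format used in this
# thread (no MLS suffix). A real table lives under
# /etc/selinux/<policy>/contexts/files/file_contexts.
SAMPLE_FILE_CONTEXTS = r"""
/.*                       system_u:object_r:default_t
/dev(/.*)?                system_u:object_r:device_t
/dev/console          -c  system_u:object_r:console_device_t
/dev/tty[0-9]*        -c  system_u:object_r:tty_device_t
/etc(/.*)?                system_u:object_r:etc_t
/etc/blkid\.tab.*     --  system_u:object_r:etc_runtime_t
"""

# Constructed listing as `ls -Z` would show it: (path, type letter, current context).
# The first two entries mirror the console/tty0 denials quoted in this thread.
SAMPLE_LISTING = [
    ("/dev/console", "c", "system_u:object_r:file_t"),
    ("/dev/tty0", "c", "system_u:object_r:file_t"),
    ("/etc/blkid.tab", "-", "system_u:object_r:etc_t"),
    ("/etc/passwd", "-", "system_u:object_r:etc_t"),
]

# file_contexts type codes: -- regular, -c char dev, -b block dev, -d dir,
# -s socket, -l symlink, -p fifo. The second character is the ls(1) type letter.
TYPE_LETTERS = set("-cbdslp")


def load_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, type letter or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and len(parts[1]) == 2 and parts[1][1] in TYPE_LETTERS:
            regex, ftype, ctx = parts[0], parts[1][1], parts[2]
        elif len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        else:
            raise ValueError("unparseable file_contexts line: %r" % raw)
        # matchpathcon anchors every regex to the whole path
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def match_context(specs, path, ftype):
    """Context the table prescribes for path, or None; last matching entry wins."""
    expected = None
    for rx, spec_type, ctx in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if rx.match(path):
            expected = ctx
    return expected


def find_mislabeled(specs, listing):
    """Return (path, current, expected) for every object whose label is wrong."""
    out = []
    for path, ftype, current in listing:
        expected = match_context(specs, path, ftype)
        if expected is not None and expected != current:
            out.append((path, current, expected))
    return out


def relabel_commands(mislabeled):
    """Emit the fix in the form used in this thread: setfilecon <context> <path>."""
    return ["setfilecon %s %s" % (expected, path) for path, _, expected in mislabeled]


if __name__ == "__main__":
    specs = load_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, current, expected in find_mislabeled(specs, SAMPLE_LISTING):
        print("%-16s is %-36s should be %s" % (path, current, expected))
    for cmd in relabel_commands(find_mislabeled(specs, SAMPLE_LISTING)):
        print(cmd)
```

To use it on the system in question, feed it the real file_contexts for the loaded policy and a listing taken from the bind-mounted raw root (`/mnt/rawroot/dev` above), since that is where the mislabeled nodes live; the `-c` entries show why the type letter matters, because the same path as a regular file would fall back to the generic `/dev(/.*)?` entry.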

----------

