I am trying to configure SELinux on Poky Linux distro.
I am connecting to the board both on serial and ssh.
Launching ping and ifconfig over ssh, the board prints nothing, whereas the same commands on serial print the correct output.
At first, ping was completely disabled, so I had to patch the netutils SELinux policy (now works correctly).
The command journalctl -xe | grep "denied"
shows no "denied" for ping nor for ifconfig.
How can I fix this issue? Or where should I look further? Maybe a /dev/pts error?
I think I have found something.
After
semodule --disable_dontaudit --build
as described here, then:
~# journalctl -xe | grep "denied" | grep "ping"
Aug 04 13:04:42 audit[2510]: AVC avc: denied { use } for pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { use } for pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { use } for pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { rlimitinh } for pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { siginh } for pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { noatsecure } for pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { use } for pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { use } for pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { use } for pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { rlimitinh } for pid=2511 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { siginh } for pid=2511 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { noatsecure } for pid=2511 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
And:
~# cat /var/audit/audit.log | audit2allow -m fix_ping_ifconfig.te
The lines that had to be added were
policy/modules/admin/netutils.te
+allow ping_t devpts_t:chr_file { getattr ioctl };
+allow ping_t init_t:fd use;
policy/modules/system/sysnetwork.te
+allow ifconfig_t devpts_t:chr_file { read write getattr };
So it was a devpts issue as I thought, but the process to solve it was found by disabling the dontaudit rules.
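As an added illustration (not part of the original question or answer) of what audit2allow derives from the journalctl lines above: the script below parses AVC denial records, merges them into allow rules keyed by source type, target type and class, and sets aside the rlimitinh/siginh/noatsecure denials, which refpolicy normally dontaudits on domain transitions and which only appeared because dontaudit was disabled. The sample records are constructed from the post; the ifconfig line is an assumption, since the post only shows ping denials.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the journalctl output above. The ifconfig
# record is an assumption; the post only shows the ping denials.
SAMPLE_AVC = """\
Aug 04 13:04:42 audit[2510]: AVC avc: denied { use } for pid=2510 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { rlimitinh } for pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:42 audit[2510]: AVC avc: denied { siginh } for pid=2510 comm="ping" scontext=root:sysadm_r:sysadm_t:s0 tcontext=root:sysadm_r:ping_t:s0 tclass=process permissive=0
Aug 04 13:04:49 audit[2511]: AVC avc: denied { use } for pid=2511 comm="ping" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ping_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd permissive=0
Aug 04 13:04:50 audit[2512]: AVC avc: denied { read write } for pid=2512 comm="ifconfig" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:ifconfig_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Process permissions checked on every domain transition; refpolicy dontaudits
# them, so they only surface after `semodule --disable_dontaudit` and are not
# the denials that actually broke ping.
DONTAUDIT_NOISE = {"rlimitinh", "siginh", "noatsecure"}

def context_type(ctx):
    """user:role:type[:range] -> the type field."""
    return ctx.split(":")[2]

def parse_avc(text):
    """One (source type, target type, class, {perms}) tuple per AVC denial line."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                            m["tclass"], set(m["perms"].split())))
    return records

def fmt_rule(src, tgt, cls, perms):
    """Render in the same form as the netutils.te / sysnetwork.te lines above."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"

def allow_rules(records):
    """Merge denials into allow rules (audit2allow style); return (rules, dontaudit noise)."""
    wanted, noise = defaultdict(set), defaultdict(set)
    for src, tgt, cls, perms in records:
        for p in perms:
            (noise if p in DONTAUDIT_NOISE else wanted)[(src, tgt, cls)].add(p)
    rules = sorted(fmt_rule(*k, v) for k, v in wanted.items())
    skipped = sorted(fmt_rule(*k, v) for k, v in noise.items())
    return rules, skipped
```

Running allow_rules(parse_avc(SAMPLE_AVC)) yields the fd and chr_file rules that were added to the policy, with the process-class transition noise listed separately so it is not allowed by mistake.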