Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-20-2015, 02:38 PM   #1
paul2015
Member
 
Registered: Apr 2015
Distribution: CentOS Fedora
Posts: 149

Rep: Reputation: 4
selinux mls labeling


Hello everyone,

I have a minimal installation of CentOS 7 (3.10.0-229.el7.x86_64), installed selinux-policy-mls and touched /.autorelabel. After the system reboot and relabeling I have the problem that there is no default label for some files, I think because the MLS policy does not have the unconfined modules included. Can anyone suggest how to relabel the system correctly or how to correct the labeling?

Thanks

Here is my audit.log

Code:
#============= auditctl_t ==============
allow auditctl_t unlabeled_t:file read;

#============= chkpwd_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=chkpwd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=chkpwd_t  eq TYPE_ENTRY -Fail-)  or (t2=unlabeled_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow chkpwd_t unlabeled_t:file { read getattr };

#============= crond_t ==============
allow crond_t unlabeled_t:file { read getattr open };

#============= dmesg_t ==============
allow dmesg_t unlabeled_t:file { read getattr open };

#============= hostname_t ==============
allow hostname_t unlabeled_t:file open;

#============= ifconfig_t ==============
allow ifconfig_t unlabeled_t:file { read getattr open };

#============= init_t ==============
allow init_t root_t:dir remove_name;
allow init_t rpm_script_tmp_t:dir read;
allow init_t unlabeled_t:file { read open };
allow init_t user_fonts_t:dir read;
allow init_t var_log_t:file { rename create unlink };

#============= initrc_t ==============
allow initrc_t etc_t:service status;
allow initrc_t unlabeled_t:file { read ioctl open };

#============= irqbalance_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=irqbalance_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=irqbalance_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=irqbalance_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=irqbalance_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow irqbalance_t etc_t:dir search;
allow irqbalance_t unlabeled_t:file { read getattr open };

#============= kdumpctl_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow kdumpctl_t etc_t:dir search;
allow kdumpctl_t unlabeled_t:file { read getattr open };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { add_name remove_name reparent rmdir } ((l1 eq l2 -Fail-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  and (l1 domby l2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  and (l1 domby l2 -Pass-)  or (t2=var_t  eq TYPE_ENTRY -Fail-)  and (l1 dom l2 -Fail-)  and (h1 domby h2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=kdumpctl_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow kdumpctl_t var_t:dir { getattr search };

#============= netutils_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=netutils_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=netutils_t  eq TYPE_ENTRY -Fail-)  or (t2=unlabeled_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow netutils_t unlabeled_t:file { read getattr };

#============= plymouthd_t ==============
allow plymouthd_t devpts_t:chr_file setattr;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow plymouthd_t etc_t:dir search;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  or (t2=unlabeled_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow plymouthd_t unlabeled_t:file { read getattr };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=plymouthd_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow plymouthd_t var_t:dir search;

#============= system_cronjob_t ==============
allow system_cronjob_t unlabeled_t:file { read open };

#============= systemd_sysctl_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=systemd_sysctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=systemd_sysctl_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=systemd_sysctl_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=systemd_sysctl_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow systemd_sysctl_t etc_t:dir { getattr search };
allow systemd_sysctl_t unlabeled_t:file { read getattr open };

#============= tuned_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { add_name remove_name reparent rmdir } ((l1 eq l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  and (l1 domby l2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  and (l1 domby l2 -Pass-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-)  and (l1 dom l2 -Fail-)  and (h1 domby h2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow tuned_t etc_t:dir search;
allow tuned_t unlabeled_t:file { read getattr open };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
	mlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
mlsconstrain dir { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  or (t2=var_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow tuned_t var_t:dir search;

#============= udev_t ==============
allow udev_t unlabeled_t:file { read getattr open };

Last edited by unSpawn; 06-22-2015 at 01:08 AM. Reason: //Use vBB code tags
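The block pasted above is audit2allow's summary of the AVC denials (the `#============= domain_t ==============` headers and the `#!!!! This avc is a constraint violation` notes are its output), and the tempting next step is to compile it straight into a local module with `audit2allow -M`. That would be the wrong move here: every rule against `unlabeled_t` points at a file that carries no label at all, and the MLS constraint notes say outright that an allow rule cannot grant the access. The script below is an added example, not code from the thread or from the SELinux project; it parses output in this format and sorts each proposed rule into "relabel", "mls-constraint" or "review". The sample text is a constructed, abridged copy of the thread's output, and the attachment of a constraint note to the allow rules whose object class and `t2=` type the `mlsconstrain` line names is this script's own heuristic, as are the advice strings.

```python
#!/usr/bin/env python3
"""Triage audit2allow output before any of it is compiled into a policy module.
Buckets: relabel (target is unlabeled_t: fix the label, never allow it),
mls-constraint (audit2allow says an allow rule cannot help: MLS levels differ),
review (plain type-enforcement denial: a human reads it before it goes anywhere)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the format of the output pasted in the thread (abridged).
SAMPLE = """\
#============= auditctl_t ==============
allow auditctl_t unlabeled_t:file read;
#============= chkpwd_t ==============
#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
\tmlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-)  or (t1=chkpwd_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t2=unlabeled_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
#\tPossible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow chkpwd_t unlabeled_t:file { read getattr };
#============= init_t ==============
allow init_t root_t:dir remove_name;
allow init_t var_log_t:file { rename create unlink };
#============= tuned_t ==============
#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
\tmlsconstrain dir { search } ((l1 dom l2 -Fail-)  or (t1=tuned_t  eq TYPE_ENTRY -Fail-)  and (h1 dom L2 -Pass-)  or (t2=etc_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
#\tPossible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.
allow tuned_t etc_t:dir search;
allow tuned_t unlabeled_t:file { read getattr open };
"""

SECTION_RE = re.compile(r"^#=+\s*\S+\s*=+$")                 # "#==== domain_t ===="
ALLOW_RE = re.compile(
    r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+));\s*$")
CONSTRAINT_RE = re.compile(r"^\s*mlsconstrain\s+(\S+)\s+\{[^}]*\}.*?t2=(\w+)")
LEVELS_RE = re.compile(r"source level \(([^)]*)\) and target level \(([^)]*)\)")

@dataclass
class Rule:
    source: str
    target: str
    tclass: str
    perms: tuple
    constraint: bool   # an mlsconstrain note named this object class and target type
    levels: tuple      # (source level, target level) from the "Possible cause" line

    @property
    def verdict(self) -> str:
        if self.target == "unlabeled_t":   # labeling problem, whatever else is going on
            return "relabel"
        if self.constraint:
            return "mls-constraint"
        return "review"

def parse(text: str) -> list:
    """One Rule per allow line. Heuristic (this script's, not audit2allow's): a
    constraint note applies to the allow rules whose class and t2 type it names."""
    rules, pending, levels = [], set(), ()
    for line in text.splitlines():
        if SECTION_RE.match(line):          # new source domain: drop old notes
            pending, levels = set(), ()
            continue
        m = CONSTRAINT_RE.match(line)
        if m:
            pending.add((m.group(1), m.group(2)))
            continue
        m = LEVELS_RE.search(line)
        if m:
            levels = (m.group(1), m.group(2))
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = tuple((m.group(4) or m.group(5)).split())
        hit = (m.group(3), m.group(2)) in pending
        rules.append(Rule(m.group(1), m.group(2), m.group(3), perms, hit, levels if hit else ()))
    return rules

def triage(text: str) -> dict:
    """Bucket the parsed rules by verdict; values are printable rule strings."""
    buckets = defaultdict(list)
    for r in parse(text):
        buckets[r.verdict].append(f"{r.source} {r.target}:{r.tclass} {' '.join(r.perms)}")
    return dict(buckets)

# Suggested next step per bucket (the author of this example's advice, not audit2allow's).
ADVICE = {
    "relabel": "mislabeled objects: restorecon -Rv the paths (or fixfiles relabel), re-check with ls -Z",
    "mls-constraint": "MLS level mismatch: no allow rule can grant this; the levels or policy design must change",
    "review": "type-enforcement denials: read each one before it goes into a local module",
}

if __name__ == "__main__":
    for verdict, rules in triage(SAMPLE).items():
        print(f"[{verdict}] {ADVICE[verdict]}")
        print("\n".join("    " + r for r in rules))
```

Run it as `audit2allow -a | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`, or just run it as is to see the three buckets on the sample. The point the buckets make for this thread: rules against `unlabeled_t` are not access requests to grant but files to relabel (find them with `ls -Z` and fix them with `restorecon -Rv` on the affected paths, or a full `fixfiles relabel`), and the `mls-constraint` rules will still be denied after any allow rule, because the "Possible cause" lines show the source running at `s0-s15:c0.c1023` against targets at `s15:c0.c1023`.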
 
Old 06-22-2015, 01:11 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by paul2015 View Post
I (..) installed selinux-policy-mls (..) I have problem that there is no default label for some files, I think because mls policy does not have unconfined modules included. Can anyone suggest how to relabel system correctly or how to correct labeling.
MLS requires you to do research and design rules yourself. If you don't need MLS then use "targeted" instead. Note there is a reason most Linux distributions supply the "targeted" one as default policy.