On Tue, 28 Dec 2004 01:00:15 +1100, Russell Coker <russell(a)coker.com.au> wrote:
On Saturday 04 December 2004 03:34, Tom London <selinux(a)gmail.com> wrote:
> Booting produces following avc:
It seems that you never got a reply to this one.
> Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied
> { create } for pid=1348 exe=/sbin/nash name=md0
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=blk_file
> Dec 3 08:23:45 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised:
> dm(a)uk.sistina.com
This is something that still needs a good solution. We don't want initrc_t to
be able to do such things in the strict policy, so udev seems to be the best
way of doing it. Maybe getting it added to /sbin/start_udev would be the
best solution? start_udev already creates a bunch of other device nodes that
are too inconvenient to do in other ways.
Of course, due to the usual shell script issues, udev_t isn't safe from
initrc_t. But it's a start at isolating it; we can improve later.
> Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied
> { create } for pid=1354 exe=/sbin/nash name=mapper
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=dir
That one should have been fixed quite some time ago, before your message was
posted. Either you hadn't updated to all the latest packages or there is a
corner case we missed. In either case let me know if it still happens with
the latest rawhide.
--
Russell,
This one also has been fixed. Don't remember exactly when....
tom
--
Tom London
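As an added illustration of the triage Russell describes above (not code from the thread or from the SELinux project), the snippet below parses the two kernel AVC denial lines quoted in this thread, emits the audit2allow-style rule each would need, and flags the blk_file create by initrc_t as something to move into a dedicated domain rather than simply allow. The sample lines are reconstructed from the thread; the verdict labels and the udev_t recommendation are this example's own.

```python
import re

# The two AVC denials quoted in the thread, rejoined onto one line each
# (2004-era kernel "audit(...)" format, before auditd's userspace records).
SAMPLE_AVC = [
    "Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied "
    "{ create } for pid=1348 exe=/sbin/nash name=md0 "
    "scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file",
    "Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied "
    "{ create } for pid=1354 exe=/sbin/nash name=mapper "
    "scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=dir",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")

def parse_avc(line):
    """Return a dict of the denial's fields, plus the bare source/target types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = value
    # security contexts are user:role:type; the policy rule only needs the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """The rule audit2allow would propose for this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))

DEVICE_NODE_CLASSES = {"blk_file", "chr_file"}

def review(rec):
    """Triage verdict (this example's own labels): 'relocate' when initrc_t
    wants to create a device node in device_t, which the strict policy should
    not grant and which belongs in udev_t (start_udev) instead; 'allow' otherwise."""
    if (rec["stype"] == "initrc_t" and rec["ttype"] == "device_t"
            and rec["tclass"] in DEVICE_NODE_CLASSES and "create" in rec["perms"]):
        return "relocate"
    return "allow"

def triage(lines):
    """Parse each denial and pair the candidate rule with its verdict."""
    return [(allow_rule(r), review(r)) for r in map(parse_avc, lines) if r]
```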