Latest rawhide packages, kudzu has problems with /dev/zero and /dev/mem
kudzu generates:
Nov 7 17:20:13 fedora kernel: audit(1099847973.501:0): avc: denied { read } for pid=826 exe=/sbin/kmodule name=zero dev=tmpfs ino=3510 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Nov 7 17:20:13 fedora kernel: audit(1099847973.501:0): avc: denied { read } for pid=826 exe=/sbin/kmodule name=zero dev=tmpfs ino=3510 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
after fixing this, it fails on mmap of /dev/zero, so need to also add execute.
Here's a patch: --- SAVE/kudzu.te 2004-11-07 18:18:24.889196971 -0800 +++ ./kudzu.te 2004-11-07 18:18:52.095994659 -0800 @@ -18,6 +18,7 @@ allow kudzu_t modules_object_t:dir r_dir_perms; allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; allow kudzu_t mouse_device_t:chr_file { read write }; +allow kudzu_t zero_device_t:chr_file { read execute }; allow kudzu_t proc_t:file { getattr read }; allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
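Review bot: the hunk grants execute on zero_device_t alongside read, but the denial quoted above only shows { read }; the execute requirement is inferred from the mmap() failure rather than from an audit message. Since execute on a chr_file is what permits a PROT_EXEC mapping of /dev/zero, confirm it with a second denial (as the later message in this thread does) and keep the rule to exactly the permissions kmodule needs. A short comment beside the added allow line noting the mmap() use would also help the next reader of kudzu.te.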
But, it now produces:
Nov 8 06:53:38 fedora kernel: audit(1099896764.946:0): avc: denied { read write } for pid=826 exe=/sbin/kmodule name=mem dev=tmpfs ino=909 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Adding allow kudzu_t memory_device_t:chr_file { read write }; produces
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 6 roles, 1323 types, 31 bools
security: 53 classes, 313479 rules
assertion on line 269956 violated by allow kudzu_t memory_device_t:chr_file { read write };
make: *** [/etc/selinux/strict/policy/policy.18] Error 1
Some help, please?
thanks, tom
On Tuesday 09 November 2004 03:40, Tom London selinux@gmail.com wrote:
> Adding allow kudzu_t memory_device_t:chr_file { read write }; produces
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> security: 5 users, 6 roles, 1323 types, 31 bools
> security: 53 classes, 313479 rules
> assertion on line 269956 violated by allow kudzu_t memory_device_t:chr_file { read write };
"head -269956 policy.conf |tail -1" gives the following:
neverallow { domain -privmem } memory_device_t:{ chr_file blk_file } { read write append };
The solution is to add the privmem attribute to the declaration of kudzu_t:
daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
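As an added illustration of the neverallow check described above (example code, not from this thread or the Fedora policy): it parses the two denials quoted earlier in the thread, derives the allow rule each implies, and tests that rule against the neverallow at line 269956; the attribute sets passed for kudzu_t are assumptions supplied by the caller.

```python
import re

# Constructed sample input: the two AVC denials from the thread, one per line.
AVC_LINES = [
    "audit(1099847973.501:0): avc: denied { read } for pid=826 exe=/sbin/kmodule "
    "name=zero dev=tmpfs ino=3510 scontext=system_u:system_r:kudzu_t "
    "tcontext=system_u:object_r:zero_device_t tclass=chr_file",
    "audit(1099896764.946:0): avc: denied { read write } for pid=826 exe=/sbin/kmodule "
    "name=mem dev=tmpfs ino=909 scontext=system_u:system_r:kudzu_t "
    "tcontext=system_u:object_r:memory_device_t tclass=chr_file",
]

# Pull the denied permissions, source type, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+:(?P<stype>\w+)\s+tcontext=\S+:(?P<ttype>\w+)\s+tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return a dict describing the denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"stype": m.group("stype"), "ttype": m.group("ttype"),
            "tclass": m.group("tclass"), "perms": set(m.group("perms").split())}

def allow_rule(d):
    """The policy.conf allow rule that would silence this denial (what audit2allow would emit)."""
    return "allow %s %s:%s { %s };" % (
        d["stype"], d["ttype"], d["tclass"], " ".join(sorted(d["perms"])))

# The neverallow found at line 269956 of policy.conf, expressed as data:
# neverallow { domain -privmem } memory_device_t:{ chr_file blk_file } { read write append };
NEVERALLOW = {"attr": "domain", "exempt": "privmem", "ttype": "memory_device_t",
              "classes": {"chr_file", "blk_file"}, "perms": {"read", "write", "append"}}

def violates(d, attrs):
    """True if allowing denial d for a source type carrying attributes `attrs`
    (assumed, e.g. {"domain"} or {"domain", "privmem"}) trips the neverallow assertion."""
    if NEVERALLOW["attr"] not in attrs or NEVERALLOW["exempt"] in attrs:
        return False
    return (d["ttype"] == NEVERALLOW["ttype"]
            and d["tclass"] in NEVERALLOW["classes"]
            and bool(d["perms"] & NEVERALLOW["perms"]))

if __name__ == "__main__":
    for line in AVC_LINES:
        d = parse_avc(line)
        print(allow_rule(d), "-> violates neverallow:", violates(d, {"domain"}))
```

Running it shows the /dev/mem rule is rejected for a plain domain but accepted once the source type carries privmem, which is exactly why the macro call above adds that attribute rather than the raw allow.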
On Tue, 23 Nov 2004 15:11:25 +1100, Russell Coker russell@coker.com.au wrote:
> "head -269956 policy.conf |tail -1" gives the following:
> neverallow { domain -privmem } memory_device_t:{ chr_file blk_file } { read write append };
> The solution is to add the privmem attribute to the declaration of kudzu_t:
> daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
Thanks, but this seems not to quite get it all:
Nov 23 06:05:21 fedora kernel: audit(1101189873.496:0): avc: denied { execute } for pid=824 path=/dev/zero dev=tmpfs ino=3517 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Nov 23 06:05:21 fedora kernel: audit(1101189873.497:0): avc: denied { execute } for pid=824 path=/dev/zero dev=tmpfs ino=3517 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
Is this mmap() again?
tom
selinux@lists.fedoraproject.org