9:38 a.m.
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs
ino=17 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied
{ read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied
{ use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied
{ read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652,
dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070
ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd:
ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using
/var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
10:36 a.m.
On Fri, 21 Jan 2005 07:38:15 -0800, Tom London <selinux(a)gmail.com> wrote:
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
I'll probe a bit, but any help is welcome!
OK. Doing the obvious (i.e. adding all of the following) fixes the problem:
allow dmesg_t kernel_t:fd use;
allow dmesg_t root_t:file read;
allow hostname_t root_t:file read;
allow kudzu_t kernel_t:fd use;
allow kudzu_t root_t:file read;
allow restorecon_t default_context_t:file read;
allow restorecon_t root_t:file read;
allow udev_t root_t:file read;
Adding 'root_t' to { kudzu_t restorecon_t udev_t } a problem?
tom
--
Tom London
10:48 a.m.
On Fri, 2005-01-21 at 10:38, Tom London wrote:
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file
I think that this denial reflects a kernel bug - leaking a descriptor to
the rootfs to userspace. Shouldn't interfere with booting.
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file
This is more likely the culprit. restorecon is now trying to read the
customizable_types file to identify contexts that it shouldn't try to
relabel, but if it lacks permission to do so, then the current code is
going to prevent relabeling anything, as it is merely checking for a
non-zero return from is_context_customizable(), which could be an
error. Fix is to allow access by restorecon_t and setfiles_t, but also
likely change the calling code to distinguish the error case from > 0
case.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
11:32 a.m.
Stephen Smalley wrote:
On Fri, 2005-01-21 at 10:38, Tom London wrote:
>Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
>{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
>scontext=system_u:system_r:hostname_t
>tcontext=system_u:object_r:root_t tclass=file
>
>
I think that this denial reflects a kernel bug - leaking a descriptor to
the rootfs to userspace. Shouldn't interfere with booting.
>Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
>{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
>dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
>tcontext=system_u:object_r:default_context_t tclass=file
>
>
This is more likely the culprit. restorecon is now trying to read the
customizable_types file to identify contexts that it shouldn't try to
relabel, but if it lacks permission to do so, then the current code is
going to prevent relabeling anything, as it is merely checking for a
non-zero return from is_context_customizable(), which could be an
error. Fix is to allow access by restorecon_t and setfiles_t, but also
likely change the calling code to distinguish the error case from > 0
case.
Fix in selinux-policy-*-1.21.2-7
1:53 p.m.
New subject: FC4 update and SELINUX
I seem to remember an email passing this way
that the latest FC4 targeted update,
nagios stopped working.
I recall the response was
"setenforce permissive, and capture
the audit trail"... or something of that nature.
Can anyone help refresh my memory ?
As, I just got around to testing FC4 on an AMD64,
with it set to "permissive" it -all- works..
with NO AVC messages...
and with it set to "enforcing", it stops
working ...
with NO AVC messages.
I tried "audit2allow -i /dev/null",
but for some reason, that doesn't help me write policy.
:-P
Anyone have more informative output, or subtle clues ?
:-\
TIA!
1:57 p.m.
New subject: FC4 update and SELINUX
On Mon, 2005-11-07 at 14:53 -0500, Richard Irving wrote:
As, I just got around to testing FC4 on an AMD64,
with it set to "permissive" it -all- works..
with NO AVC messages...
and with it set to "enforcing", it stops
working ...
with NO AVC messages.
If there are truly no audit messages (in /var/log/audit/audit.log), then
install selinux-policy-targeted-sources if you don't already have them,
and then do:
cd /etc/selinux/targeted/src/policy
make clean enableaudit load
<run your tests>
cd /etc/selinux/targeted/src/policy
make clean load
Then look again at audit.log.
--
Stephen Smalley
National Security Agency
2:15 p.m.
New subject: FC4 update and SELINUX
Stephen Smalley wrote:
On Mon, 2005-11-07 at 14:53 -0500, Richard Irving wrote:
>As, I just got around to testing FC4 on an AMD64,
>with it set to "permissive" it -all- works..
>with NO AVC messages...
>
>and with it set to "enforcing", it stops
>working ...
>with NO AVC messages.
>
>
Dohh... FC3 to FC4 "OHS".
Why is the problem always the loose
nut in front of the keyboard ?
:-)
Thanks All!
If there are truly no audit messages (in /var/log/audit/audit.log), then
install selinux-policy-targeted-sources if you don't already have them,
and then do:
cd /etc/selinux/targeted/src/policy
make clean enableaudit load
<run your tests>
cd /etc/selinux/targeted/src/policy
make clean load
Then look again at audit.log.
1:58 p.m.
New subject: FC4 update and SELINUX
Richard Irving wrote:
I seem to remember an email passing this way
that the latest FC4 targeted update,
nagios stopped working.
I recall the response was
"setenforce permissive, and capture
the audit trail"... or something of that nature.
Can anyone help refresh my memory ?
As, I just got around to testing FC4 on an AMD64,
with it set to "permissive" it -all- works..
with NO AVC messages...
Are you looking in /var/log/audit/audit.log for avcs?
You can turn off all the dontaudit rules by installing
selinux-policy-targeted-source
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
make clean; make load will set it back.
and with it set to "enforcing", it stops
working ...
with NO AVC messages.
I tried "audit2allow -i /dev/null",
but for some reason, that doesn't help me write policy.
:-P
Anyone have more informative output, or subtle clues ?
:-\
TIA!
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
6743
days inactive
7033
days old
selinux@lists.fedoraproject.org
7 comments
4 participants
participants (4)
-
Daniel J Walsh -
Richard Irving -
Stephen Smalley -
Tom London