Sorry, I sent this off too quickly.
Here are additional AVCs generated by udev....
Aug 24 09:12:27 fedora kernel: audit(1093338680.407:0): avc: denied { getattr } for pid=315 exe=/sbin/udevsend path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363902.870:0): avc: denied { search } for pid=1079 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 24 09:12:31 fedora kernel: audit(1093363902.877:0): avc: denied { search } for pid=1079 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Aug 24 09:12:31 fedora kernel: audit(1093363902.894:0): avc: denied { read } for pid=1079 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=root:object_r:file_context_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363902.894:0): avc: denied { getattr } for pid=1079 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=root:object_r:file_context_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363919.802:0): avc: denied { write } for pid=1200 exe=/sbin/udev name=fscreate dev=proc ino=78643222 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363919.802:0): avc: denied { setfscreate } for pid=1200 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 24 09:12:31 fedora kernel: audit(1093363919.941:0): avc: denied { search } for pid=1202 exe=/bin/bash name=console dev=hda2 ino=4456494 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 24 09:12:32 fedora kernel: audit(1093363947.209:0): avc: denied { getattr } for pid=2131 exe=/sbin/udev path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
Seems to want:
allow udev_t default_context_t:dir { search };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { getattr read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t selinux_config_t:file { getattr };
allow udev_t udev_t:file { write };
allow udev_t udev_t:process { setfscreate };
Help.... this one is beyond me......
tom
Tom London wrote:
The newest Rawhide udev seems to add 'udevsend' that seems to want
allow udev_t selinux_config_t:dir { search };
allow udev_t selinux_config_t:file { read };
I'm guessing that udevsend replaces the script
/etc/dev.d/default/selinux.dev.
tom
Here are the AVCs....
Aug 24 08:45:13 fedora kernel: audit(1093362313.380:0): avc: denied { search } for pid=3905 exe=/sbin/udevsend name=selinux dev=hda2 ino=4509743 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Aug 24 08:45:13 fedora kernel: audit(1093362313.380:0): avc: denied { read } for pid=3905 exe=/sbin/udevsend name=config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
Aug 24 08:45:13 fedora kernel: audit(1093362313.380:0): avc: denied { getattr } for pid=3905 exe=/sbin/udevsend path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file