10:43 a.m.
Newest Rawhide packages improve things a bit for strict/enforcing, but
still no joy.
When booting strict/enforcing, the system seems to boot to single user mode,
but is unable to write to the console. Last messages are avc denials from
/bin/dmesg, that seem to occur just before the 'Welcome to Fedora' message.
I can hear the device discovery going on, but nothing on the console.
After about 5 minutes, ALT-CTL-DEL brought the system down, with the
customary console messages. (But, error messages about most file systems
not being mounted).
Here are the early avcs...
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied {
create } for pid=1 exe=/sbin/init name=initctl
scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t
tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file
/etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied {
associate } for pid=1 exe=/sbin/init name=initctl
scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t
tclass=filesystem
Sep 3 07:25:36 fedora smartd[2856]: Configuration file /etc/smartd.conf
parsed.
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied {
read write } for pid=1 exe=/sbin/init name=initctl dev=tmpfs ino=2095
scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t
tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Device: /dev/hda, opened
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied {
getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=tmpfs ino=2095
scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t
tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Device: /dev/hda, found in smartd
database.
Sep 3 07:25:36 fedora kernel: audit(1094196259.312:0): avc: denied {
read write } for pid=344 exe=/bin/hostname name=console dev=tmpfs
ino=864 scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:36 fedora kernel: audit(1094196259.382:0): avc: denied {
search } for pid=346 exe=/bin/bash dev=tmpfs ino=863
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t
tclass=dir
Sep 3 07:25:36 fedora kernel: audit(1094196259.382:0): avc: denied {
read write } for pid=346 exe=/bin/bash name=tty dev=tmpfs ino=1227
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t
tclass=chr_file
Sep 3 07:25:37 fedora smartd[2856]: Device: /dev/hda, is SMART capable.
Adding to "monitor" list.
Sep 3 07:25:37 fedora kernel: audit(1094196260.276:0): avc: denied {
read write } for pid=490 exe=/bin/mount name=console dev=tmpfs ino=864
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:37 fedora smartd[2856]: Monitoring 1 ATA and 0 SCSI devices
Sep 3 07:25:37 fedora kernel: audit(1094196260.277:0): avc: denied {
search } for pid=490 exe=/bin/mount dev=tmpfs ino=863
scontext=system_u:system_r:mount_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:37 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Sep 3 07:25:38 fedora smartd[2858]: smartd has fork()ed into background
mode. New PID=2858.
Sep 3 07:25:38 fedora kernel: audit(1094196260.368:0): avc: denied {
read write } for pid=514 exe=/sbin/consoletype name=console dev=tmpfs
ino=864 scontext=system_u:system_r:consoletype_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora smartd: smartd startup succeeded
Sep 3 07:25:38 fedora kernel: audit(1094196260.368:0): avc: denied {
getattr } for pid=514 exe=/sbin/consoletype path=/dev/console dev=tmpfs
ino=864 scontext=system_u:system_r:consoletype_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196260.368:0): avc: denied {
ioctl } for pid=514 exe=/sbin/consoletype path=/dev/console dev=tmpfs
ino=864 scontext=system_u:system_r:consoletype_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied {
read write } for pid=724 exe=/sbin/minilogd name=console dev=tmpfs
ino=864 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied {
use } for pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17
scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t
tclass=fd
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied {
read } for pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:root_t
tclass=file
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied {
search } for pid=724 exe=/sbin/minilogd dev=tmpfs ino=863
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied {
write } for pid=724 exe=/sbin/minilogd dev=tmpfs ino=863
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied {
add_name } for pid=724 exe=/sbin/minilogd name=log
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied {
create } for pid=724 exe=/sbin/minilogd name=log
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:unlabeled_t tclass=sock_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.160:0): avc: denied {
getattr } for pid=727 exe=/sbin/minilogd path=/dev/log dev=tmpfs
ino=2641 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:unlabeled_t tclass=sock_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.217:0): avc: denied {
read write } for pid=730 exe=/bin/dmesg name=console dev=tmpfs ino=864
scontext=system_u:system_r:dmesg_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora acpid: acpid startup succeeded
Sep 3 07:25:38 fedora kernel: audit(1094196262.285:0): avc: denied {
read write } for pid=735 exe=/sbin/restorecon name=console dev=tmpfs
ino=864 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196266.948:0): avc: denied {
create } for pid=746 exe=/sbin/udev name=input
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t
tclass=dir
tom
11:20 a.m.
On Fri, 2004-09-03 at 11:43, Tom London wrote:
Newest Rawhide packages improve things a bit for strict/enforcing,
but
still no joy.
When booting strict/enforcing, the system seems to boot to single user mode,
but is unable to write to the console. Last messages are avc denials from
/bin/dmesg, that seem to occur just before the 'Welcome to Fedora' message.
I can hear the device discovery going on, but nothing on the console.
After about 5 minutes, ALT-CTL-DEL brought the system down, with the
customary console messages. (But, error messages about most file systems
not being mounted).
Here are the early avcs...
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied {
create } for pid=1 exe=/sbin/init name=initctl
scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t
tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file
/etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied {
associate } for pid=1 exe=/sbin/init name=initctl
scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t
tclass=filesystem
No point in even trying to work from those audit messages, as the tmpfs
entry in fs_use in the rawhide policy is wrong and will break all users
of anonymous shared mappings and System V shared memory regardless of
whether it ever works for tmpfs /dev.
And life is still rather unpleasant even if fs_use is reverted to the
upstream policy. Using fscontext=system_u:object_r:device_t on the
tmpfs /dev mount would help significantly, but the claim is that it is
mounted before the initial policy load. End result is that tmpfs_t ends
up doing double duty as a type on shmem and /dev, which has a huge
impact on existing policy.
Strongly advise changing initialization to umount the initial tmpfs /dev
prior to initrd exit and re-mount it _after_ the initial policy load
using fscontext=. Or load a minimal policy from the initrd in your
/linuxrc prior to original tmpfs mount.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
9:02 a.m.
Stephen Smalley wrote:
On Fri, 2004-09-03 at 11:43, Tom London wrote:
>Newest Rawhide packages improve things a bit for strict/enforcing, but
>still no joy.
>
>When booting strict/enforcing, the system seems to boot to single user mode,
>but is unable to write to the console. Last messages are avc denials from
>/bin/dmesg, that seem to occur just before the 'Welcome to Fedora' message.
>I can hear the device discovery going on, but nothing on the console.
>After about 5 minutes, ALT-CTL-DEL brought the system down, with the
>customary console messages. (But, error messages about most file systems
>not being mounted).
>
>Here are the early avcs...
>
>Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied {
>create } for pid=1 exe=/sbin/init name=initctl
>scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t
>tclass=fifo_file
>Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file
>/etc/smartd.conf
>Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied {
>associate } for pid=1 exe=/sbin/init name=initctl
>scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t
>tclass=filesystem
>
>
No point in even trying to work from those audit messages, as the tmpfs
entry in fs_use in the rawhide policy is wrong and will break all users
of anonymous shared mappings and System V shared memory regardless of
whether it ever works for tmpfs /dev.
And life is still rather unpleasant even if fs_use is reverted to the
upstream policy. Using fscontext=system_u:object_r:device_t on the
tmpfs /dev mount would help significantly, but the claim is that it is
mounted before the initial policy load. End result is that tmpfs_t ends
up doing double duty as a type on shmem and /dev, which has a huge
impact on existing policy.
Strongly advise changing initialization to umount the initial tmpfs /dev
prior to initrd exit and re-mount it _after_ the initial policy load
using fscontext=. Or load a minimal policy from the initrd in your
/linuxrc prior to original tmpfs mount.
Most of the problems with booting strict SELinux with /dev/ mounted on a
tmpfs file system should be fixed by the
latest policy and initscripts package.
Dan
12:31 p.m.
New subject: Strict/enforcing.... ifconfig.te
Dan,
[Rawhide repo seems to be down, so I may have incomplete download state...]
running .541, strict enforcing.
Installed latest stuff from your tree, and applied patches you sent out later.
Strict/enforcing now boots up to X/Gnome. (Can login and everything!).
Early failure configuring NICs. Suggest:
--- ifconfig.te 2004-09-08 11:05:53.000000000 -0700
+++ ifconfig.te.new 2004-09-09 10:28:05.467768274 -0700
@@ -24,7 +24,7 @@
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
# for /sbin/ip
-allow ifconfig_t self:netlink_route_socket { bind create getattr
nlmsg_read nlmsg_write read write };
+allow ifconfig_t self:netlink_route_socket { bind create getattr
nlmsg_read nlmsg_write read write setopt };
allow ifconfig_t self:tcp_socket { create ioctl };
allow ifconfig_t etc_t:file { getattr read };
[I'm sorry if I missed this in your patches. I applied them manually,
so I may have missed this one.]
--
Tom London
7182
days inactive
7188
days old
selinux@lists.fedoraproject.org
3 comments
4 participants
participants (4)
-
Daniel J Walsh -
Stephen Smalley -
Tom London -
Tom London