Newest Rawhide packages improve things a bit for strict/enforcing, but still no joy.
When booting strict/enforcing, the system seems to boot to single user mode, but is unable to write to the console. Last messages are avc denials from /bin/dmesg, which seem to occur just before the 'Welcome to Fedora' message. I can hear the device discovery going on, but nothing on the console. After about 5 minutes, ALT-CTL-DEL brought the system down, with the customary console messages. (But, error messages about most file systems not being mounted).
Here are the early avcs...
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied { create } for pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { associate } for pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
Sep 3 07:25:36 fedora smartd[2856]: Configuration file /etc/smartd.conf parsed.
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=tmpfs ino=2095 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Device: /dev/hda, opened
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=tmpfs ino=2095 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Device: /dev/hda, found in smartd database.
Sep 3 07:25:36 fedora kernel: audit(1094196259.312:0): avc: denied { read write } for pid=344 exe=/bin/hostname name=console dev=tmpfs ino=864 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:36 fedora kernel: audit(1094196259.382:0): avc: denied { search } for pid=346 exe=/bin/bash dev=tmpfs ino=863 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:36 fedora kernel: audit(1094196259.382:0): avc: denied { read write } for pid=346 exe=/bin/bash name=tty dev=tmpfs ino=1227 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:37 fedora smartd[2856]: Device: /dev/hda, is SMART capable. Adding to "monitor" list.
Sep 3 07:25:37 fedora kernel: audit(1094196260.276:0): avc: denied { read write } for pid=490 exe=/bin/mount name=console dev=tmpfs ino=864 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:37 fedora smartd[2856]: Monitoring 1 ATA and 0 SCSI devices
Sep 3 07:25:37 fedora kernel: audit(1094196260.277:0): avc: denied { search } for pid=490 exe=/bin/mount dev=tmpfs ino=863 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:37 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Sep 3 07:25:38 fedora smartd[2858]: smartd has fork()ed into background mode. New PID=2858.
Sep 3 07:25:38 fedora kernel: audit(1094196260.368:0): avc: denied { read write } for pid=514 exe=/sbin/consoletype name=console dev=tmpfs ino=864 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora smartd: smartd startup succeeded
Sep 3 07:25:38 fedora kernel: audit(1094196260.368:0): avc: denied { getattr } for pid=514 exe=/sbin/consoletype path=/dev/console dev=tmpfs ino=864 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196260.368:0): avc: denied { ioctl } for pid=514 exe=/sbin/consoletype path=/dev/console dev=tmpfs ino=864 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied { read write } for pid=724 exe=/sbin/minilogd name=console dev=tmpfs ino=864 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied { use } for pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=fd
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied { read } for pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:root_t tclass=file
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied { search } for pid=724 exe=/sbin/minilogd dev=tmpfs ino=863 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied { write } for pid=724 exe=/sbin/minilogd dev=tmpfs ino=863 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied { add_name } for pid=724 exe=/sbin/minilogd name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.159:0): avc: denied { create } for pid=724 exe=/sbin/minilogd name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.160:0): avc: denied { getattr } for pid=727 exe=/sbin/minilogd path=/dev/log dev=tmpfs ino=2641 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
Sep 3 07:25:38 fedora kernel: audit(1094196262.217:0): avc: denied { read write } for pid=730 exe=/bin/dmesg name=console dev=tmpfs ino=864 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora acpid: acpid startup succeeded
Sep 3 07:25:38 fedora kernel: audit(1094196262.285:0): avc: denied { read write } for pid=735 exe=/sbin/restorecon name=console dev=tmpfs ino=864 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:38 fedora kernel: audit(1094196266.948:0): avc: denied { create } for pid=746 exe=/sbin/udev name=input scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=dir
tom
On Fri, 2004-09-03 at 11:43, Tom London wrote:
Newest Rawhide packages improve things a bit for strict/enforcing, but still no joy.
When booting strict/enforcing, the system seems to boot to single user mode, but is unable to write to the console. Last messages are avc denials from /bin/dmesg, which seem to occur just before the 'Welcome to Fedora' message. I can hear the device discovery going on, but nothing on the console. After about 5 minutes, ALT-CTL-DEL brought the system down, with the customary console messages. (But, error messages about most file systems not being mounted).
Here are the early avcs...
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied { create } for pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { associate } for pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
No point in even trying to work from those audit messages, as the tmpfs entry in fs_use in the rawhide policy is wrong and will break all users of anonymous shared mappings and System V shared memory regardless of whether it ever works for tmpfs /dev.
And life is still rather unpleasant even if fs_use is reverted to the upstream policy. Using fscontext=system_u:object_r:device_t on the tmpfs /dev mount would help significantly, but the claim is that it is mounted before the initial policy load. End result is that tmpfs_t ends up doing double duty as a type on shmem and /dev, which has a huge impact on existing policy.
Strongly advise changing initialization to umount the initial tmpfs /dev prior to initrd exit and re-mount it _after_ the initial policy load using fscontext=. Or load a minimal policy from the initrd in your /linuxrc prior to original tmpfs mount.
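As an added illustration (not code from this thread or from the Fedora project), here is a small parser for the 2004-era `kernel: audit(...): avc:` syslog format Tom posted, with a summary that groups denials by target type. The point it makes visible is the one Stephen raises above: almost every early denial in Tom's log targets `unlabeled_t` objects on `dev=tmpfs`, which is the signature of /dev having been mounted on tmpfs before the initial policy load, so adding allow rules for each denial would be the wrong fix. The sample lines are a constructed subset copied from the log in this thread; the 0.5 threshold in `labeling_problem_likely` is an assumed heuristic, not anything the thread states.

```python
import re
from collections import Counter

# Constructed sample (a subset of the lines quoted in this thread): kernel
# "audit(...): avc:" records mixed with an unrelated smartd line that the
# parser must skip.
SAMPLE_LOG = """\
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied { create } for pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.312:0): avc: denied { read write } for pid=344 exe=/bin/hostname name=console dev=tmpfs ino=864 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep 3 07:25:37 fedora kernel: audit(1094196260.277:0): avc: denied { search } for pid=490 exe=/bin/mount dev=tmpfs ino=863 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep 3 07:25:38 fedora kernel: audit(1094196262.158:0): avc: denied { read } for pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:root_t tclass=file
Sep 3 07:25:38 fedora kernel: audit(1094196266.948:0): avc: denied { create } for pid=746 exe=/sbin/udev name=input scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one syslog line into a dict of AVC fields, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = tuple(m.group("perms").split())
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def denials_by_target_type(records):
    """Count denials per target type. A spike in unlabeled_t points at a labeling
    problem (a filesystem mounted before policy load), not at missing allow rules."""
    return Counter(r["ttype"] for r in records if r["verdict"] == "denied")


def unlabeled_tmpfs_objects(records):
    """(exe, object, class) for denied accesses to unlabeled objects on tmpfs,
    i.e. the /dev-on-tmpfs symptom discussed in the thread."""
    out = []
    for r in records:
        if r["ttype"] == "unlabeled_t" and r.get("dev") == "tmpfs":
            obj = r.get("path") or r.get("name") or "ino=" + r.get("ino", "?")
            out.append((r["exe"], obj, r["tclass"]))
    return out


def labeling_problem_likely(records, threshold=0.5):
    """Assumed heuristic: if more than `threshold` of denials target unlabeled_t,
    fix labels (mount order / fscontext=) before touching policy rules."""
    counts = denials_by_target_type(records)
    total = sum(counts.values())
    return total > 0 and counts["unlabeled_t"] / total > threshold


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(denials_by_target_type(recs))
    for exe, obj, cls in unlabeled_tmpfs_objects(recs):
        print(f"{exe} -> {obj} ({cls}) is unlabeled on tmpfs")
    print("labeling problem likely:", labeling_problem_likely(recs))
```

Run against a full boot log, the `denials_by_target_type` summary separates the two cases Stephen distinguishes: a wall of `unlabeled_t` targets means the objects never got a label (mount before policy load, or a bad `fs_use` entry), whereas denials against properly typed targets such as `root_t` or `device_t` are the ones that may actually call for a policy change.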
Stephen Smalley wrote:
On Fri, 2004-09-03 at 11:43, Tom London wrote:
Newest Rawhide packages improve things a bit for strict/enforcing, but still no joy.
When booting strict/enforcing, the system seems to boot to single user mode, but is unable to write to the console. Last messages are avc denials from /bin/dmesg, which seem to occur just before the 'Welcome to Fedora' message. I can hear the device discovery going on, but nothing on the console. After about 5 minutes, ALT-CTL-DEL brought the system down, with the customary console messages. (But, error messages about most file systems not being mounted).
Here are the early avcs...
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied { create } for pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { associate } for pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
No point in even trying to work from those audit messages, as the tmpfs entry in fs_use in the rawhide policy is wrong and will break all users of anonymous shared mappings and System V shared memory regardless of whether it ever works for tmpfs /dev.
And life is still rather unpleasant even if fs_use is reverted to the upstream policy. Using fscontext=system_u:object_r:device_t on the tmpfs /dev mount would help significantly, but the claim is that it is mounted before the initial policy load. End result is that tmpfs_t ends up doing double duty as a type on shmem and /dev, which has a huge impact on existing policy.
Strongly advise changing initialization to umount the initial tmpfs /dev prior to initrd exit and re-mount it _after_ the initial policy load using fscontext=. Or load a minimal policy from the initrd in your /linuxrc prior to original tmpfs mount.
Most of the problems with booting strict SELinux with /dev/ mounted on a tmpfs file system should be fixed by the latest policy and initscripts package.
Dan
Dan,
[Rawhide repo seems to be down, so I may have incomplete download state...]
running .541, strict enforcing.
Installed latest stuff from your tree, and applied patches you sent out later.
Strict/enforcing now boots up to X/Gnome. (Can login and everything!).
Early failure configuring NICs. Suggest: --- ifconfig.te 2004-09-08 11:05:53.000000000 -0700 +++ ifconfig.te.new 2004-09-09 10:28:05.467768274 -0700 @@ -24,7 +24,7 @@ domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
# for /sbin/ip -allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write setopt }; allow ifconfig_t self:tcp_socket { create ioctl }; allow ifconfig_t etc_t:file { getattr read };
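Review bot: The setopt permission is added to the ifconfig_t self:netlink_route_socket rule without the avc denial that motivated it; please include the audit line (scontext ending in ifconfig_t, tclass=netlink_route_socket) alongside the patch so reviewers can confirm that setopt was the only permission denied and that the request really came from /sbin/ip running in ifconfig_t rather than from a mislabelled binary in some other domain. The `@@ -24,7 +24,7 @@` header and the single replaced line are otherwise consistent, and the `# for /sbin/ip` comment already documents why the rule exists.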
[I'm sorry if I missed this in your patches. I applied them manually, so I may have missed this one.]
selinux@lists.fedoraproject.org