Question on SELinux AVC messages with systemd.
Lennart Poettering
mzerqung at 0pointer.de
Tue Jul 20 14:04:52 UTC 2010
On Mon, 19.07.10 13:52, Daniel J Walsh (dwalsh at redhat.com) wrote:
> I am noticing the following in F14
>
> type=1400 audit(1279559591.480:31): avc: denied { read } for pid=526
> comm="udevd" name="/" dev=autofs ino=9519
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:autofs_t:s0 tclass=dir
> type=1400 audit(1279559595.968:35): avc: denied { read } for pid=880
> comm="blkid" name="/" dev=autofs ino=9522
> scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:autofs_t:s0 tclass=dir
> type=AVC msg=audit(1279559629.289:59): avc: denied { read } for
> pid=2013 comm="vgchange" name="/" dev=autofs ino=9522
> scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:autofs_t:s0 tclass=dir
> type=PATH msg=audit(1279559629.289:59): item=0 name="/dev/mqueue"
> inode=9522 dev=00:21 mode=040755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:autofs_t:s0
>
> These AVC messages indicate lots of daemons that are trying to list the
> contents of a directory labeled autofs_t. udevd, blkid, vgchange.
>
> Do you have any idea what is going on here? Am I going to have to allow
> all daemons to list the contents of autofs_t?
Those are the automount directories we install for /dev/mqueue,
/dev/hugepages, /proc/sys/fs/binfmt_misc, and the other API mounts. On
first access those automount points will be replaced by the actual file
systems. That allows us to make the mounts available right-away without
actually having to load the modules implementing them.
I am not entirely sure though why those processes actually access those
dirs in this case. Maybe they are iterating through the files in /dev?
Smells a bit broken to me.
> Will I have to allow all daemons to list the contents of hugetlbfs_t?
Well, I see no reason why the LVM tools, or udev might need to access
the mqueue or hugetlbfs file system. They should not need access to it.
> Or could these be leaks?
No, unlikely.
Lennart
--
Lennart Poettering - Red Hat, Inc.
More information about the devel
mailing list