udevsend....

Tom London selinux at comcast.net
Tue Aug 24 16:38:55 UTC 2004


Sorry, I sent this off too quickly.

Here are additional avc's generated by udev....

Aug 24 09:12:27 fedora kernel: audit(1093338680.407:0): avc:  denied  { getattr } for  pid=315 exe=/sbin/udevsend path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363902.870:0): avc:  denied  { search } for  pid=1079 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 24 09:12:31 fedora kernel: audit(1093363902.877:0): avc:  denied  { search } for  pid=1079 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Aug 24 09:12:31 fedora kernel: audit(1093363902.894:0): avc:  denied  { read } for  pid=1079 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=root:object_r:file_context_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363902.894:0): avc:  denied  { getattr } for  pid=1079 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=root:object_r:file_context_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363919.802:0): avc:  denied  { write } for  pid=1200 exe=/sbin/udev name=fscreate dev=proc ino=78643222 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363919.802:0): avc:  denied  { setfscreate } for  pid=1200 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 24 09:12:31 fedora kernel: audit(1093363919.941:0): avc:  denied  { search } for  pid=1202 exe=/bin/bash name=console dev=hda2 ino=4456494 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 24 09:12:32 fedora kernel: audit(1093363947.209:0): avc:  denied  { getattr } for  pid=2131 exe=/sbin/udev path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file

Seems to want:
allow udev_t default_context_t:dir { search };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { getattr read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t selinux_config_t:file { getattr };
allow udev_t udev_t:file { write };
allow udev_t udev_t:process { setfscreate };

Help.... this one is beyond me......
   tom

Tom London wrote:

> The newest Rawhide udev seems to add 'udevsend' that seems to want
> allow udev_t selinux_config_t:dir { search };
> allow udev_t selinux_config_t:file { read };
>
> I'm guessing that udevsend replaces the script 
> /etc/dev.d/default/selinux.dev.
>
> tom
>
> Here are the avcs....
>
> Aug 24 08:45:13 fedora kernel: audit(1093362313.380:0): avc:  denied  { search } for  pid=3905 exe=/sbin/udevsend name=selinux dev=hda2 ino=4509743 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=dir
> Aug 24 08:45:13 fedora kernel: audit(1093362313.380:0): avc:  denied  { read } for  pid=3905 exe=/sbin/udevsend name=config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
> Aug 24 08:45:13 fedora kernel: audit(1093362313.380:0): avc:  denied  { getattr } for  pid=3905 exe=/sbin/udevsend path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
>
>
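
An added example, not code from Tom's mail or from the udev project, that does by hand what audit2allow does with a log like the one above: it parses each AVC record, merges the denied permissions per source type, target type and object class, and prints the allow rules, reproducing the list in the post. The sample input is the post's own nine records, rejoined one per line.

```python
import re
from collections import defaultdict

# Sample input: the nine AVC records from the post, rejoined to one line each
# (the mail client had wrapped them).
AVC_LOG = """\
Aug 24 09:12:27 fedora kernel: audit(1093338680.407:0): avc:  denied  { getattr } for  pid=315 exe=/sbin/udevsend path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363902.870:0): avc:  denied  { search } for  pid=1079 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 24 09:12:31 fedora kernel: audit(1093363902.877:0): avc:  denied  { search } for  pid=1079 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Aug 24 09:12:31 fedora kernel: audit(1093363902.894:0): avc:  denied  { read } for  pid=1079 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=root:object_r:file_context_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363902.894:0): avc:  denied  { getattr } for  pid=1079 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=root:object_r:file_context_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363919.802:0): avc:  denied  { write } for  pid=1200 exe=/sbin/udev name=fscreate dev=proc ino=78643222 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 24 09:12:31 fedora kernel: audit(1093363919.802:0): avc:  denied  { setfscreate } for  pid=1200 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 24 09:12:31 fedora kernel: audit(1093363919.941:0): avc:  denied  { search } for  pid=1202 exe=/bin/bash name=console dev=hda2 ino=4456494 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 24 09:12:32 fedora kernel: audit(1093363947.209:0): avc:  denied  { getattr } for  pid=2131 exe=/sbin/udev path=/etc/selinux/config dev=hda2 ino=4509759 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:selinux_config_t tclass=file
"""

# One AVC record: the denied permission set, then the source and target
# contexts and the target object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a context (user:role:type[:level])."""
    return context.split(":")[2]


def avc_to_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # not an AVC record, skip it
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        perms[key].update(m["perms"].split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    print("\n".join(avc_to_rules(AVC_LOG)))
```

The generated rules are only what the log asked for, so each one still needs a look at why the program needed it (here, for instance, the write to udev_t:file is udev writing its own /proc/self/attr/fscreate, which goes with the setfscreate rule) before it is added to policy.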


