selinux-policy-targeted-1.23.12-4: /proc {search} failures ?

Tom London selinux at gmail.com
Sat Apr 23 20:24:33 UTC 2005


Running targeted/enforcing, latest rawhide.

Rebooting after today's updates (including .1261 and
selinux-policy-targeted-1.23.12-4), graphical logins fail.

Looks like search access to /proc/PROCESS-ID directories is failing.
(Also shows an early hotplug attempt at writing to sysfs_t.)

I worked around this by doing an 'ALT-CTL-F2', logging in on the
text console, and doing a 'setenforce 0'. Reverting to graphical via
'ALT-CTL-F7' now allows login.

/var/log messages show a very large number of avcs, including many
that look like:
Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: 
denied  { write } for  name=vcs7 dev=sysfs ino=6997
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: 
denied  { write } for  name=vcsa7 dev=sysfs ino=7003
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated
/etc/resolv.conf

and
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=2 dev=proc ino=131074
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=3 dev=proc ino=196610
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=4 dev=proc ino=262146
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
<<<<SNIP  many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2103 dev=proc ino=137822210
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2111 dev=proc ino=138346498
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2303 dev=proc ino=150929410
scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2476 dev=proc ino=162267138
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2530 dev=proc ino=165806082
scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2548 dev=proc ino=166985730
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2575 dev=proc ino=168755202
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
<<<<SNIP many, many.... >>>>

etc. etc.

Is this a policy change, or did something else change? Or, did I just
botch it again?

thanks,
   tom

-- 
Tom London
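Added example, not code from the original post or from the SELinux project: a small Python script that parses AVC denial lines of the kind quoted above and collapses them by source type, target type, object class and permission, the way audit2allow summarizes a log before proposing rules. The sample log is constructed from the denials quoted in the post, with each AVC record on a single line as the kernel emits it (the mail archive wraps them). The "many, many" /proc/PID denials reduce to a handful of (init_t, <domain>, dir, search) tuples because each /proc/PID directory carries the security context of the process that owns it, so the target type varies with whatever services happen to be running. The rendered allow rules are a diagnostic view of what was denied, not a recommendation to add them to policy; whether the denials reflect an intended policy change is exactly the question the post asks.

```python
"""Aggregate SELinux AVC denials from syslog lines into candidate allow rules.

Added example, not code from the original post. It mimics the grouping that
audit2allow performs, with hand-written parsing so it runs offline.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the denials quoted in the post,
# one AVC record per line; the first line is a non-AVC syslog entry.
SAMPLE_LOG = """\
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:  denied  { write } for  name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:  denied  { write } for  name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:  denied  { search } for  name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:  denied  { search } for  name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2530 dev=proc ino=165806082 scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()   # a denial may list several
    return rec


def ctx_type(context):
    """Extract the type from a user:role:type[:mls] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def allow_rules(counts):
    """Render the aggregated denials as policy allow rules (audit2allow style)."""
    grouped = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in grouped.items()
    )


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines())
    for key, n in sorted(counts.items()):
        print("%5d  %s" % (n, " ".join(key)))
    print()
    for rule in allow_rules(counts):
        print(rule)
```

On a real box the same aggregation is what `audit2allow -a` (or piping the avc lines through `audit2allow`) would print; the point of doing it by hand is to see the denial set shrink to one line per (source, target, class) before deciding whether policy or labeling is at fault.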