mknod problem still present denied avc's

Antonio Olivares olivares14031 at yahoo.com
Fri Jun 15 02:24:12 UTC 2007



----- Original Message ----
From: Daniel J Walsh <dwalsh at redhat.com>
To: Antonio Olivares <olivares14031 at yahoo.com>
Cc: fedora-selinux-list at redhat.com
Sent: Thursday, June 14, 2007 9:02:35 AM
Subject: Re: mknod problem still present denied avc's

Antonio Olivares wrote:
> dmesg returns
>
> audit(1181681041.681:4): avc:  denied  { add_name } for  pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> After I did this again
>
> [olivares at localhost ~]$ su -
> Password: 
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
> [root at localhost ~]# 
>
> Selinux troubleshooter returned this:
>
> avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0 
>
>   
Yes, you allowed add_name to the directory; now it is complaining about the
write. It is best to put the machine in permissive mode, run the app to
completion, then generate the policy and retest in enforcing mode.

setenforce 0
run test
grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
semodule -i myinsmod.pp
setenforce 1
run test
> Policy RPM:  selinux-policy-2.6.4-8.fc7
>
> Affected RPM Packages:  coreutils-6.9-2.fc7 [application]
> Policy RPM:  selinux-policy-2.6.4-12.fc7
>
>
> How can I effectively fix this?
>
> This is my /etc/modprobe.conf
>
> [root at localhost Download]# cat /etc/modprobe.conf
> alias eth0 8139too
> alias scsi_hostadapter sata_via
> alias scsi_hostadapter1 pata_via
> alias snd-card-0 snd-via82xx
> options snd-card-0 index=0  
> options snd-via82xx index=0  
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
> [root at localhost Download]#
>
> Thanks,
>
> Antonio 
>
>
>

Did as you instructed. Set SELinux to permissive mode, recreated /dev/slamr0 using mknod, and upon rebooting with SELinux enabled it works!!

[root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myinsmod.pp

[root at localhost ~]# semodule -i myinsmod.pp
[root at localhost ~]# setenforce 1

but the message still appears

audit(1181873499.608:3): avc:  denied  { create } for  pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I have checked with the troubleshooter and it recommends me to do
restorecon -v /dev/slamr0

[root at localhost ~]# restorecon -v /dev/slamr0
[root at localhost ~]# ls /dev/slamr0 -l
crw-rw---- 1 root root 242, 0 2007-06-14 21:11 /dev/slamr0
[root at localhost ~]# 

Here is the summary from the setroubleshoot browser.

Summary
    SELinux is preventing sh (insmod_t) "getattr" access to device /dev/slamr0.

Detailed Description
    SELinux has denied the sh (insmod_t) "getattr" access to device /dev/slamr0.
    /dev/slamr0 is mislabeled, this device has the default label of the /dev
    directory, which should not happen.  All Character and/or Block Devices
    should have a label. You can attempt to change the label of the file using
    restorecon -v /dev/slamr0. If this device remains labeled device_t, then
    this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/slamr0, you can use
    chcon -t SIMILAR_TYPE /dev/slamr0, If this fixes the problem, you can make
    this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/slamr0
    If the restorecon changes the context, this indicates that the application
    that created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.

Allowing Access
    Attempt restorecon -v /dev/slamr0 or chcon -t SIMILAR_TYPE /dev/slamr0

Additional Information        

Source Context                system_u:system_r:insmod_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/slamr0 [ chr_file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-12.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.device
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3226.fc7 #1
                              SMP Sat Jun 9 22:23:35 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 14 Jun 2007 06:26:18 PM CDT
Last Seen                     Thu 14 Jun 2007 06:26:18 PM CDT
Local ID                      04c18a63-7a70-462e-8937-018923ab95bf
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265
scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0


Thanks for helping,

Antonio 
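The denials quoted in this thread are really two different problems: the add_name and write denials on the /dev directory are ordinary permission gaps that audit2allow can turn into a local module, while the create and getattr denials on the chr_file itself are against a node that still carries the default type of /dev (device_t), which is the labeling problem setroubleshoot describes. The script below is an added example, not code from this thread or from the SELinux tools: it parses raw avc: lines of the shape shown above, groups them by source type, target type and object class, shows the allow rule audit2allow would generate for the directory group, and reports the device_t chr_file group as something to fix with restorecon or semanage fcontext rather than with an allow rule. The embedded sample lines are constructed copies of the four denials quoted above.

```python
"""Triage SELinux AVC denials: allow rule or mislabeled device?

Added example for this thread, not part of the SELinux tools.  It separates
denials that a local audit2allow module can reasonably cover from denials
whose real cause is a device node that inherited /dev's default type
(device_t), where the remedy is relabeling, not a new allow rule.
"""
import re
import sys
from collections import defaultdict

# Constructed sample lines modelled on the four denials quoted in the thread.
SAMPLE_AVC_LINES = [
    'audit(1181681041.681:4): avc:  denied  { add_name } for  pid=739 comm="mknod" '
    'name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir',
    'avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" '
    'exit=-13 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 tclass=dir '
    'tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0',
    'audit(1181873499.608:3): avc:  denied  { create } for  pid=751 comm="mknod" '
    'name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'avc: denied { getattr } for comm="sh" dev=tmpfs exe="/bin/bash" exit=0 '
    'name="slamr0" path="/dev/slamr0" pid=2265 scontext=system_u:system_r:insmod_t:s0 '
    'tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return {'perms': [...], field: value, ...} for one avc line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, raw, quoted in FIELD_RE.findall(m.group('fields')):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def type_of(context):
    """user_u:system_r:insmod_t:s0 -> insmod_t (the type is the third field)."""
    return context.split(':')[2]


def group_denials(lines):
    """Collect permissions and object paths per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    paths_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        perms_by_key[key].update(rec['perms'])
        if 'path' in rec:
            paths_by_key[key].add(rec['path'])
    return dict(perms_by_key), dict(paths_by_key)


def allow_rule(stype, ttype, tclass, perms):
    """The TE allow rule audit2allow would emit for one group of denials."""
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def triage(lines):
    """Decide per group whether an allow rule or a relabel is the right fix."""
    perms_by_key, paths_by_key = group_denials(lines)
    report = {}
    for key, perms in perms_by_key.items():
        stype, ttype, tclass = key
        if ttype == 'device_t' and tclass in ('chr_file', 'blk_file'):
            # setroubleshoot's point: a device node should never keep /dev's own
            # type; granting insmod_t rights on device_t would hide the bug.
            report[key] = {'kind': 'mislabeled-device', 'perms': sorted(perms),
                           'paths': sorted(paths_by_key.get(key, ()))}
        else:
            report[key] = {'kind': 'allow-rule', 'perms': sorted(perms),
                           'rule': allow_rule(stype, ttype, tclass, perms)}
    return report


if __name__ == '__main__':
    source = SAMPLE_AVC_LINES if sys.stdin.isatty() else (l.rstrip('\n') for l in sys.stdin)
    for (stype, ttype, tclass), info in sorted(triage(source).items()):
        if info['kind'] == 'allow-rule':
            print('module candidate: %s' % info['rule'])
        else:
            print('relabel first (restorecon -v / semanage fcontext): %s:%s %s denied %s'
                  % (ttype, tclass, info['paths'] or ['<path not in record>'], info['perms']))
```

Run it with no input to see the embedded samples triaged, or pipe `grep avc /var/log/audit/audit.log` into it. The chr_file group is reported separately on purpose: an allow rule letting insmod_t create and read device_t:chr_file would make enforcing mode accept any mislabeled node, whereas a correct label for /dev/slamr0 removes those denials without widening policy at all.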








