dmesg entries Rawhide

Dominick Grift domg472 at gmail.com
Tue Jun 1 10:42:52 UTC 2010


On Tue, Jun 01, 2010 at 11:01:31AM +0100, Frank Murphy wrote:
> Is following anything to worry about, no alerts once on Desktop.
> ------------------------------------------------------------------
> dracut: Loading SELinux policy
> --snip--
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> type=1403 audit(1275384894.833:3): policy loaded auid=4294967295
> ses=4294967295
> dracut: Switching root
> type=1400 audit(1275384895.605:4): avc:  denied  { read write } for
> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.607:5): avc:  denied  { read write } for
> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.682:6): avc:  denied  { read write } for
> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.682:7): avc:  denied  { read write } for
> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.685:8): avc:  denied  { read write } for
> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.685:9): avc:  denied  { read write } for
> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.859:10): avc:  denied  { open } for  pid=576
> comm="mount" name="null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.862:11): avc:  denied  { read write } for
> pid=578 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Yes, there's a bug in dracut. hhoyer said it would be fixed in an update soon. Here's how to fix it:

commit 769cf2477076a0ec0ab40de329eddc6d33435dde
Author: Dominick Grift <domg472 at gmail.com> 2010-05-14 18:26:02
Committer: Dominick Grift <domg472 at gmail.com> 2010-05-14 18:26:02
Parent: 05997000a2389e510dd924bcf37b61c93b09f83a (Remove unused comments.)
Child:  f68796e9a8fd8c5234faf06484c99f2028c7b652 (Version 3.7.19-16.3)

Added this:
                mount --bind /dev "$NEWROOT/dev"
                chroot "$NEWROOT" /sbin/restorecon -R /dev
to:
/usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
so that devtmpfs gets restored right after dracut loads policy.
So now we should be able to remove:
dev_rw_generic_chr_files for both init_t and initrc_t, I guess.
Instead add dev_read_urand(init_t).

Signed-off-by: Dominick Grift <domg472 at gmail.com>
------------------------ policy/modules/system/init.te ------------------------
index 8018498..2a784c1 100644
@@ -139,7 +139,8 @@
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
-dev_rw_generic_chr_files(init_t)
+dev_read_urand(init_t)
+# dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
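Review bot: `# dev_rw_generic_chr_files(init_t)` is left in as a commented-out line although the message says the rule is being removed; drop the dead line instead of keeping it, and put a one-line comment above `dev_read_urand(init_t)` saying why init still needs urandom once the generic chr_file access is gone. The removal also only works after the dracut change (bind-mounting /dev into "$NEWROOT" and running `restorecon -R /dev` right after policy load) is in place, since otherwise /dev/console is still device_t when init starts; the commit message should state that ordering dependency explicitly.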
@@ -346,7 +347,7 @@
 dev_getattr_all_chr_files(initrc_t)
 dev_rw_xserver_misc(initrc_t)
 # Else readahead wont start
-dev_rw_generic_chr_files(initrc_t)
+# dev_rw_generic_chr_files(initrc_t)
 
 corecmd_exec_all_executables(initrc_t)
 
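Review bot: the comment `# Else readahead wont start` now sits above a disabled rule (`# dev_rw_generic_chr_files(initrc_t)`), so it reads as if the access were still granted; either delete both lines or reword the comment to record that readahead used to need this and no longer does because dracut relabels /dev before initrc_t runs.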


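As an added example, not part of this thread or of dracut/refpolicy: a small Python parser that reads AVC lines like the ones quoted above, collapses the repeats, and flags the pattern they all share (a device_t chr_file on devtmpfs, i.e. a device node that was never relabelled), which is exactly what the dracut restorecon fix addresses rather than a wider allow rule. The sample lines are constructed from the excerpt, and the function names are my own.

```python
import re
from collections import Counter
# Constructed sample in the shape of the dmesg excerpt above (three of the denials, one per line).
SAMPLE_DMESG = """\
type=1400 audit(1275384895.605:4): avc:  denied  { read write } for pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275384895.859:10): avc:  denied  { open } for  pid=576 comm="mount" name="null" dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275384895.862:11): avc:  denied  { read write } for pid=578 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?:\s+(?:path|name)="?(?P<target>[^" ]+)"?)?'   # path= or name=, when present
    r'(?:\s+dev=(?P<dev>\S+))?'                        # backing filesystem, when present
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per AVC denial line; lines that are not denials are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["perms"] = ev["perms"].split()
        ev["stype"] = ev["scontext"].split(":")[2]  # source domain, e.g. hostname_t
        ev["ttype"] = ev["tcontext"].split(":")[2]  # target type, e.g. device_t
        events.append(ev)
    return events

def summarize(events):
    """Collapse repeats: count denials by (domain, target type, class, perms)."""
    return Counter((e["stype"], e["ttype"], e["tclass"], " ".join(e["perms"]))
                   for e in events)

def unrelabeled_dev_denials(events):
    """Denials on a generic device_t chr_file that lives on devtmpfs. After restorecon,
    /dev/console and /dev/null carry specific types (console_device_t, null_device_t),
    so device_t here means kernel-created nodes that were never relabelled."""
    return [e for e in events
            if e["ttype"] == "device_t" and e["tclass"] == "chr_file"
            and e.get("dev") == "devtmpfs"]

if __name__ == "__main__":
    for key, n in summarize(parse_avc(SAMPLE_DMESG)).items():
        print(n, *key)
    for e in unrelabeled_dev_denials(parse_avc(SAMPLE_DMESG)):
        print("unrelabelled device node:", e["comm"], e["target"])
```

Run it against a real `dmesg` or `/var/log/audit/audit.log` excerpt; if every flagged target is device_t on devtmpfs, the boot-time relabel is missing and granting dev_rw_generic_chr_files() would only mask that.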