Old 05-24-2010, 06:54 PM
Karl-Michael Schneider
 
Device nodes have no type when booting a 2.6.32.*.fc12 kernel

I have fc12 installed on a Lenovo R61 laptop with two kernels:

kernel-2.6.31.12-174.2.22.fc12.i686
kernel-2.6.32.12-115.fc12.i686

The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
kernel it fails because SELinux is blocking access to device nodes. I
can only boot the 2.6.32 kernel in single user mode. The reason is
that /dev and all files in it have no type:

$ ls -lZ /dev
crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 block
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 bsg
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 bus
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 char
crw-------. root root system_u:object_r:unlabeled_t:s0 console
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 cpu
crw-rw----. root root system_u:object_r:unlabeled_t:s0 cpu_dma_latency
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 disk
brw-rw----. root root system_u:object_r:unlabeled_t:s0 dm-0
brw-rw----. root root system_u:object_r:unlabeled_t:s0 dm-1
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 dri
crw-r--r--. root root system_u:object_r:unlabeled_t:s0 fb
crw-rw----. root root system_u:object_r:unlabeled_t:s0 fb0
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 full
crw-rw----. root root system_u:object_r:unlabeled_t:s0 fw0
crw-rw----. root root system_u:object_r:unlabeled_t:s0 hpet
crw-r--r--. root root system_u:object_r:unlabeled_t:s0 hvc0
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 input
crw-rw----. root root system_u:object_r:unlabeled_t:s0 kmsg
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop0
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop1
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop2
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop3
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop4
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop5
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop6
brw-rw----. root disk system_u:object_r:unlabeled_t:s0 loop7
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 mapper
crw-rw----. root root system_u:object_r:unlabeled_t:s0 mcelog
crw-r-----. root root system_u:object_r:unlabeled_t:s0 mem
crw-rw----. root root system_u:object_r:unlabeled_t:s0 network_latency
crw-rw----. root root system_u:object_r:unlabeled_t:s0 network_throughput
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 null
crw-r-----. root root system_u:object_r:unlabeled_t:s0 nvram
crw-rw----. root root system_u:object_r:unlabeled_t:s0 oldmem
crw-r-----. root root system_u:object_r:unlabeled_t:s0 port
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 ptmx
drwxr-xr-x. root root system_u:object_r:devpts_t:s0 pts
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 random
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 raw
lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 root -> /dev/VolGroup00/LogVol00
lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 rtc -> rtc0
crw-rw----. root root system_u:object_r:unlabeled_t:s0 rtc0
lrwxrwxrwx. root root system_u:object_r:unlabeled_t:s0 scd0 -> sr0
brw-rw----. root root system_u:object_r:unlabeled_t:s0 sda
brw-rw----. root root system_u:object_r:unlabeled_t:s0 sda1
brw-rw----. root root system_u:object_r:unlabeled_t:s0 sda2
brw-rw----. root root system_u:object_r:unlabeled_t:s0 sda3
crw-rw----. root root system_u:object_r:unlabeled_t:s0 sg0
crw-rw----. root root system_u:object_r:unlabeled_t:s0 sg1
drwxrwxrwt. root root system_u:object_r:tmpfs_t:s0 shm
crw-rw----. root root system_u:object_r:unlabeled_t:s0 snapshot
brw-rw----. root root system_u:object_r:unlabeled_t:s0 sr0
crw-r--r--. root root system_u:object_r:unlabeled_t:s0 systty
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 tty
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty0
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty1
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty10
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty11
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty12
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty13
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty14
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty15
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty16
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty17
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty18
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty19
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty2
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty20
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty21
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty22
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty23
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty24
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty25
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty26
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty27
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty28
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty29
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty3
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty30
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty31
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty32
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty33
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty34
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty35
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty36
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty37
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty38
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty39
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty4
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty40
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty41
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty42
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty43
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty44
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty45
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty46
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty47
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty48
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty49
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty5
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty50
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty51
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty52
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty53
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty54
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty55
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty56
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty57
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty58
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty59
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty6
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty60
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty61
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty62
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty63
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty7
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty8
crw--w----. root root system_u:object_r:unlabeled_t:s0 tty9
crw-rw----. root root system_u:object_r:unlabeled_t:s0 ttyS0
crw-rw----. root root system_u:object_r:unlabeled_t:s0 ttyS1
crw-rw----. root root system_u:object_r:unlabeled_t:s0 ttyS2
crw-rw----. root root system_u:object_r:unlabeled_t:s0 ttyS3
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 urandom
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon0
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon1
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon2
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon3
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon4
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon5
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon6
crw-rw----. root root system_u:object_r:unlabeled_t:s0 usbmon7
crw-rw----. root root system_u:object_r:unlabeled_t:s0 vcs
crw-rw----. root root system_u:object_r:unlabeled_t:s0 vcs1
crw-rw----. root root system_u:object_r:unlabeled_t:s0 vcsa
crw-rw----. root root system_u:object_r:unlabeled_t:s0 vcsa1
crw-rw----. root root system_u:object_r:unlabeled_t:s0 vga_arbiter
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 VolGroup00
crw-rw-rw-. root root system_u:object_r:unlabeled_t:s0 zero

When I boot the 2.6.31 kernel, the device files are correctly labeled:

$ ls -lZ /dev
crw-rw----. root audio system_u:object_r:sound_device_t:s0 adsp
crw-------. root video system_u:object_r:agp_device_t:s0 agpgart
crw-rw----. root audio system_u:object_r:sound_device_t:s0 audio
drwxr-xr-x. root root system_u:object_r:device_t:s0 block
drwxr-xr-x. root root system_u:object_r:device_t:s0 bsg
drwxr-xr-x. root root system_u:object_r:device_t:s0 bus
lrwxrwxrwx. root root system_u:object_r:device_t:s0 cdrom1 -> sr0
lrwxrwxrwx. root root system_u:object_r:device_t:s0 cdrw1 -> sr0
drwxr-xr-x. root root system_u:object_r:device_t:s0 char
crw-------. root root system_u:object_r:console_device_t:s0 console
lrwxrwxrwx. root root system_u:object_r:device_t:s0 core -> /proc/kcore
drwxr-xr-x. root root system_u:object_r:device_t:s0 cpu
crw-rw----. root root system_u:object_r:netcontrol_device_t:s0 cpu_dma_latency
drwxr-xr-x. root root system_u:object_r:device_t:s0 disk
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 dm-1
drwxr-xr-x. root root system_u:object_r:device_t:s0 dri
crw-rw----. root audio system_u:object_r:sound_device_t:s0 dsp
lrwxrwxrwx. root root system_u:object_r:device_t:s0 dvd1 -> sr0
lrwxrwxrwx. root root system_u:object_r:device_t:s0 dvdrw1 -> sr0
crw-r--r--. root root system_u:object_r:framebuf_device_t:s0 fb
crw-rw----. root video system_u:object_r:framebuf_device_t:s0 fb0
lrwxrwxrwx. root root system_u:object_r:device_t:s0 fd -> /proc/self/fd
crw-rw-rw-. root root system_u:object_r:null_device_t:s0 full
crw-rw-rw-. root root system_u:object_r:fuse_device_t:s0 fuse
crw-rw----. root root system_u:object_r:usb_device_t:s0 fw0
crw-rw----. root root system_u:object_r:clock_device_t:s0 hpet
drwxr-xr-x. root root system_u:object_r:device_t:s0 hugepages
crw-r--r--. root root system_u:object_r:tty_device_t:s0 hvc0
drwxr-xr-x. root root system_u:object_r:device_t:s0 input
crw-rw----. root root system_u:object_r:kmsg_device_t:s0 kmsg
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop4
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop5
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop6
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 loop7
crw-rw----. root lp system_u:object_r:printer_device_t:s0 lp0
crw-rw----. root lp system_u:object_r:printer_device_t:s0 lp1
crw-rw----. root lp system_u:object_r:printer_device_t:s0 lp2
crw-rw----. root lp system_u:object_r:printer_device_t:s0 lp3
lrwxrwxrwx. root root system_u:object_r:device_t:s0 MAKEDEV -> /sbin/MAKEDEV
drwxr-xr-x. root root system_u:object_r:device_t:s0 mapper
crw-rw----. root root system_u:object_r:kmsg_device_t:s0 mcelog
crw-r-----. root kmem system_u:object_r:memory_device_t:s0 mem
crw-rw----. root audio system_u:object_r:sound_device_t:s0 mixer
drwxr-xr-x. root root system_u:object_r:device_t:s0 net
crw-rw----. root root system_u:object_r:netcontrol_device_t:s0 network_latency
crw-rw----. root root system_u:object_r:netcontrol_device_t:s0 network_throughput
crw-rw-rw-. root root system_u:object_r:null_device_t:s0 null
crw-r-----. root kmem system_u:object_r:nvram_device_t:s0 nvram
crw-rw----. root root system_u:object_r:memory_device_t:s0 oldmem
crw-r-----. root kmem system_u:object_r:memory_device_t:s0 port
crw-------. root root system_u:object_r:ppp_device_t:s0 ppp
crw-rw-rw-. root tty system_u:object_r:ptmx_t:s0 ptmx
drwxr-xr-x. root root system_u:object_r:devpts_t:s0 pts
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram11
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram12
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram13
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram14
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram15
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram4
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram5
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram6
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram7
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 ram9
crw-rw-rw-. root root system_u:object_r:random_device_t:s0 random
drwxr-xr-x. root root system_u:object_r:device_t:s0 raw
crw-rw-r--. root root system_u:object_r:device_t:s0 rfkill
lrwxrwxrwx. root root system_u:object_r:device_t:s0 root -> /dev/VolGroup00/LogVol00
lrwxrwxrwx. root root system_u:object_r:device_t:s0 rtc -> rtc0
crw-rw----. root root system_u:object_r:clock_device_t:s0 rtc0
lrwxrwxrwx. root root system_u:object_r:device_t:s0 scd0 -> sr0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 sda
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 sda1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 sda2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 sda3
crw-rw----. root audio system_u:object_r:sound_device_t:s0 sequencer
crw-rw----. root audio system_u:object_r:sound_device_t:s0 sequencer2
crw-rw----. root disk system_u:object_r:scsi_generic_device_t:s0 sg0
crw-rw----. root cdrom system_u:object_r:scsi_generic_device_t:s0 sg1
drwxrwxrwt. root root system_u:object_r:device_t:s0 shm
crw-rw----. root root system_u:object_r:apm_bios_t:s0 snapshot
drwxr-xr-x. root root system_u:object_r:device_t:s0 snd
brw-rw----. root cdrom system_u:object_r:removable_device_t:s0 sr0
lrwxrwxrwx. root root system_u:object_r:device_t:s0 stderr -> /proc/self/fd/2
lrwxrwxrwx. root root system_u:object_r:device_t:s0 stdin -> /proc/self/fd/0
lrwxrwxrwx. root root system_u:object_r:device_t:s0 stdout -> /proc/self/fd/1
crw-r--r--. root root system_u:object_r:tty_device_t:s0 systty
crw-rw-rw-. root tty system_u:object_r:devtty_t:s0 tty
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty0
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty1
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty10
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty11
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty12
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty13
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty14
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty15
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty16
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty17
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty18
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty19
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty2
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty20
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty21
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty22
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty23
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty24
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty25
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty26
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty27
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty28
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty29
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty3
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty30
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty31
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty32
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty33
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty34
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty35
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty36
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty37
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty38
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty39
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty4
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty40
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty41
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty42
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty43
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty44
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty45
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty46
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty47
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty48
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty49
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty5
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty50
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty51
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty52
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty53
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty54
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty55
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty56
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty57
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty58
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty59
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty6
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty60
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty61
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty62
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty63
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty7
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty8
crw--w----. root tty system_u:object_r:tty_device_t:s0 tty9
crw-rw----. root dialout system_u:object_r:tty_device_t:s0 ttyS0
crw-rw----. root dialout system_u:object_r:tty_device_t:s0 ttyS1
crw-rw----. root dialout system_u:object_r:tty_device_t:s0 ttyS2
crw-rw----. root dialout system_u:object_r:tty_device_t:s0 ttyS3
crw-rw-rw-. root root system_u:object_r:urandom_device_t:s0 urandom
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon0
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon1
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon2
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon3
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon4
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon5
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon6
crw-rw----. root root system_u:object_r:usb_device_t:s0 usbmon7
crw-rw----. vcsa tty system_u:object_r:tty_device_t:s0 vcs
crw-rw----. vcsa tty system_u:object_r:tty_device_t:s0 vcs1
crw-rw----. vcsa tty system_u:object_r:tty_device_t:s0 vcsa
crw-rw----. vcsa tty system_u:object_r:tty_device_t:s0 vcsa1
crw-rw----. root root system_u:object_r:device_t:s0 vga_arbiter
drwxr-xr-x. root root system_u:object_r:device_t:s0 VolGroup00
crw-rw----. root root system_u:object_r:watchdog_device_t:s0 watchdog
crw-rw-rw-. root root system_u:object_r:zero_device_t:s0 zero

The filesystem is ext3 on LVM:

$ cat /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
...

The filesystem was created when I installed FC9. Later I upgraded to
FC12. But the problem only appeared when the kernel was updated from
2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.

I have already relabeled the filesystem, but it didn't help. I tried
restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
anything.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 05-24-2010, 07:07 PM
Stephen Smalley
 
Device nodes have no type when booting a 2.6.32.*.fc12 kernel

On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
> I have fc12 installed on a Lenovo R61 laptop with two kernels:
>
> kernel-2.6.31.12-174.2.22.fc12.i686
> kernel-2.6.32.12-115.fc12.i686
>
> The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
> kernel it fails because SELinux is blocking access to device nodes. I
> can only boot the 2.6.32 kernel in single user mode. The reason is
> that /dev and all files in it have no type:
>
> $ ls -lZ /dev
> crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
<snip>
> The filesystem is ext3 on LVM:
>
> $ cat /etc/fstab
> /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
> ...
>
> The filesystem was created when I installed FC9. Later I upgraded to
> FC12. But the problem only appeared when the kernel was updated from
> 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>
> I have already relabeled the filesystem, but it didn't help. I tried
> restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
> anything.

Sounds like the devtmpfs mount with a policy that doesn't know about it.
dmesg | grep SELinux
grep /dev /proc/mounts

--
Stephen Smalley
National Security Agency

 
Old 05-24-2010, 07:28 PM
Stephen Smalley
 
Device nodes have no type when booting a 2.6.32.*.fc12 kernel

On Mon, 2010-05-24 at 15:07 -0400, Stephen Smalley wrote:
> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
> > I have fc12 installed on a Lenovo R61 laptop with two kernels:
> >
> > kernel-2.6.31.12-174.2.22.fc12.i686
> > kernel-2.6.32.12-115.fc12.i686
> >
> > The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
> > kernel it fails because SELinux is blocking access to device nodes. I
> > can only boot the 2.6.32 kernel in single user mode. The reason is
> > that /dev and all files in it have no type:
> >
> > $ ls -lZ /dev
> > crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
> <snip>
> > The filesystem is ext3 on LVM:
> >
> > $ cat /etc/fstab
> > /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
> > ...
> >
> > The filesystem was created when I installed FC9. Later I upgraded to
> > FC12. But the problem only appeared when the kernel was updated from
> > 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
> >
> > I have already relabeled the filesystem, but it didn't help. I tried
> > restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
> > anything.
>
> Sounds like the devtmpfs mount with a policy that doesn't know about it.
> dmesg | grep SELinux
> grep /dev /proc/mounts

I suspect your policy update didn't go cleanly and aborted during %post,
especially if you tried going all the way from F9 to F12. I'd suggest
doing:
mv /etc/selinux/targeted /etc/selinux/targeted.orig
yum reinstall selinux-policy-targeted

--
Stephen Smalley
National Security Agency

 
Old 05-25-2010, 06:39 PM
Karl-Michael Schneider
 
Device nodes have no type when booting a 2.6.32.*.fc12 kernel

On Mon, May 24, 2010 at 12:07 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>> I have fc12 installed on a Lenovo R61 laptop with two kernels:
>>
>> kernel-2.6.31.12-174.2.22.fc12.i686
>> kernel-2.6.32.12-115.fc12.i686
>>
>> The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>> kernel it fails because SELinux is blocking access to device nodes. I
>> can only boot the 2.6.32 kernel in single user mode. The reason is
>> that /dev and all files in it have no type:
>>
>> $ ls -lZ /dev
>> crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
> <snip>
>> The filesystem is ext3 on LVM:
>>
>> $ cat /etc/fstab
>> /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
>> ...
>>
>> The filesystem was created when I installed FC9. Later I upgraded to
>> FC12. But the problem only appeared when the kernel was updated from
>> 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>>
>> I have already relabeled the filesystem, but it didn't help. I tried
>> restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>> anything.
>
> Sounds like the devtmpfs mount with a policy that doesn't know about it.
> dmesg | grep SELinux
> grep /dev /proc/mounts

This is what I get after booting kernel-2.6.32.12-115.fc12.i686:

$ dmesg | grep SELinux
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks
dracut: Loading SELinux policy
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8192 avtab hash slots, 179545 rules.
SELinux: 8 users, 12 roles, 2445 types, 119 bools, 1 sens, 1024 cats
SELinux: 73 classes, 179545 rules
SELinux: class kernel_service not defined in policy
SELinux: class tun_socket not defined in policy
SELinux: permission open in class sock_file not defined in policy
SELinux: permission module_request in class system not defined in policy
SELinux: permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
SELinux: the above unknown classes and permissions will be allowed
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

$ grep /dev /proc/mounts
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0

For comparison here is the latter after booting
kernel-2.6.31.12-174.2.22.fc12.i686:

udev /dev tmpfs rw,seclabel,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
/dev/sda2 /boot ext3 rw,seclabel,relatime,errors=continue,user_xattr,acl,data=ordered 0 0
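The two checks Stephen asked for (dmesg's per-superblock labeling line and the seclabel option in /proc/mounts) can be automated. The following is an added example, not code from the thread; the sample inputs are constructed to match the 2.6.32 and 2.6.31 outputs posted above, and the function and variable names are this example's own.

```python
import re

# Constructed samples modelled on the outputs posted in the thread: the
# 2.6.32 boot (devtmpfs on /dev) and the 2.6.31 boot (tmpfs on /dev).
DMESG_2632 = """\
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
"""
MOUNTS_2632 = """\
udev /dev devtmpfs rw,relatime,size=1020692k,nr_inodes=214745,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,seclabel,relatime,user_xattr,acl 0 0
"""
MOUNTS_2631 = """\
udev /dev tmpfs rw,seclabel,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
"""

INIT_RE = re.compile(r"SELinux: initialized \(dev \S+, type (\S+)\), (.+)$")


def parse_dmesg(text):
    """Map each filesystem type to the labeling behaviour the kernel chose
    for it at policy load ('uses xattr', 'uses genfs_contexts', ...)."""
    behaviour = {}
    for line in text.splitlines():
        m = INIT_RE.search(line)
        if m:
            behaviour[m.group(1)] = m.group(2).strip()
    return behaviour


def parse_mounts(text):
    """Parse /proc/mounts lines into (mountpoint, fstype, option set)."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            mounts.append((f[1], f[2], set(f[3].split(","))))
    return mounts


def unlabeled_mounts(mounts_text, dmesg_text=""):
    """Return (mountpoint, fstype, reason) for mounts whose inodes will come
    up as unlabeled_t. Two independent signals: the 'seclabel' option is
    missing from /proc/mounts, or dmesg reported the fstype as 'not
    configured for labeling' (no fs_use_* / genfscon statement in the
    loaded policy covers it)."""
    behaviour = parse_dmesg(dmesg_text)
    findings = []
    for mp, fstype, opts in parse_mounts(mounts_text):
        reason = behaviour.get(fstype, "")
        if "seclabel" not in opts:
            findings.append((mp, fstype, reason or "no seclabel option"))
        elif "not configured" in reason:
            findings.append((mp, fstype, reason))
    return findings


if __name__ == "__main__":
    # On a live host: unlabeled_mounts(open("/proc/mounts").read(), dmesg_output)
    for mp, fstype, why in unlabeled_mounts(MOUNTS_2632, DMESG_2632):
        print(f"{mp} ({fstype}): {why}")
```

On the 2.6.32 sample this reports only /dev; on the 2.6.31 sample, where udev mounted tmpfs with seclabel, it reports nothing, which is exactly the difference between the two boots.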
 
Old 05-25-2010, 06:47 PM
Karl-Michael Schneider
 
Device nodes have no type when booting a 2.6.32.*.fc12 kernel

On Mon, May 24, 2010 at 12:28 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2010-05-24 at 15:07 -0400, Stephen Smalley wrote:
>> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>> > I have fc12 installed on a Lenovo R61 laptop with two kernels:
>> >
>> > kernel-2.6.31.12-174.2.22.fc12.i686
>> > kernel-2.6.32.12-115.fc12.i686
>> >
>> > The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>> > kernel it fails because SELinux is blocking access to device nodes. I
>> > can only boot the 2.6.32 kernel in single user mode. The reason is
>> > that /dev and all files in it have no type:
>> >
>> > $ ls -lZ /dev
>> > crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
>> <snip>
>> > The filesystem is ext3 on LVM:
>> >
>> > $ cat /etc/fstab
>> > /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
>> > ...
>> >
>> > The filesystem was created when I installed FC9. Later I upgraded to
>> > FC12. But the problem only appeared when the kernel was updated from
>> > 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>> >
>> > I have already relabeled the filesystem, but it didn't help. I tried
>> > restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>> > anything.
>>
>> Sounds like the devtmpfs mount with a policy that doesn't know about it.
>> dmesg | grep SELinux
>> grep /dev /proc/mounts
>
> I suspect your policy update didn't go cleanly and aborted during %post,
> especially if you tried going all the way from F9 to F12. I'd suggest
> doing:
> mv /etc/selinux/targeted /etc/selinux/targeted.orig
> yum reinstall selinux-policy-targeted

Thanks. This resolved the /dev labeling problem.

Now I got security exceptions for a number of applications. I remember
I got the same exceptions after I upgraded to FC12. So I booted with
enforcing=0 and built a local policy module from audit.log as
described in the audit2allow man page. I post it here:

module local 1.0;

require {
type unconfined_t;
type system_dbusd_var_run_t;
type sound_device_t;
type usr_t;
type xdm_var_lib_t;
type dri_device_t;
type NetworkManager_t;
type user_home_t;
type var_spool_t;
type initrc_t;
type system_dbusd_t;
type var_lock_t;
type xdm_dbusd_t;
type session_dbusd_tmp_t;
type unlabeled_t;
type removable_device_t;
type consolekit_t;
type var_lib_t;
type gnomeclock_t;
type gconfd_exec_t;
type var_t;
type xdm_t;
class process sigchld;
class unix_stream_socket connectto;
class dbus send_msg;
class chr_file { getattr setattr };
class file { rename execute setattr read execmod getattr
execute_no_trans write ioctl unlink open create append };
class sock_file { write create unlink };
class blk_file { getattr setattr };
class dir { write search setattr read remove_name add_name };
}

#============= NetworkManager_t ==============
allow NetworkManager_t unlabeled_t:file { ioctl execute read open
getattr execute_no_trans };
allow NetworkManager_t var_lib_t:file { read create open getattr };
allow NetworkManager_t var_lock_t:dir search;

#============= consolekit_t ==============
allow consolekit_t dri_device_t:chr_file { getattr setattr };
allow consolekit_t removable_device_t:blk_file { getattr setattr };
allow consolekit_t sound_device_t:chr_file { getattr setattr };

#============= gnomeclock_t ==============
allow gnomeclock_t initrc_t:dbus send_msg;

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_t usr_t:file execmod;

#============= unlabeled_t ==============
allow unlabeled_t unconfined_t:process sigchld;

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
allow xdm_dbusd_t self:unix_stream_socket connectto;
allow xdm_dbusd_t session_dbusd_tmp_t:sock_file { write create unlink };
allow xdm_dbusd_t system_dbusd_t:dbus send_msg;
allow xdm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow xdm_dbusd_t system_dbusd_var_run_t:dir search;
allow xdm_dbusd_t system_dbusd_var_run_t:sock_file write;
allow xdm_dbusd_t xdm_t:unix_stream_socket connectto;
#!!!! The source type 'xdm_dbusd_t' can write to a 'dir' of the following types:
# session_dbusd_tmp_t, tmp_t

allow xdm_dbusd_t xdm_var_lib_t:dir { read write add_name remove_name };
#!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following type:
# session_dbusd_tmp_t

allow xdm_dbusd_t xdm_var_lib_t:file { rename read create write
getattr unlink open append };

#============= xdm_t ==============
allow xdm_t initrc_t:dbus send_msg;
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t session_dbusd_tmp_t:dir setattr;
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t,
xdm_var_run_t, xdm_home_t, pam_var_console_t, pcscd_var_run_t,
xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t,
user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t,
user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t,
user_tmp_t, auth_cache_t, var_lib_t, var_run_t, xdm_tmpfs_t,
xdm_tmp_t, root_t, nfs_t

allow xdm_t session_dbusd_tmp_t:dir { write remove_name add_name };
allow xdm_t session_dbusd_tmp_t:sock_file { write create unlink };
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t user_home_t:file { write rename };
allow xdm_t var_spool_t:file unlink;
allow xdm_t var_t:dir setattr;
allow xdm_t var_t:file { write rename create unlink setattr };
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
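An added example, not part of the post above and not the audit2allow tool itself: a small work-alike of what "audit2allow -M local" does with the AVC records in audit.log, plus the triage step the generated module skips. The audit records are constructed for the example (the pids, comm names and paths are invented; the types and the boolean name are the ones that appear in the module above). The point a practitioner wants to see is that a denial whose source or target type is unlabeled_t is not a policy gap: the object carries no label the policy can reason about, so an allow rule on unlabeled_t only hides a labeling problem that restorecon or a relabel should fix, and audit2allow will happily emit one anyway.

```python
"""Minimal audit2allow work-alike with a triage step (added example, not audit2allow itself)."""
import re

# One AVC record looks like:
#   type=AVC msg=audit(...): avc:  denied  { read open } for  pid=... comm="..." path="..."
#   scontext=user:role:type:level tcontext=user:role:type:level tclass=file
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample audit.log: the types are those in the module posted above, the
# paths, pids and comm names are invented for the example. The SYSCALL record is there
# to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1274900000.101:201): avc:  denied  { read open } for  pid=1201 comm="NetworkManager" path="/var/lib/example/leases" dev=dm-0 ino=40123 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274900000.102:202): avc:  denied  { getattr } for  pid=1201 comm="NetworkManager" path="/usr/libexec/example-helper" dev=dm-0 ino=50222 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1274900000.103:203): avc:  denied  { execmod } for  pid=1310 comm="example-app" path="/usr/lib/libexample.so" dev=dm-0 ino=60333 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1274900000.104:204): avc:  denied  { connectto } for  pid=1402 comm="dbus-daemon" path="/tmp/dbus-example" scontext=system_u:system_r:xdm_dbusd_t:s0 tcontext=system_u:system_r:xdm_dbusd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1274900000.101:201): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=1201 comm="NetworkManager"
"""


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm"),
            "path": fields.get("path"),
        }
    except (KeyError, IndexError):
        return None  # truncated record, not enough to write a rule from


def records_from_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def _fmt(perms):
    """audit2allow style: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(records, name="local", version="1.0"):
    """Collapse denials into .te source the way 'audit2allow -M' does."""
    rules = {}  # (source type, target type, class) -> permissions
    for r in records:
        rules.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, _fmt(classes[c])) for c in sorted(classes)]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        target = "self" if s == t else t
        out.append("allow %s %s:%s %s;" % (s, target, cls, _fmt(perms)))
    return "\n".join(out) + "\n"


def triage(records):
    """Decide, per denial, whether an allow rule is the right fix at all."""
    verdicts = []
    for r in records:
        if "unlabeled_t" in (r["stype"], r["ttype"]):
            # No label to write policy against: fix the labels (restorecon / relabel),
            # do not teach the policy to trust unlabeled objects.
            v = "relabel"
        elif "execmod" in r["perms"]:
            v = "boolean:allow_execmod"  # the boolean audit2allow itself points at
        else:
            v = "allow"
        verdicts.append((r, v))
    return verdicts


def install_commands(name="local"):
    """The build and install steps from the audit2allow man page, for a hand-edited .te."""
    return [
        "checkmodule -M -m -o %s.mod %s.te" % (name, name),
        "semodule_package -o %s.pp -m %s.mod" % (name, name),
        "semodule -i %s.pp" % name,
    ]


if __name__ == "__main__":
    recs = records_from_log(SAMPLE_AUDIT_LOG)
    for r, v in triage(recs):
        print("%-22s %-18s %-14s %s" % (v, r["stype"], r["ttype"], r["path"]))
    # Only the denials that survive triage go into the module.
    print(build_module([r for r, v in triage(recs) if v == "allow"]))
```

Run as a script it prints the verdict table and then a module containing only the var_lib_t and the dbus self-connect rules; the unlabeled_t getattr and the execmod denial are reported instead of allowed. Compare that with the module posted above, where audit2allow turned the unlabeled_t denials into allow rules for NetworkManager_t and even for unlabeled_t as a source domain.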
 
Old 05-26-2010, 07:46 PM
Karl-Michael Schneider
 
Device nodes have no type when booting a 2.6.32.*.fc12 kernel

On Tue, May 25, 2010 at 11:47 AM, Karl-Michael Schneider
<karlmicha@gmail.com> wrote:
> On Mon, May 24, 2010 at 12:28 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Mon, 2010-05-24 at 15:07 -0400, Stephen Smalley wrote:
>>> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>>> > I have fc12 installed on a Lenovo R61 laptop with two kernels:
>>> >
>>> > kernel-2.6.31.12-174.2.22.fc12.i686
>>> > kernel-2.6.32.12-115.fc12.i686
>>> >
>>> > The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>>> > kernel it fails because SELinux is blocking access to device nodes. I
>>> > can only boot the 2.6.32 kernel in single user mode. The reason is
>>> > that /dev and all files in it have no type:
>>> >
>>> > $ ls -lZ /dev
>>> > crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
>>> <snip>
>>> > The filesystem is ext3 on LVM:
>>> >
>>> > $ cat /etc/fstab
>>> > /dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
>>> > ...
>>> >
>>> > The filesystem was created when I installed FC9. Later I upgraded to
>>> > FC12. But the problem only appeared when the kernel was updated from
>>> > 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>>> >
>>> > I have already relabeled the filesystem, but it didn't help. I tried
>>> > restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>>> > anything.
>>>
>>> Sounds like the devtmpfs mount with a policy that doesn't know about it.
>>> dmesg | grep SELinux
>>> grep /dev /proc/mounts
>>
>> I suspect your policy update didn't go cleanly and aborted during %post,
>> especially if you tried going all the way from F9 to F12. I'd suggest
>> doing:
>> mv /etc/selinux/targeted /etc/selinux/targeted.orig
>> yum reinstall selinux-policy-targeted
>
> Thanks. This resolved the /dev labeling problem.
>
> Now I got security exceptions for a number of applications. I remember
> I got the same exceptions after I upgraded to FC12. So I booted with
> enforcing=0 and built a local policy module from audit.log as
> described in the audit2allow man page. I post it here:
>
> module local 1.0;
>
> require {
>	type unconfined_t;
>	type system_dbusd_var_run_t;
>	type sound_device_t;
>	type usr_t;
>	type xdm_var_lib_t;
>	type dri_device_t;
>	type NetworkManager_t;
>	type user_home_t;
>	type var_spool_t;
>	type initrc_t;
>	type system_dbusd_t;
>	type var_lock_t;
>	type xdm_dbusd_t;
>	type session_dbusd_tmp_t;
>	type unlabeled_t;
>	type removable_device_t;
>	type consolekit_t;
>	type var_lib_t;
>	type gnomeclock_t;
>	type gconfd_exec_t;
>	type var_t;
>	type xdm_t;
>	class process sigchld;
>	class unix_stream_socket connectto;
>	class dbus send_msg;
>	class chr_file { getattr setattr };
>	class file { rename execute setattr read execmod getattr
> execute_no_trans write ioctl unlink open create append };
>	class sock_file { write create unlink };
>	class blk_file { getattr setattr };
>	class dir { write search setattr read remove_name add_name };
> }
>
> #============= NetworkManager_t ==============
> allow NetworkManager_t unlabeled_t:file { ioctl execute read open
> getattr execute_no_trans };
> allow NetworkManager_t var_lib_t:file { read create open getattr };
> allow NetworkManager_t var_lock_t:dir search;
>
> #============= consolekit_t ==============
> allow consolekit_t dri_device_t:chr_file { getattr setattr };
> allow consolekit_t removable_device_t:blk_file { getattr setattr };
> allow consolekit_t sound_device_t:chr_file { getattr setattr };
>
> #============= gnomeclock_t ==============
> allow gnomeclock_t initrc_t:dbus send_msg;
>
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using the boolean 'allow_execmod'
>
> allow unconfined_t usr_t:file execmod;
>
> #============= unlabeled_t ==============
> allow unlabeled_t unconfined_t:process sigchld;
>
> #============= xdm_dbusd_t ==============
> allow xdm_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
> allow xdm_dbusd_t self:unix_stream_socket connectto;
> allow xdm_dbusd_t session_dbusd_tmp_t:sock_file { write create unlink };
> allow xdm_dbusd_t system_dbusd_t:dbus send_msg;
> allow xdm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
> allow xdm_dbusd_t system_dbusd_var_run_t:dir search;
> allow xdm_dbusd_t system_dbusd_var_run_t:sock_file write;
> allow xdm_dbusd_t xdm_t:unix_stream_socket connectto;
> #!!!! The source type 'xdm_dbusd_t' can write to a 'dir' of the following types:
> # session_dbusd_tmp_t, tmp_t
>
> allow xdm_dbusd_t xdm_var_lib_t:dir { read write add_name remove_name };
> #!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following type:
> # session_dbusd_tmp_t
>
> allow xdm_dbusd_t xdm_var_lib_t:file { rename read create write
> getattr unlink open append };
>
> #============= xdm_t ==============
> allow xdm_t initrc_t:dbus send_msg;
> #!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
>
> allow xdm_t session_dbusd_tmp_t:dir setattr;
> #!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
> # xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t,
> xdm_var_run_t, xdm_home_t, pam_var_console_t, pcscd_var_run_t,
> xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t,
> user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t,
> user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t,
> user_tmp_t, auth_cache_t, var_lib_t, var_run_t, xdm_tmpfs_t,
> xdm_tmp_t, root_t, nfs_t
>
> allow xdm_t session_dbusd_tmp_t:dir { write remove_name add_name };
> allow xdm_t session_dbusd_tmp_t:sock_file { write create unlink };
> #!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
>
> allow xdm_t user_home_t:file { write rename };
> allow xdm_t var_spool_t:file unlink;
> allow xdm_t var_t:dir setattr;
> allow xdm_t var_t:file { write rename create unlink setattr };
>

Adding the local policy module did not fix all the problems. I had to
relabel the filesystem, and that fixed it (no need for a local policy
module anymore).
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
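The outcome above (a relabel fixed what the local module could not) is the check that should come before any audit2allow run: compare the labels objects actually carry with what the policy's file_contexts says they should carry. Here is an added example of that check, not code from the thread and not libselinux; it emulates what matchpathcon and "restorecon -nv" do over a constructed ls -Z listing and a constructed file_contexts excerpt. Assumptions, labelled in the code: the /etc/selinux/<policy>/contexts/files/file_contexts format (a regex anchored to the whole path, an optional -b/-c/-d/-p/-l/-s/-- file-type field, then a context or <<none>>) with last-match-wins ordering, and restorecon's "reset ... context old->new" message format for the dry-run lines.

```python
"""Check labels against file_contexts before writing policy (added example; a simplified
matchpathcon / restorecon -nv emulation, not libselinux)."""
import re
from collections import namedtuple

Spec = namedtuple("Spec", "regex ftype context")

# Constructed excerpt in the file_contexts format:
#   <regex> [-b|-c|-d|-p|-l|-s|--] <context>
# General patterns come first because the last matching entry wins; <<none>> means
# "leave this object alone", which is how tmpfs-backed paths are normally handled.
SAMPLE_FILE_CONTEXTS = """\
/.*                 system_u:object_r:default_t:s0
/dev(/.*)?          system_u:object_r:device_t:s0
/dev/null       -c  system_u:object_r:null_device_t:s0
/dev/dri/.*     -c  system_u:object_r:dri_device_t:s0
/dev/shm(/.*)?      <<none>>
/usr/.*             system_u:object_r:usr_t:s0
/var/lib(/.*)?      system_u:object_r:var_lib_t:s0
/var/lib/xdm(/.*)?  system_u:object_r:xdm_var_lib_t:s0
"""

# Constructed (path, file type as in the first column of ls -l, current context) triples,
# the information 'ls -Z' gives; the /dev entries mirror the unlabeled_t /dev in the thread.
SAMPLE_LS_Z = [
    ("/dev/console",           "c", "system_u:object_r:unlabeled_t:s0"),
    ("/dev/null",              "c", "system_u:object_r:unlabeled_t:s0"),
    ("/dev/dri/card0",         "c", "system_u:object_r:unlabeled_t:s0"),
    ("/dev/input",             "d", "system_u:object_r:device_t:s0"),
    ("/dev/shm/example",       "-", "system_u:object_r:tmpfs_t:s0"),
    ("/var/lib/xdm/state",     "-", "system_u:object_r:var_lib_t:s0"),
    ("/usr/lib/libexample.so", "-", "system_u:object_r:usr_t:s0"),
]


def parse_file_contexts(text):
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 2:
            regex, ftype, context = parts[0], None, parts[1]
        elif len(parts) == 3 and parts[1].startswith("-"):
            regex, ftype, context = parts[0], parts[1][1], parts[2]  # "-c" -> "c", "--" -> "-"
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # Every pattern is matched against the whole path, not a prefix.
        specs.append(Spec(re.compile("^(?:%s)$" % regex), ftype, context))
    return specs


def expected_context(path, ftype, specs):
    """What matchpathcon answers: the last entry matching the path (and file type).
    None means no entry applies or the entry says <<none>>."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return None if spec.context == "<<none>>" else spec.context
    return None


def find_mislabeled(entries, specs):
    """(path, current, expected) for every entry whose label differs from policy."""
    bad = []
    for path, ftype, current in entries:
        want = expected_context(path, ftype, specs)
        if want is not None and want != current:
            bad.append((path, current, want))
    return bad


def restorecon_plan(entries, specs):
    """The lines 'restorecon -nv' prints for these entries (dry run, nothing is changed)."""
    return ["restorecon reset %s context %s->%s" % hit
            for hit in find_mislabeled(entries, specs)]


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for line in restorecon_plan(SAMPLE_LS_Z, specs):
        print(line)
```

Run as a script it lists four resets: the three unlabeled_t device nodes and /var/lib/xdm/state, which carries the parent directory's var_lib_t instead of xdm_var_lib_t (the same pair of types that produced the xdm_dbusd_t rules in the module above). /dev/input is already correct and /dev/shm/example is left alone because of the <<none>> entry. Two caveats from the thread itself: if restorecon reports nothing for objects that still show unlabeled_t, the gap is not in file_contexts but in the policy's knowledge of the filesystem (Stephen Smalley's devtmpfs point), which is why reinstalling selinux-policy-targeted rather than restorecon fixed /dev; and when the mislabels are spread across the tree, as here after the F9 to F12 upgrade, a full relabel at the next boot (on Fedora, touch /.autorelabel) is the fix, not a local module.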
 
