dmesg entries Rawhide
On Tue, Jun 01, 2010 at 11:01:31AM +0100, Frank Murphy wrote:
> Is following anything to worry about, no alerts once on Desktop.
> ------------------------------------------------------------------
> dracut: Loading SELinux policy
> --snip--
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> type=1403 audit(1275384894.833:3): policy loaded auid=4294967295
> ses=4294967295
> dracut: Switching root
> type=1400 audit(1275384895.605:4): avc: denied { read write } for
> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.607:5): avc: denied { read write } for
> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.682:6): avc: denied { read write } for
> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.682:7): avc: denied { read write } for
> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.685:8): avc: denied { read write } for
> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.685:9): avc: denied { read write } for
> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.859:10): avc: denied { open } for pid=576
> comm="mount" name="null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.862:11): avc: denied { read write } for
> pid=578 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Yes there's a bug in dracut. hhoyer said it would be fixed in an update soon.

Here's how to fix it:

commit 769cf2477076a0ec0ab40de329eddc6d33435dde
Author: Dominick Grift <domg472@gmail.com> 2010-05-14 18:26:02
Committer: Dominick Grift <domg472@gmail.com> 2010-05-14 18:26:02
Parent: 05997000a2389e510dd924bcf37b61c93b09f83a (Remove unused comments.)
Child: f68796e9a8fd8c5234faf06484c99f2028c7b652 (Version 3.7.19-16.3)

Added this:

mount --bind /dev "$NEWROOT/dev"
chroot "$NEWROOT" /sbin/restorecon -R /dev

to: /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
so that devtmpfs gets restored right after dracut loads policy.

So now we should be able to remove: dev_rw_generic_chr_files for both
init_t and initrc_t i guess.

instead add dev_read_urand(init_t)

Signed-off-by: Dominick Grift <domg472@gmail.com>

------------------------ policy/modules/system/init.te ------------------------ index 8018498..2a784c1 100644 @@ -139,7 +139,8 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) -dev_rw_generic_chr_files(init_t) +dev_read_urand(init_t) +# dev_rw_generic_chr_files(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -346,7 +347,7 @@ dev_getattr_all_chr_files(initrc_t) dev_rw_xserver_misc(initrc_t) # Else readahead wont start -dev_rw_generic_chr_files(initrc_t) +# dev_rw_generic_chr_files(initrc_t) corecmd_exec_all_executables(initrc_t)

>
> --
> Regards,
>
> Frank Murphy
> UTF_8 Encoded
> Friend of Fedora
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

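Review bot: In the first hunk (init_t, around line 139) the old rule is kept as a commented-out line, `# dev_rw_generic_chr_files(init_t)`, instead of being deleted, which leaves a dead rule in init.te that can be re-enabled later without anyone revisiting why it was dropped. Delete the line and let the commit history carry it. The commit message also ties the removal to a restorecon step added to dracut's selinux-loadpolicy.sh and hedges with "i guess", so the change is only safe where the initramfs performs that relabel; state that dependency in the message or in a comment next to the rule, and say what init needs dev_read_urand for, since the message gives no reason for adding it.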
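Review bot: In the second hunk (initrc_t, around line 346) the context comment `# Else readahead wont start` is left above a rule that is now commented out, so the file documents a requirement the policy no longer satisfies. Either remove the comment together with the rule, or confirm that readahead still starts once /dev has been relabeled and say so in the commit message. As in the first hunk, deleting the line is cleaner than leaving `# dev_rw_generic_chr_files(initrc_t)` behind.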
On 06/01/2010 06:01 AM, Frank Murphy wrote:
> Is following anything to worry about, no alerts once on Desktop.
> ------------------------------------------------------------------
> dracut: Loading SELinux policy
> --snip--
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> type=1403 audit(1275384894.833:3): policy loaded auid=4294967295
> ses=4294967295
> dracut: Switching root
> type=1400 audit(1275384895.605:4): avc: denied { read write } for
> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.607:5): avc: denied { read write } for
> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.682:6): avc: denied { read write } for
> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.682:7): avc: denied { read write } for
> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.685:8): avc: denied { read write } for
> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.685:9): avc: denied { read write } for
> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.859:10): avc: denied { open } for pid=576
> comm="mount" name="null" dev=devtmpfs ino=4055
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> type=1400 audit(1275384895.862:11): avc: denied { read write } for
> pid=578 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
> scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
No bug a bug should be opened. Dracut should be relabeling the /dev
directory immediately after loading policy, in order to fix the labels
of all devices created before the load.

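A triage helper for the denials quoted in this thread, added here as an example (not code from the thread, dracut or the policy): it parses kernel AVC lines and lists the devtmpfs character devices that still carry the generic `device_t` label, with the domains that were denied on each. The function names are hypothetical; the last sample record, including its `console_device_t` target, is constructed.

```python
import re

# Records 1-4 follow the lines quoted in this thread; record 5 is constructed
# to show a correctly labelled node (console_device_t) being ignored.
SAMPLE = '''\
type=1403 audit(1275384894.833:3): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1275384895.605:4): avc: denied { read write } for pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275384895.682:6): avc: denied { read write } for pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275384895.859:10): avc: denied { open } for pid=576 comm="mount" name="null" dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275384999.000:20): avc: denied { write } for pid=600 comm="example" path="/dev/console" dev=devtmpfs ino=5569 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
'''

AVC_RE = re.compile(r'type=1400 audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """Return the type field of a user:role:type[:level] context, or ''."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''

def parse_avc(line):
    """Parse one kernel AVC denial line into a dict; None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None
    rec['serial'] = int(m.group(1))
    rec['perms'] = m.group(2).split()
    rec['stype'] = ctx_type(rec['scontext'])
    rec['ttype'] = ctx_type(rec['tcontext'])
    return rec

def unlabeled_dev_denials(log_text):
    """Map each devtmpfs char device still labelled device_t to denied domains."""
    nodes = {}  # inode -> {'path': str or None, 'domains': set of source types}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or (rec.get('dev'), rec.get('tclass'), rec['ttype']) != (
                'devtmpfs', 'chr_file', 'device_t'):
            continue
        # Key on the inode: some records carry only name=, not a full path.
        node = nodes.setdefault(rec.get('ino'), {'path': None, 'domains': set()})
        node['path'] = rec.get('path') or node['path']
        node['domains'].add(rec['stype'])
    return {n['path'] or f'ino={ino}': sorted(n['domains'])
            for ino, n in nodes.items()}
```

An empty result after the initramfs relabels `/dev` indicates the nodes created before policy load no longer carry `device_t`.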
On Tue, Jun 1, 2010 at 6:07 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 06/01/2010 06:01 AM, Frank Murphy wrote:
>> Is following anything to worry about, no alerts once on Desktop.
>> ------------------------------------------------------------------
>> dracut: Loading SELinux policy
>> --snip--
>> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>> type=1403 audit(1275384894.833:3): policy loaded auid=4294967295
>> ses=4294967295
>> dracut: Switching root
>> type=1400 audit(1275384895.605:4): avc: denied { read write } for
>> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
>> scontext=system_u:system_r:hostname_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.607:5): avc: denied { read write } for
>> pid=571 comm="hostname" path="/dev/console" dev=devtmpfs ino=5569
>> scontext=system_u:system_r:hostname_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.682:6): avc: denied { read write } for
>> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
>> scontext=system_u:system_r:consoletype_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.682:7): avc: denied { read write } for
>> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
>> scontext=system_u:system_r:consoletype_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.685:8): avc: denied { read write } for
>> pid=574 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
>> scontext=system_u:system_r:consoletype_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.685:9): avc: denied { read write } for
>> pid=575 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
>> scontext=system_u:system_r:consoletype_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.859:10): avc: denied { open } for pid=576
>> comm="mount" name="null" dev=devtmpfs ino=4055
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>> type=1400 audit(1275384895.862:11): avc: denied { read write } for
>> pid=578 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5569
>> scontext=system_u:system_r:consoletype_t:s0
>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>
> No bug a bug should be opened. Dracut should be relabeling the /dev
> directory immediately after loading policy, in order to fix the labels
> of all devices created before the load.

I've opened this BZ on dracut for this:
https://bugzilla.redhat.com/show_bug.cgi?id=598475

tom
--
Tom London

On 01/06/10 14:26, Tom London wrote:
> I've opened this BZ on dracut for this:
> https://bugzilla.redhat.com/show_bug.cgi?id=598475
> tom

Just opened a dupe before I saw your comment :(
https://bugzilla.redhat.com/show_bug.cgi?id=598484
Now re-directed to above.

--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of Fedora

On 01/06/10 14:26, Tom London wrote:
> I've opened this BZ on dracut for this:
> https://bugzilla.redhat.com/show_bug.cgi?id=598475
> tom

Just opened a dupe before I saw your comment :(
https://bugzilla.redhat.com/show_bug.cgi?id=598484
Now re-directed to #598475

--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of Fedora