Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Gentoo Hardened (http://www.linux-archive.org/gentoo-hardened/)
-   -   Problem with udev and enforcing policy (http://www.linux-archive.org/gentoo-hardened/127768-problem-udev-enforcing-policy.html)

07-19-2008 04:15 PM

Problem with udev and enforcing policy
 
François Valenduc writes:
> Hello everybody,
> I have installed selinux and I tried to switch from permissive to
> enforcing policy. Following that, I get plenty of errors like
> run_program exec of /lib64/udev/net.sh failed
> This occurs for all scripts in this folder. I have rebuilt udev to
> include SELinux patches, but it doesn't work very well.

> Does anybody know a solution to this problem?

I received a similar error a year ago, when I was using SELinux on my
gentoo-hardened box. To fix it, I labelled all scripts in /lib64/udev
with the 'system_u:object_r:udev_helper_exec_t' context. So try the
following, and see if everything works:

---->8---->8----
# chcon -Rc system_u:object_r:udev_helper_exec_t /lib64/udev
----8<----8<----

Following are the denials I received:

---->8---->8----
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:6): avc: denied { execute_no_trans } for pid=1090 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:7): avc: denied { execute_no_trans } for pid=1087 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:8): avc: denied { execute_no_trans } for pid=1088 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:9): avc: denied { execute_no_trans } for pid=1096 comm="udevd" name="ata_id" dev=sdb5 ino=8160381 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:10): avc: denied { execute_no_trans } for pid=1091 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:12): avc: denied { execute_no_trans } for pid=1101 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:13): avc: denied { execute_no_trans } for pid=1102 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:14): avc: denied { execute_no_trans } for pid=1104 comm="udevd" name="scsi_id" dev=sdb5 ino=8160369 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:15): avc: denied { execute_no_trans } for pid=1103 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
----8<----8<----

If you receive more errors, try fixing udev's policy in
serefpolicy. It'll be better if you work with the latest release.

I'm not using SELinux these days, so won't be able to help you further.

HTH
--
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
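Added example, not code from the thread, from Gentoo, or from refpolicy: a small Python triage script that parses AVC denial lines like the ones quoted above, groups them by source type, target type, class and permission, and separates the "udev helper mislabelled as lib_t" case (fixed by a label, as the reply says, since the policy already expects udev helpers to carry udev_helper_exec_t) from denials that would need policy work. The sample input is the first three denials from the post plus one constructed line in the newer audit format with MLS ranges. The helper directory /lib64/udev is taken from the post; the `semanage fcontext` / `restorecon` pair is an assumption that policycoreutils is installed, and is emitted because a bare `chcon` is not recorded in the file-context database and is undone by the next full relabel.

```python
"""Triage SELinux AVC denials like the ones in this thread.

Added example; not code from the original post, Gentoo, or refpolicy.
Assumptions: the helper directory is /lib64/udev (from the post) and
policycoreutils' semanage/restorecon are available for the persistent
form of the fix.
"""
import re
from collections import defaultdict

# Denial lines quoted in the post above (first three) plus one CONSTRUCTED
# line in the newer audit format with MLS ranges, to show the parser copes
# with both and flags a denial the relabel would not explain.
SAMPLE_LOG = """\
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:9): avc: denied { execute_no_trans } for pid=1096 comm="udevd" name="ata_id" dev=sdb5 ino=8160381 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
type=AVC msg=audit(1196985900.000:20): avc: denied { read } for pid=1200 comm="udevd" name="local.rules" dev=sdb5 ino=4242 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The label the post applied; refpolicy's udev module expects helpers to carry it.
HELPER_TYPE = "udev_helper_exec_t"


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        # user:role:type[:range]; keep only the type, which is what rules key on
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def group_denials(lines):
    """Map (source type, target type, class, permission) -> set of file names."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)
            groups[key].add(rec.get("name", "?"))
    return dict(groups)


def suggest_fix(groups, helper_dir="/lib64/udev"):
    """Separate the mislabelled-helper case from denials that need policy work.

    Returns (commands, unexplained). The chcon is the poster's immediate fix;
    the semanage/restorecon pair records the same label in the file-context
    database so a later relabel (restorecon -R, /.autorelabel) keeps it.
    """
    commands, unexplained = [], []
    for key, names in sorted(groups.items()):
        stype, ttype, tclass, perm = key
        if key == ("udev_t", "lib_t", "file", "execute_no_trans"):
            commands += [
                f"chcon -Rc system_u:object_r:{HELPER_TYPE} {helper_dir}",
                f"semanage fcontext -a -t {HELPER_TYPE} '{helper_dir}(/.*)?'",
                f"restorecon -Rv {helper_dir}",
            ]
        else:
            unexplained.append(f"{stype} -> {ttype} {tclass} {{ {perm} }}: {sorted(names)}")
    return commands, unexplained


if __name__ == "__main__":
    cmds, rest = suggest_fix(group_denials(SAMPLE_LOG.splitlines()))
    print("\n".join(cmds))
    for item in rest:
        print("needs policy work:", item)
```

Run against the sample log it prints the three relabel commands for the execute_no_trans denials and reports the constructed `read` denial on local.rules as needing policy work, which is where the reply's pointer to the udev module in serefpolicy applies. Grouping by types and permission rather than by inode or pid is deliberate: that is the granularity at which both file-context rules and allow rules are written, so one group maps to one fix.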
