Linux Archive > Gentoo > Gentoo Hardened
Old 07-19-2008, 04:15 PM
 
Problem with udev and enforcing policy

François Valenduc writes:
> Hello everybody,
> I have installed selinux and I tried to switch from permissive to
> enforcing policy. Following that, I get plenty of errors like
> run_program exec of /lib64/udev/net.sh failed
> This occurs for all scripts in this folder. I have rebuilt udev to
> include selinux patches, but it doesn't work very well.

> Does anybody know a solution to this problem?

I received a similar error a year ago, when I was using SELinux on my
gentoo-hardened box. To fix it, I labelled all scripts in /lib64/udev
with the 'system_u:object_r:udev_helper_exec_t' context. So try the following,
and see if everything works:

---->8---->8----
# chcon -Rc system_u:object_r:udev_helper_exec_t /lib64/udev
----8<----8<----

Following are the denials I received:

---->8---->8----
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:6): avc: denied { execute_no_trans } for pid=1090 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:7): avc: denied { execute_no_trans } for pid=1087 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:8): avc: denied { execute_no_trans } for pid=1088 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:9): avc: denied { execute_no_trans } for pid=1096 comm="udevd" name="ata_id" dev=sdb5 ino=8160381 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:10): avc: denied { execute_no_trans } for pid=1091 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:12): avc: denied { execute_no_trans } for pid=1101 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:13): avc: denied { execute_no_trans } for pid=1102 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:14): avc: denied { execute_no_trans } for pid=1104 comm="udevd" name="scsi_id" dev=sdb5 ino=8160369 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:15): avc: denied { execute_no_trans } for pid=1103 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
----8<----8<----

If you receive more errors, try fixing udev's policy in
serefpolicy. It'll be better if you work with the latest release.

I'm not using SELinux these days, so won't be able to help you further.

HTH
--
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
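An added example, not from this thread or from the udev/SELinux tooling: a small Python parser for kernel AVC denial lines like the ones quoted above. It groups denials by source type, target type, object class and permission, so a burst of a dozen lines collapses into one group per cause, and it flags the udev_t-executing-lib_t group as the file-labelling problem the reply describes. The sample log is constructed (pids and inodes are made up, and the last denials are invented to show that unrelated groups stay separate); the fix type udev_helper_exec_t and the directory /lib64/udev are taken from the reply, everything else is assumed.

```python
"""Parse SELinux AVC denial lines (kernel audit format) and group them
so the cause of a burst of denials is visible at a glance."""
import re
from collections import defaultdict

# Constructed sample input modelled on the denials quoted in the reply.
# The etc_t and device_t lines are invented to show separate grouping;
# the last line is not an AVC message and must be skipped.
SAMPLE_AUDIT = """\
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:7): avc: denied { execute_no_trans } for pid=1087 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:14 [kernel] audit(1196985844.001:16): avc: denied { read } for pid=1110 comm="udevd" name="udev.conf" dev=sdb5 ino=8160400 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Dec 7 00:04:14 [kernel] audit(1196985844.002:17): avc: denied { getattr } for pid=1110 comm="udevd" name="sda" dev=tmpfs ino=1234 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=blk_file
Dec 7 00:04:15 [kernel] this line is not an AVC message and is skipped
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict of the AVC fields for one line, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(text):
    """Group denied accesses by (source type, target type, class, permission)
    and collect the object names seen in each group."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                   rec["tclass"], perm)
            groups[key].add(rec.get("name", "?"))
    return {k: sorted(v) for k, v in groups.items()}


# Labelling problem named in this thread: udevd executing helper files that
# carry the generic lib_t type. The fix type is the one given in the reply.
KNOWN_RELABELS = {
    ("udev_t", "lib_t", "file", "execute_no_trans"): "udev_helper_exec_t",
}


def suggest(summary, directory="/lib64/udev"):
    """Return (group, advice) pairs: a relabel command for a known labelling
    problem, otherwise a pointer to check the policy before adding rules."""
    out = []
    for key, names in sorted(summary.items()):
        fix_type = KNOWN_RELABELS.get(key)
        if fix_type:
            advice = (f"chcon -R system_u:object_r:{fix_type} {directory}"
                      f"  # covers {', '.join(names)}")
        else:
            advice = "no known relabel; run the lines through audit2why before adding policy"
        out.append((key, advice))
    return out


if __name__ == "__main__":
    for key, advice in suggest(summarize(SAMPLE_AUDIT)):
        print(key, "->", advice)
```

The grouping is the useful part: if every denial in a group shares the same (source, target, class, permission) and the targets are files you know should carry a more specific type, you are looking at mislabelled files, not a policy gap. A chcon label is lost on the next filesystem relabel, so once the fix is confirmed the persistent form is a file-context entry in the policy, which is what the reply's pointer to serefpolicy amounts to.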