Progress! .532 boots! -- but dbus/hotplug/udev pro: msg#00200

Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
now boots in strict/enforcing.

Many AVCs, and there is a problem
with runlevel 5 (graphical login, etc.) preventing
login, (but text login works).

Here are the first, early AVCs:  (I'll dig for more later.)

Aug 28 10:23:40 fedora kernel: usbcore: registered new driver usblp

Aug 28 10:23:40 fedora kernel: drivers/usb/class/usblp.c: v0.13: USBPrinter Device Class driver

Aug 28 10:23:40 fedora acpid: acpid startup succeeded
Aug 28 10:23:40 fedora kernel: ACPI: Power Button (FF) [PWRF]
Aug 28 10:23:40 fedora kernel: ACPI: Sleep Button (CM) [FUTS]
Aug 28 10:23:40 fedora kernel: EXT3 FS on hda2, internal journal

Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc: denied {search } for pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745scontext=system_u:system_r:udev_ttcontext=system_u:object_r:default_context_t tclass=dirAug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied {execute_no_trans } for pid=1271 exe=/sbin/udevpath=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_ttclass=fileAug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied {write }for pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_ttclass=file

There repeat many times. When run in permissive mode, this sequencebecomes:


Aug 28 10:32:25 fedora kernel: EXT3 FS on hda2, internal journal

Aug 28 10:32:25 fedora kernel: audit(1093714297.852:0): avc: denied {search } for pid=1283 exe=/sbin/udev name=contexts dev=hda2 ino=4509745scontext=system_u:system_r:udev_ttcontext=system_u:object_r:default_context_t tclass=dirAug 28 10:32:25 fedora kernel: audit(1093714297.859:0): avc: denied {search } for pid=1283 exe=/sbin/udev name=files dev=hda2 ino=4509746scontext=system_u:system_r:udev_ttcontext=system_u:object_r:file_context_t tclass=dirAug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied {read } for pid=1283 exe=/sbin/udev name=file_contexts dev=hda2ino=4505700 scontext=system_u:system_r:udev_ttcontext=system_u:object_r:file_context_t tclass=fileAug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied {getattr} for pid=1283 exe=/sbin/udevpath=/etc/selinux/strict/contexts/files/file_contexts dev=hda2ino=4505700 scontext=system_u:system_r:udev_ttcontext=system_u:object_r:file_context_t tclass=fileAug 28 10:32:25 fedora kernel: audit(1093714298.077:0): avc: denied {execute_no_trans } for pid=1285 exe=/sbin/udevpath=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_ttclass=fileAug 28 10:32:25 fedora kernel: audit(1093714298.109:0): avc: denied {search } for pid=1285 exe=/bin/bash name=console dev=hda2 ino=4456494scontext=system_u:system_r:udev_ttcontext=system_u:object_r:pam_var_console_t tclass=dirAug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied {write }for pid=1283 exe=/sbin/udev name=fscreate dev=proc ino=84082710scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_ttclass=fileAug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied {setfscreate } for pid=1283 exe=/sbin/udevscontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_ttclass=processAug 28 10:32:25 fedora kernel: audit(1093714317.126:0): avc: denied {search } for pid=1671 exe=/sbin/udev name=files dev=hda2 ino=4509746scontext=system_u:system_r:udev_ttcontext=system_u:object_r:file_context_t tclass=dir


Audit2allow on this says:
allow  : { write };
allow udev_t default_context_t:dir { search };
allow udev_t etc_t:file { execute_no_trans };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t udev_t:process { setfscreate };

The funny 'allow : { write };' is for the write of 'fscreate' in /proc.

After obtaining the graphical login screen, here is the offending AVC:

Aug 28 10:24:42 fedora gdm(pam_unix)[3888]: session opened for user tblby (uid=0)Aug 28 10:24:43 fedora kernel: audit(1093713883.626:0): avc: denied {create } for pid=4042 exe=/usr/bin/dbus-daemon-1scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_ttclass=netlink_selinux_socket


An error window pops up reporting an SELinux/AVC type failure. It then
returns to the login screen.

Just prior to that, there are many 'denied's from udev and hald. Hereare a few:

Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } forscontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_ttclass=dbusAug 28 10:24:21 fedora kernel: audit(1093713853.755:0): avc: denied {execute} for pid=3466 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2ino=606213 scontext=system_u:system_r:hald_ttcontext=system_u:object_r:bin_t tclass=file

Aug 28 10:24:21 fedora udev[3953]: creating device node '/dev/vcs7'

Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } forscontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_ttclass=dbusAug 28 10:24:22 fedora kernel: audit(1093713853.817:0): avc: denied {search } for pid=3798 exe=/sbin/udev name=contexts dev=hda2 ino=4509745scontext=system_u:system_r:udev_ttcontext=system_u:object_r:default_context_t tclass=dirAug 28 10:24:22 fedora dbus: avc: denied { send_msg } forscontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_ttclass=dbusAug 28 10:24:22 fedora kernel: audit(1093713853.819:0): avc: denied {execute_no_trans } for pid=3846 exe=/sbin/udevpath=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_ttclass=fileAug 28 10:24:22 fedora dbus: avc: denied { send_msg } forscontext=system_u:system_r:updfstab_t tcontext=system_u:system_r:hald_ttclass=dbusAug 28 10:24:22 fedora kernel: audit(1093713853.820:0): avc: denied {write }for pid=3798 exe=/sbin/udev name=fscreate dev=proc ino=248905750scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_ttclass=file

[BTW: When I reboot, /etc/fstab has been relabeled to type tmp_t.Is the above causing this?]


I rebooted strict/permissive, and things appear OK, including loading
of sound modules.

However, as noted above, something is relabeling /etc/fstab to tmp_t:

Aug 28 10:33:21 fedora gdm(pam_unix)[3786]: session opened for user tblby (uid=0)Aug 28 10:33:21 fedora kernel: audit(1093714401.349:0): avc: denied {read } for pid=3786 exe=/usr/bin/gdm-binary name=fstab dev=hda2ino=4654141 scontext=system_u:system_r:xdm_ttcontext=system_u:object_r:tmp_t tclass=fileAug 28 10:33:21 fedora kernel: audit(1093714401.350:0): avc: denied {getattr} for pid=3786 exe=/usr/bin/gdm-binary path=/etc/fstab dev=hda2ino=4654141 scontext=system_u:system_r:xdm_ttcontext=system_u:object_r:tmp_t tclass=file


I believe I'm running a 'stock' Rawhide system.

tom

Previous by Date:	Re: dot directory - (exceptions), Jim Cornette
Next by Date:	fstab-sync - relabeling /etc/fstab?, Tom London
Previous by Thread:	dot directory - .mozilla, .gqview, ETC:, Jim Cornette
Next by Thread:	Re: Progress! .532 boots! -- but dbus/hotplug/udev problems remain?, Russell Coker
Indexes:	[Date] [Thread] [Top] [All Lists]

Progress! .532 boots! -- but dbus/hotplug/udev problems remain?: msg#00200

Free Magazines

<Prev in Thread]	Current Thread	[Next in Thread>