* [gentoo-hardened] UDEV AVC Denials on with strict SELinux policy
@ 2009-12-11 2:41 Chris Richards
0 siblings, 0 replies; only message in thread
From: Chris Richards @ 2009-12-11 2:41 UTC (permalink / raw
To: gentoo-hardened
I'm seeing some AVC denials that don't make any sense to me.
When I boot the system, I see the following on my console:
* Mounting /dev ... [ok]
/etc/init.d/udev-mount: line 63: /dev/null: Permission denied
/etc/init.d/udev: line 69: /dev/null: Permission denied
* Starting udevd ... [ok]
* Populating /dev with existing devices through uevents ... [ok]
* Waiting for uevents to be processed ...
error sending message: Permission denied [ok]
error sending message: Permission denied
udevadm[601]: error sending message: Permission denied
/var/log/dmesg shows the following:
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461
comm="bash" name="null" dev=tmpfs ino=1367
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416495.640:4): avc: denied { read write } for
pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416495.640:5): avc: denied { read write } for
pid=470 comm="write_root_link" name="console" dev=tmpfs ino=1364
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471
comm="udevadm" name="file_contexts" dev=sda3 ino=737895
scontext=system_u:system_r:initrc_t
tcontext=root:object_r:file_context_t tclass=file
type=1400 audit(1260416495.736:7): avc: denied { write } for pid=475
comm="bash" name="null" dev=tmpfs ino=1367
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
udev: starting version 146
type=1400 audit(1260416496.041:8): avc: denied { read } for pid=479
comm="udevadm" name="file_contexts" dev=sda3 ino=737895
scontext=system_u:system_r:initrc_t
tcontext=root:object_r:file_context_t tclass=file
type=1400 audit(1260416496.057:9): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416496.057:10): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416496.057:11): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file
If I'm reading these right, then /dev/null, /dev/tty, /dev/console all
have the wrong context: device_t.
Thing is, they don't:
/dev/null is null_device_t, /dev/tty is devtty_t, /dev/console is
console_device_t verified for both udev mounted and static dev mounted.
The denial on file_contexts I don't understand, unless there is no rule
to transistion from initrc_t to file_contexts_t.
Can any one offer any guidance? I'm suspicious of some sort of race
condition, given where these errors are being generated, but I don't know.
Thanks,
Chris
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2009-12-11 4:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-12-11 2:41 [gentoo-hardened] UDEV AVC Denials on with strict SELinux policy Chris Richards
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox