From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4B21B168.3030703@giz-works.com>
Date: Thu, 10 Dec 2009 20:41:44 -0600
From: Chris Richards
To: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
List-Id: Gentoo Linux mail
Subject: [gentoo-hardened] UDEV AVC Denials on with strict SELinux policy

I'm seeing some AVC denials that don't make any sense to me. When I boot the system, I see the following on my console:

 * Mounting /dev ...                                                [ok]
/etc/init.d/udev-mount: line 63: /dev/null: Permission denied
/etc/init.d/udev: line 69: /dev/null: Permission denied
 * Starting udevd ...                                               [ok]
 * Populating /dev with existing devices through uevents ...        [ok]
 * Waiting for uevents to be processed ...
error sending message: Permission denied                            [ok]
error sending message: Permission denied
udevadm[601]: error sending message: Permission denied

/var/log/dmesg shows the following:

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461 comm="bash" name="null" dev=tmpfs ino=1367 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.640:4): avc: denied { read write } for pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.640:5): avc: denied { read write } for pid=470 comm="write_root_link" name="console" dev=tmpfs ino=1364 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471 comm="udevadm" name="file_contexts" dev=sda3 ino=737895 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
type=1400 audit(1260416495.736:7): avc: denied { write } for pid=475 comm="bash" name="null" dev=tmpfs ino=1367 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
udev: starting version 146
type=1400 audit(1260416496.041:8): avc: denied { read } for pid=479 comm="udevadm" name="file_contexts" dev=sda3 ino=737895 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
type=1400 audit(1260416496.057:9): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416496.057:10): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416496.057:11): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file

If I'm reading these right, then /dev/null, /dev/tty, /dev/console all have the wrong context: device_t. Thing is, they don't: /dev/null is null_device_t, /dev/tty is devtty_t, /dev/console is console_device_t, verified for both udev-mounted and static dev mounted.

The denial on file_contexts I don't understand, unless there is no rule to transition from initrc_t to file_contexts_t.

Can anyone offer any guidance? I'm suspicious of some sort of race condition, given where these errors are being generated, but I don't know.

Thanks,
Chris
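An added example, not part of Chris's post and not Gentoo or udev tooling: a small Python parser for the type=1400 audit records quoted above. It groups the denials by source type, target type and object class, lists which object each denied process hit and under which label, and prints the allow rules that audit2allow would derive from the same input. The four sample records are copied from the post; the function names (parse_avc, summarize, allow_rules, objects_hit) and the type_of helper are assumptions of this example. The generated rules are for reading, not loading: device_t is the generic label for device nodes, so allowing initrc_t or insmod_t access to device_t:chr_file would grant access to every node carrying that default label rather than just the three nodes in the log.

```python
"""Parse SELinux AVC denial records and summarise them by domain / type / class."""
import re
from collections import defaultdict

# Sample records copied from the post above (the audit(...) serials 3, 4, 6 and 9).
SAMPLE = """\
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461 comm="bash" name="null" dev=tmpfs ino=1367 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.640:4): avc: denied { read write } for pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471 comm="udevadm" name="file_contexts" dev=sda3 ino=737895 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
udev: starting version 146
type=1400 audit(1260416496.057:9): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = frozenset(m.group('perms').split())
    return rec


def type_of(context):
    """Third field of user:role:type[:range], e.g. 'device_t' (hypothetical helper)."""
    return context.split(':')[2]


def summarize(log):
    """Group denials as {(source_type, target_type, tclass): set(perms)}."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key] |= rec['perms']
    return dict(groups)


def allow_rules(log):
    """The allow rules audit2allow would emit for these denials, sorted for stable output."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summarize(log).items()
    )


def objects_hit(log):
    """(comm, object name or path, target type) per denial: shows which nodes carried which label."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec['comm'], rec.get('path') or rec.get('name'), type_of(rec['tcontext'])))
    return out


if __name__ == '__main__':
    for comm, obj, ttype in objects_hit(SAMPLE):
        print(f"{comm:16} {obj:16} labelled {ttype}")
    print()
    print('\n'.join(allow_rules(SAMPLE)))
```

Run it as-is to see the four objects and their labels at the moment of each denial, followed by the three rules; feed it the full dmesg excerpt to get the same grouping over all nine records. The objects_hit output is the quickest way to confirm what the post already notes: the tmpfs nodes were seen as device_t at the time bash, write_root_link and modprobe touched them, whatever ls -Z reports after boot.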