I'm seeing some AVC denials that don't make any sense to me.

When I boot the system, I see the following on my console:

* Mounting /dev ... [ok]
/etc/init.d/udev-mount: line 63: /dev/null: Permission denied
/etc/init.d/udev: line 69: /dev/null: Permission denied
* Starting udevd ... [ok]
* Populating /dev with existing devices through uevents ... [ok]
* Waiting for uevents to be processed ...
error sending message: Permission denied [ok]
error sending message: Permission denied
udevadm[601]: error sending message: Permission denied

/var/log/dmesg shows the following:

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461 comm="bash" name="null" dev=tmpfs ino=1367 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.640:4): avc: denied { read write } for pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.640:5): avc: denied { read write } for pid=470 comm="write_root_link" name="console" dev=tmpfs ino=1364 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471 comm="udevadm" name="file_contexts" dev=sda3 ino=737895 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
type=1400 audit(1260416495.736:7): avc: denied { write } for pid=475 comm="bash" name="null" dev=tmpfs ino=1367 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
udev: starting version 146
type=1400 audit(1260416496.041:8): avc: denied { read } for pid=479 comm="udevadm" name="file_contexts" dev=sda3 ino=737895 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
type=1400 audit(1260416496.057:9): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416496.057:10): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416496.057:11): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file

If I'm reading these right, then /dev/null, /dev/tty, /dev/console all
have the wrong context: device_t.

Thing is, they don't:
/dev/null is null_device_t, /dev/tty is devtty_t, /dev/console is
console_device_t, verified for both udev mounted and static dev mounted.

The denial on file_contexts I don't understand, unless there is no rule
to transition from initrc_t to file_context_t.

Can anyone offer any guidance? I'm suspicious of some sort of race
condition, given where these errors are being generated, but I don't know.

Thanks,
Chris
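The records quoted above, run through a small parser. This is an added example and not part of Chris's post or of any SELinux tool: it rejoins audit records that a mail client has wrapped onto several lines, groups the denials by source type, target type and object class, and renders each group as the allow rule audit2allow would propose. The only input it assumes is the constructed SAMPLE_DMESG, which is a subset of the post's records re-wrapped the way mail wraps them. The rendered rules are there to read, not to load: the tcontext in each record is the label the kernel saw at the moment of the access, so a rule written against that label is the right fix only if that is the label the object is meant to carry.

```python
"""Parse SELinux AVC denial records (type=1400) out of dmesg text and
summarise them by source type, target type and object class.

Added example, not code from the original post.  The only input it
assumes is the constructed SAMPLE_DMESG below (records from the post,
re-wrapped the way a mail client wraps long lines)."""
import re
from collections import defaultdict

SAMPLE_DMESG = """\
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461
comm="bash" name="null" dev=tmpfs ino=1367
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416495.640:4): avc: denied { read write } for
pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471
comm="udevadm" name="file_contexts" dev=sda3 ino=737895
scontext=system_u:system_r:initrc_t
tcontext=root:object_r:file_context_t tclass=file
udev: starting version 146
type=1400 audit(1260416496.057:9): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file
"""

# One record: type=1400 audit(<secs>:<serial>): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r'type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
KV_START = re.compile(r'\w+=')               # how a wrapped continuation line starts


def join_wrapped(text):
    """Re-join audit records that were wrapped onto several lines.

    A line starting with key=value that follows an open 'type=1400' record
    is glued onto it; any other line (a new record, or an unrelated kernel
    message such as 'udev: starting ...') ends the record.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (records and records[-1].startswith('type=1400')
                and not line.startswith('type=') and KV_START.match(line)):
            records[-1] += ' ' + line
        else:
            records.append(line)
    return records


def type_of(context):
    """user:role:type[:level] -> type, the field policy rules are written against."""
    return context.split(':')[2]


def parse_avc(record):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),  # path= on newer kernels
        'dev': fields.get('dev'),
        'ino': fields.get('ino'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],   # label the kernel saw at access time
        'tclass': fields['tclass'],
    }


def summarize(records):
    """Group denials by (source type, target type, class) and union the perms."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0,
                                  'targets': set(), 'comms': set()})
    for r in records:
        if r['result'] != 'denied':
            continue
        g = groups[(type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])]
        g['perms'].update(r['perms'])
        g['count'] += 1
        g['targets'].add(r['target'])
        g['comms'].add(r['comm'])
    return dict(groups)


def allow_rules(summary):
    """Render each group in audit2allow style; for reading, not for loading."""
    rules = []
    for (src, tgt, cls), g in sorted(summary.items()):
        perms = sorted(g['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_str))
    return rules


def analyze(text):
    records = [r for r in map(parse_avc, join_wrapped(text)) if r]
    return records, summarize(records)


if __name__ == '__main__':
    recs, summary = analyze(SAMPLE_DMESG)
    for (src, tgt, cls), g in sorted(summary.items()):
        print('%-10s -> %-15s %-9s %-12s x%d  %s' % (src, tgt, cls,
              ' '.join(sorted(g['perms'])), g['count'], ', '.join(sorted(g['targets']))))
    print('\n'.join(allow_rules(summary)))
```

Feed it the full dmesg instead of SAMPLE_DMESG and the grouping is what makes the post's point visible at a glance: every chr_file denial names device_t as the target, while the same nodes carry null_device_t, devtty_t and console_device_t when inspected afterwards.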