Gentoo Archives: gentoo-hardened

From: Chris Richards <gizmo@×××××××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] UDEV AVC Denials on with strict SELinux policy
Date: Fri, 11 Dec 2009 04:00:46
Message-Id: 4B21B168.3030703@giz-works.com
I'm seeing some AVC denials that don't make any sense to me.

When I boot the system, I see the following on my console:

* Mounting /dev ... [ok]
/etc/init.d/udev-mount: line 63: /dev/null: Permission denied
/etc/init.d/udev: line 69: /dev/null: Permission denied
* Starting udevd ... [ok]
* Populating /dev with existing devices through uevents ... [ok]
* Waiting for uevents to be processed ...
error sending message: Permission denied [ok]
error sending message: Permission denied
udevadm[601]: error sending message: Permission denied

/var/log/dmesg shows the following:

SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461
comm="bash" name="null" dev=tmpfs ino=1367
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file

type=1400 audit(1260416495.640:4): avc: denied { read write } for
pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file

type=1400 audit(1260416495.640:5): avc: denied { read write } for
pid=470 comm="write_root_link" name="console" dev=tmpfs ino=1364
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file

type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471
comm="udevadm" name="file_contexts" dev=sda3 ino=737895
scontext=system_u:system_r:initrc_t
tcontext=root:object_r:file_context_t tclass=file

type=1400 audit(1260416495.736:7): avc: denied { write } for pid=475
comm="bash" name="null" dev=tmpfs ino=1367
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file

udev: starting version 146

type=1400 audit(1260416496.041:8): avc: denied { read } for pid=479
comm="udevadm" name="file_contexts" dev=sda3 ino=737895
scontext=system_u:system_r:initrc_t
tcontext=root:object_r:file_context_t tclass=file

type=1400 audit(1260416496.057:9): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file

type=1400 audit(1260416496.057:10): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file

type=1400 audit(1260416496.057:11): avc: denied { read write } for
pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file

If I'm reading these right, then /dev/null, /dev/tty, /dev/console all
have the wrong context: device_t.

Thing is, they don't:
/dev/null is null_device_t, /dev/tty is devtty_t, /dev/console is
console_device_t, verified for both udev mounted and static dev mounted.

The denial on file_contexts I don't understand, unless there is no rule
to transition from initrc_t to file_contexts_t.

Can anyone offer any guidance? I'm suspicious of some sort of race
condition, given where these errors are being generated, but I don't know.

Thanks,
Chris
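As an added example (not from the post, and not Gentoo's or udev's own tooling), a small Python parser that reads AVC records like the ones above and groups them by source type, target type and object class, so the initrc_t denials on device_t-labelled /dev nodes stand out from the file_contexts one. The sample records are copied from the post and re-joined onto single lines; the field layout assumed is the standard kernel AVC format shown there.

```python
import re
from collections import defaultdict

# Sample AVC records taken from the post above (each record re-joined onto one line).
SAMPLE_DMESG = """\
type=1400 audit(1260416495.426:3): avc: denied { write } for pid=461 comm="bash" name="null" dev=tmpfs ino=1367 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.640:4): avc: denied { read write } for pid=470 comm="write_root_link" name="tty" dev=tmpfs ino=1366 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
type=1400 audit(1260416495.695:6): avc: denied { read } for pid=471 comm="udevadm" name="file_contexts" dev=sda3 ino=737895 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file
udev: starting version 146
type=1400 audit(1260416496.057:9): avc: denied { read write } for pid=481 comm="modprobe" path="/dev/null" dev=tmpfs ino=1367 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a user:role:type context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class), collecting perms, comms and objects."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # non-AVC kernel lines such as "udev: starting version 146"
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["objects"].add(rec.get("path") or rec.get("name"))
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (s, t, c), g in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{s} -> {t} ({c}): {g['count']}x perms={sorted(g['perms'])} comms={sorted(g['comms'])} objects={sorted(g['objects'])}")
```

Run against a real /var/log/dmesg or audit.log, the same grouping shows whether every device_t denial is stamped before "udev: starting version", which is the timing evidence the race-condition theory above needs.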