François Valenduc writes:

> Hello everybody,
>
> I have installed SELinux and I tried to switch from permissive to
> enforcing policy. Following that, I get plenty of errors like
> run_program exec of /lib64/udev/net.sh failed
> This occurs for all scripts in this folder. I have rebuilt udev to
> include SELinux patches, but it doesn't work very well.
>
> Does anybody know a solution to this problem?

I received a similar error a year ago, when I was using SELinux on my
gentoo-hardened box. To fix it, I labelled all scripts in /lib64/udev
with the 'system_u:object_r:udev_helper_exec_t' context. So try the following,
and see if everything works:

---->8---->8----
# chcon -Rc system_u:object_r:udev_helper_exec_t /lib64/udev
----8<----8<----

Following are the denials I received:

---->8---->8----
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:6): avc: denied { execute_no_trans } for pid=1090 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:7): avc: denied { execute_no_trans } for pid=1087 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:8): avc: denied { execute_no_trans } for pid=1088 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:9): avc: denied { execute_no_trans } for pid=1096 comm="udevd" name="ata_id" dev=sdb5 ino=8160381 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.568:10): avc: denied { execute_no_trans } for pid=1091 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:12): avc: denied { execute_no_trans } for pid=1101 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:13): avc: denied { execute_no_trans } for pid=1102 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:14): avc: denied { execute_no_trans } for pid=1104 comm="udevd" name="scsi_id" dev=sdb5 ino=8160369 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.576:15): avc: denied { execute_no_trans } for pid=1103 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
----8<----8<----

If you receive more errors, try fixing udev's policy in
serefpolicy. It'll be better if you work with the latest release.

I'm not using SELinux these days, so I won't be able to help you further.

HTH
--
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
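As an added example that is not part of this thread, the following Python script does the triage step the reply performs by hand: it parses kernel AVC denial lines like the ones quoted above, groups them by source type, target type, object class and denied permission, and turns the group of udev_t processes denied execute_no_trans on lib_t files into per-file chcon commands using the udev_helper_exec_t label the reply suggests. The three page lines in the sample are taken from the thread; the other two sample lines, the /lib64/udev helper directory and the function names are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first three kernel AVC lines quoted in the
# thread, one unrelated kernel line, and one constructed denial of a
# different kind so that the grouping has something to separate.
SAMPLE_LOG = """\
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:13 [kernel] audit(1196985843.564:6): avc: denied { execute_no_trans } for pid=1090 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file
Dec 7 00:04:14 [kernel] usb 1-1: new high speed USB device using ehci_hcd and address 2
Dec 7 00:04:15 [kernel] audit(1196985845.100:20): avc: denied { read } for pid=1200 comm="udevd" name="rules.d" dev=sdb5 ino=8160400 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the key=value fields (plus 'perms') for one AVC denial
    line, or None when the line is not an AVC denial at all."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """Type field of an SELinux context written as user:role:type[:level]."""
    return ctx.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class, permissions) and
    collect the sorted set of object names seen for each group."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec.get("tclass", "?"), tuple(rec["perms"]))
        groups[key].add(rec.get("name", "?"))
    return {k: sorted(v) for k, v in groups.items()}


def suggest_relabel(summary, helper_dir="/lib64/udev",
                    target_type="udev_helper_exec_t"):
    """Build one chcon command per udev helper that udev_t was denied
    execute_no_trans on while the file carried lib_t. The target label
    follows the reply's advice; helper_dir is an assumption."""
    cmds = []
    for (stype, ttype, tclass, perms), names in summary.items():
        if (stype == "udev_t" and ttype == "lib_t" and tclass == "file"
                and "execute_no_trans" in perms):
            for name in names:
                cmds.append(f"chcon system_u:object_r:{target_type} {helper_dir}/{name}")
    return cmds


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for (stype, ttype, tclass, perms), names in summary.items():
        print(f"{stype} -> {ttype} ({tclass}) {' '.join(perms)}: {', '.join(names)}")
    for cmd in suggest_relabel(summary):
        print("#", cmd)
```

Only the lib_t group yields relabel commands; the constructed etc_t/dir read denial is reported but left alone, since it needs a policy decision rather than a label change. A chcon change lives only in the inode's extended attribute and is undone by the next restorecon or filesystem relabel, so the durable fix is the file_contexts entry in the policy package (serefpolicy, as the reply says), with chcon as the quick check that the label is the actual cause.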