| 1 |
François Valenduc writes: |
| 2 |
> Hello everybody, |
| 3 |
> I have installed selinux and I tried to switch from permissive to |
| 4 |
> enforcing policy. Following that, I get plenty of errors like |
| 5 |
> run_program exec of /lib64/udev/net.sh failed |
| 6 |
> This occurs for all scripts in this folder. I have rebuild udev to |
| 7 |
> include selinux patches, but it doesn't work very well. |
| 8 |
|
| 9 |
> Does anybody know a solution to this problem ? |
| 10 |
|
| 11 |
I received similar error an year ago, when I'm using SELinux on my |
| 12 |
gentoo-hardened box. To fix it, I labelled all scripts in /lib64/udev |
| 13 |
with 'system_u:object_r:udev_helper_exec_t' context. So try following, |
| 14 |
and see if everything works: |
| 15 |
|
| 16 |
---->8---->8---- |
| 17 |
# chcon -Rc system_u:object_r:udev_helper_exec_t /lib64/udev |
| 18 |
----8<----8<---- |
| 19 |
|
| 20 |
Following is the denials I received: |
| 21 |
|
| 22 |
---->8---->8---- |
| 23 |
Dec 7 00:04:13 [kernel] audit(1196985843.508:4): avc: denied { execute_no_trans } for pid=1055 comm="udevd" name="cdrom_id" dev=sdb5 ino=8160366 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 24 |
Dec 7 00:04:13 [kernel] audit(1196985843.564:5): avc: denied { execute_no_trans } for pid=1089 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 25 |
Dec 7 00:04:13 [kernel] audit(1196985843.564:6): avc: denied { execute_no_trans } for pid=1090 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 26 |
Dec 7 00:04:13 [kernel] audit(1196985843.564:7): avc: denied { execute_no_trans } for pid=1087 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 27 |
Dec 7 00:04:13 [kernel] audit(1196985843.568:8): avc: denied { execute_no_trans } for pid=1088 comm="udevd" name="modprobe.sh" dev=sdb5 ino=8160362 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 28 |
Dec 7 00:04:13 [kernel] audit(1196985843.568:9): avc: denied { execute_no_trans } for pid=1096 comm="udevd" name="ata_id" dev=sdb5 ino=8160381 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 29 |
Dec 7 00:04:13 [kernel] audit(1196985843.568:10): avc: denied { execute_no_trans } for pid=1091 comm="udevd" name="usb_id" dev=sdb5 ino=8160365 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 30 |
Dec 7 00:04:13 [kernel] audit(1196985843.576:12): avc: denied { execute_no_trans } for pid=1101 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 31 |
Dec 7 00:04:13 [kernel] audit(1196985843.576:13): avc: denied { execute_no_trans } for pid=1102 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 32 |
Dec 7 00:04:13 [kernel] audit(1196985843.576:14): avc: denied { execute_no_trans } for pid=1104 comm="udevd" name="scsi_id" dev=sdb5 ino=8160369 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 33 |
Dec 7 00:04:13 [kernel] audit(1196985843.576:15): avc: denied { execute_no_trans } for pid=1103 comm="udevd" name="path_id" dev=sdb5 ino=8160374 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:lib_t tclass=file |
| 34 |
----8<----8<---- |
| 35 |
|
| 36 |
If you receive more errors, try fixing udev's policy in |
| 37 |
serefpolicy. It'll be better if you work with latest release. |
| 38 |
|
| 39 |
I'm not using SELinux these days, so won't be able to help you further. |
| 40 |
|
| 41 |
HTH |
| 42 |
-- |
| 43 |
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- |
Archives