On Tue, 2007-06-19 at 20:55 -0400, Bill Sharer wrote:
> I'm on the 2006.1 unstable profile for selinux and think I may have a
> race condition that results in avc denials before selinux has finished
> labeling things like /dev. For example, the first denial below appears
> to be where /etc/hotplug.d/default/default.hotplug is peeking and poking
> around with /dev/null. The denial has it as a system_u:object_r:file_t,
> but when I look at it from a running system I see it as a
> system_u:object_r:null_device_t. Should I be messing around in
> /etc/runlevels/boot to put dependencies in various scripts (although
> selinux isn't a script so how would I make it a dependency?)

This is indeed a race. Hotplug events can happen at any time, and when
that happens it results in the kernel calling userland to do some
handling, and in your case it's happening during SELinux initialization.
This type of problem has been reported in the past, but it's so
infrequent that I can't remember nor find the workaround. :x It's not a
boot runlevel fix as this is happening while init (the program, pid 1)
is starting, so the init scripts haven't started.

> snippet from a dmesg:
>
> security: 5 users, 5 roles, 1376 types, 81 bools
> security: 59 classes, 61906 rules
> security: class dccp_socket not defined in policy
> security: permission dccp_recv in class node not defined in policy
> security: permission dccp_send in class node not defined in policy
> security: permission dccp_recv in class netif not defined in policy
> security: permission dccp_send in class netif not defined in policy
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev sda5, type ext3), uses xattr
> inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for
> dev=sda5 ino=1938273
> audit(1182137416.171:2): avc: denied { ioctl } for pid=884
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.203:3): avc: denied { read } for pid=889 comm="env"
> name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137416.204:4): avc: denied { read } for pid=884
> comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t
> tclass=file
> audit(1182137416.206:5): avc: denied { search } for pid=884
> comm="default.hotplug" name="var" dev=sda5 ino=1254177
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t
> tclass=dir
> audit(1182137416.221:6): avc: denied { search } for pid=884
> comm="default.hotplug" name="log" dev=sda5 ino=1255669
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t
> tclass=dir
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1182137416.259:7): policy loaded auid=4294967295
> audit(1182137416.261:8): avc: denied { read write } for pid=1
> comm="init" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init"
> name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137416.277:10): avc: denied { read } for pid=891
> comm="hotplug" name="urandom" dev=sda5 ino=732962
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.279:11): avc: denied { write } for pid=891
> comm="hotplug" name="tty" dev=sda5 ino=734192
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.296:12): avc: denied { ioctl } for pid=893
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.758:13): avc: denied { read write } for pid=970
> comm="rc" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.033:14): avc: denied { read write } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.034:15): avc: denied { search } for pid=994
> comm="consoletype" name="dev" dev=sda5 ino=732961
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=dir
> audit(1182137417.034:16): avc: denied { getattr } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.035:17): avc: denied { ioctl } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.082:18): avc: denied { ioctl } for pid=997
> comm="stty" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.172:19): avc: denied { getattr } for pid=970
> comm="bash" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.196:20): avc: denied { read write } for pid=1001
> comm="dmesg" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.220:21): avc: denied { read write } for pid=1004
> comm="mount" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1182137417.478:22): avc: denied { read write } for pid=1038
> comm="restorecon" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.716:23): avc: denied { write } for pid=1042
> comm="bash" name="null" dev=tmpfs ino=2106
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
> tclass=chr_file
> audit(1182137417.875:24): avc: denied { read write } for pid=1062
> comm="udevd" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137418.770:25): avc: denied { read } for pid=1194
> comm="modprobe" name="console" dev=tmpfs ino=2100
> scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
> tclass=chr_file
> audit(1182137424.374:26): avc: denied { getattr } for pid=2059
> comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t
> tclass=file
> audit(1182137424.376:27): avc: denied { read } for pid=2112
> comm="grep" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t
> tclass=file
--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
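As an added triage aid (not part of this thread or of any Gentoo tool): a Python script that sorts AVC denials like the ones quoted above into the race symptoms Chris describes (userland helpers still running as kernel_t because no policy was loaded yet, and targets still carrying the unlabeled file_t type) versus denials that point at a genuinely missing allow rule. The sample records are copied from the quoted dmesg with the wrapped lines rejoined; the bucket names and the classification rule are my own assumptions.

```python
import re
from collections import defaultdict

# Sample records copied from the dmesg quoted in the mail (wrapped lines rejoined).
SAMPLE_DMESG = """\
SELinux: Completing initialization.
audit(1182137416.171:2): avc: denied { ioctl } for pid=884 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.259:7): policy loaded auid=4294967295
audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.296:12): avc: denied { ioctl } for pid=893 comm="default.hotplug" name="null" dev=sda5 ino=733068 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137424.376:27): avc: denied { read } for pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'for +pid=(?P<pid>\d+) +comm="(?P<comm>[^"]+)" +name="(?P<name>[^"]+)" .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)')
POLICY_RE = re.compile(r'audit\((?P<ts>[\d.]+):\d+\): policy loaded')

# Types that mean "this inode never got a label", not "policy forbids this".
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def triage(dmesg_text):
    """Bucket AVC denials by (comm, name), using the 'policy loaded' record as the cut-off."""
    policy_loaded_at = None
    buckets = defaultdict(list)
    for line in dmesg_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy_loaded_at = float(m.group("ts"))
            continue
        m = AVC_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        key = (d["comm"], d["name"])
        if policy_loaded_at is None or float(d["ts"]) < policy_loaded_at:
            buckets["before_policy_load"].append(key)   # kernel-spawned helper, no policy yet
        elif type_of(d["tcontext"]) in UNLABELED_TYPES:
            buckets["unlabeled_target"].append(key)     # /dev node not relabeled yet
        else:
            buckets["policy_gap"].append(key)           # candidate for a real allow rule
    return dict(buckets)
```

Only the last bucket is worth turning into policy; the first two go away once labeling catches up, which is the ordering problem Chris is describing.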