Gentoo Archives: gentoo-hardened

From: Eugen Wagner <wagner.eugen@××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] troubles with selinux (strange avc-messages)
Date: Wed, 03 Jun 2009 18:01:32
Message-Id: 1244052007.3518.40.camel@laptop
In Reply to: Re: [gentoo-hardened] troubles with selinux (strange avc-messages) by William Keaney
On Wednesday 03 June 2009, 08:46 -0400 William Keaney wrote:

> I had similar issues a while back. The problem is that the static device
> nodes in /dev on your root filesystem do not have the proper labels. Once udev
> starts, it mounts its own fs over that location and replaces the files with
> correctly labeled nodes.
> Try booting with "init=/bin/bash", then run "mount -o remount,rw /". This
> should give you access to the static nodes in /dev, and you can relabel them
> with the correct contexts.
>
> Will Keaney

William Keaney, thank you for your quick answer!
I forgot that there could be static files in /dev :-)
I did 'mount --bind / /mnt/fixdev'
and executed setfiles on fixdev/dev. It works fine and I have no more
avc-messages from init. All the static files in /dev (files dev=hda2)
are now correctly labeled. But I'm still getting:
----------------------------------------------------------------------
audit(1244054432.619:3): avc: denied { write } for pid=1126
comm="bash" name="null" dev=tmpfs ino=1445
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1244054432.719:4): avc: denied { read } for pid=1133
comm="write_root_link" name="console" dev=tmpfs ino=1439
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1244054433.191:5): avc: denied { read write } for pid=1184
comm="modprobe" name="null" dev=tmpfs ino=1445
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1244054433.191:6): avc: denied { getattr } for pid=1184
comm="modprobe" name="null" dev=tmpfs ino=1445
scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
tclass=chr_file
----------------------------------------------------------------------
ls -iZ /dev/{null,console}
1439 system_u:object_r:console_device_t /dev/console
1445 system_u:object_r:null_device_t /dev/null

Now /dev/null and /dev/console are the dynamically created files on
tmpfs. But the type in the avc-message differs from the type I get
with
ls -Z
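As an added example (not part of this thread and not code from either poster), here is a small Python script that parses AVC denial lines of the form quoted above, groups them by source type, target type and object class the way audit2allow summarises them, and compares the target type recorded in each denial against the label the same inode carries now. That comparison is what makes the situation in this message visible: the denials name `device_t`, but `ls -iZ` reports `null_device_t` and `console_device_t` for the same inode numbers, so the node was labelled differently at the moment of the denial than it is after boot finished. The sample log lines and `ls -iZ` output are reconstructed from the message (joined back onto one line each); the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in the thread, one per line.
SAMPLE_AVC = """\
audit(1244054432.619:3): avc: denied { write } for pid=1126 comm="bash" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054432.719:4): avc: denied { read } for pid=1133 comm="write_root_link" name="console" dev=tmpfs ino=1439 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054433.191:5): avc: denied { read write } for pid=1184 comm="modprobe" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1244054433.191:6): avc: denied { getattr } for pid=1184 comm="modprobe" name="null" dev=tmpfs ino=1445 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t tclass=chr_file
"""

# Constructed sample: what `ls -iZ /dev/{null,console}` reported after boot.
SAMPLE_LS = """\
1439 system_u:object_r:console_device_t /dev/console
1445 system_u:object_r:null_device_t /dev/null
"""

# Header of a kernel AVC record: timestamp, serial, the permission set in braces,
# then the remaining key=value fields.
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]*?) \} for (?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for numeric in ("pid", "ino"):
        if numeric in rec:
            rec[numeric] = int(rec[numeric])
    return rec


def parse_ls_iZ(text):
    """Map inode number -> (path, security context) from `ls -iZ` output."""
    current = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ino, ctx, path = parts
        current[int(ino)] = (path, ctx)
    return current


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def summarize(avc_text):
    """Group denials by (source type, target type, class) -> set of permissions,
    which is the grouping audit2allow uses when it proposes allow rules."""
    groups = defaultdict(set)
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return dict(groups)


def find_label_drift(avc_text, ls_text):
    """Return (serial, path, logged_type, current_type) for every denial whose
    recorded target type differs from the label the same inode carries now.
    Matching by inode assumes both samples come from the same tmpfs instance,
    i.e. the same boot; inode numbers are not stable across mounts."""
    current = parse_ls_iZ(ls_text)
    drift = []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "ino" not in rec or "tcontext" not in rec:
            continue
        entry = current.get(rec["ino"])
        if entry is None:
            continue
        path, ctx = entry
        logged, now = context_type(rec["tcontext"]), context_type(ctx)
        if logged != now:
            drift.append((rec["serial"], path, logged, now))
    return drift


if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE_AVC).items()):
        print("%s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(sorted(perms))))
    for serial, path, logged, now in find_label_drift(SAMPLE_AVC, SAMPLE_LS):
        print("denial %d on %s was logged as %s, node is now %s" % (serial, path, logged, now))
```

Run against the two samples, every denial shows up as drift (`device_t` logged, `null_device_t` or `console_device_t` now), which points at the nodes having been relabelled after the denials rather than at a genuine policy gap for `initrc_t` or `insmod_t`. On a real system the same check can be fed `ausearch -m avc` output and `ls -iZ` of the paths named in the denials.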