| 1 |
On Wednesday 03 June 2009 07:55:12 Eugen Wagner wrote: |
| 2 |
> Hello list! |
| 3 |
> a have something strange :-) I'm playing with selinux and i got a lot of |
| 4 |
> avc messages(the complete dmesg output is attached). I suppose the |
| 5 |
> reason of the most avc-messages is the wrong labeling, wrong |
| 6 |
> booleans-settings, missing modules ... But my problem is that i don't |
| 7 |
> understand how some messages can occur. |
| 8 |
> One these msg: |
| 9 |
> avc: denied { getattr } for pid=1 comm="init" name="initctl" dev=hda2 |
| 10 |
> ino=219229 scontext=system_u:system_r:init_t |
| 11 |
> tcontext=root:object_r:device_t tclass=fifo_file |
| 12 |
> But the fifo /dev/initctl has the context system_u:object_r:initctl_t |
| 13 |
> and the inode of /dev/initctl is 10609. |
| 14 |
> It looks as if udev after creating of /dev/... devices would first label |
| 15 |
> files in /dev as device_t, then init-process would access the file and |
| 16 |
> finally the /dev/initctl would be relabeled to initctl_t. |
| 17 |
> The similar story with /dev/null: |
| 18 |
> avc: denied { write } for pid=1126 comm="bash" name="null" dev=tmpfs |
| 19 |
> ino=1445 scontext=system_u:system_r:initrc_t |
| 20 |
> tcontext=system_u:object_r:device_t tclass=chr_file |
| 21 |
> but now the inode 1445 belongs to /dev/null |
| 22 |
> |
| 23 |
> I tried to relabel again and again(with 'rlpkg -a' and with 'make |
| 24 |
> restorelabels'), i restarted the machine a lot of times. |
| 25 |
> Any ideas? |
| 26 |
> |
| 27 |
> I'm using gentoo with hardened profile |
| 28 |
> (/usr/portage/profiles/selinux/2007.0/x86/hardened), reference-policy |
| 29 |
> version 20080402(compiled manually), xen-3.3 and kernel 2.6.21-xen |
| 30 |
> Sorry for my bad English :-) |
| 31 |
> |
| 32 |
> |
| 33 |
> Kind regards |
| 34 |
> Eugen |
| 35 |
I had similar issues a while back. The problem is that the static device |
| 36 |
nodes in /dev on your root filesystem do not have the proper labels. Once udev |
| 37 |
starts, it mounts its own fs over that location and replaces the files with |
| 38 |
correctly labeled nodes. |
| 39 |
Try booting with "init=/bin/bash", then run "mount -o remount,rw /". This |
| 40 |
should give you access to the static nodes in /dev, and you can relabel them |
| 41 |
with the correct contexts. |
| 42 |
|
| 43 |
Will Keaney |
Archives