| 1 |
Hello list! |
| 2 |
a have something strange :-) I'm playing with selinux and i got a lot of |
| 3 |
avc messages(the complete dmesg output is attached). I suppose the |
| 4 |
reason of the most avc-messages is the wrong labeling, wrong |
| 5 |
booleans-settings, missing modules ... But my problem is that i don't |
| 6 |
understand how some messages can occur. |
| 7 |
One these msg: |
| 8 |
avc: denied { getattr } for pid=1 comm="init" name="initctl" dev=hda2 |
| 9 |
ino=219229 scontext=system_u:system_r:init_t |
| 10 |
tcontext=root:object_r:device_t tclass=fifo_file |
| 11 |
But the fifo /dev/initctl has the context system_u:object_r:initctl_t |
| 12 |
and the inode of /dev/initctl is 10609. |
| 13 |
It looks as if udev after creating of /dev/... devices would first label |
| 14 |
files in /dev as device_t, then init-process would access the file and |
| 15 |
finally the /dev/initctl would be relabeled to initctl_t. |
| 16 |
The similar story with /dev/null: |
| 17 |
avc: denied { write } for pid=1126 comm="bash" name="null" dev=tmpfs |
| 18 |
ino=1445 scontext=system_u:system_r:initrc_t |
| 19 |
tcontext=system_u:object_r:device_t tclass=chr_file |
| 20 |
but now the inode 1445 belongs to /dev/null |
| 21 |
|
| 22 |
I tried to relabel again and again(with 'rlpkg -a' and with 'make |
| 23 |
restorelabels'), i restarted the machine a lot of times. |
| 24 |
Any ideas? |
| 25 |
|
| 26 |
I'm using gentoo with hardened profile |
| 27 |
(/usr/portage/profiles/selinux/2007.0/x86/hardened), reference-policy |
| 28 |
version 20080402(compiled manually), xen-3.3 and kernel 2.6.21-xen |
| 29 |
Sorry for my bad English :-) |
| 30 |
|
| 31 |
|
| 32 |
Kind regards |
| 33 |
Eugen |
Archives