On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
> I think that /dev/console has correct label (on --bind / /mn/gentoo) -
>
> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20
> 01:34 /mnt/gentoo/dev/console

Weird, your previous denial logs showed the following:

type=1400 audit(1329556527.347:3): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file

Either the mislabeling then was already solved, or the /dev on your root
file system isn't the same as the one that init found back then. Can you
check if /dev/console has inode 99?

> But for now I have one avc denial -- the /etc/init.d/sysctl cannot set
> kernel parameters, but direct calling of sysctl -p can. avc error is:
> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=capabilty

Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
capability for the initrc_t domain:

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this

I'll need to check the commit history to see if there was a particular
reason why it is explicitly not set.

Wkr,
Sven Vermeulen
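The reply above does two things by hand: it reads the fields out of an AVC denial (inode, source and target context, object class, the `capability=21` number behind `sys_admin`) and then checks the requested permission against the refpolicy `allow ... self:capability ~{ sys_admin sys_module };` rule, whose `~{ }` form grants every capability except the listed ones. The following is an added example, not code from the thread or from refpolicy: it parses AVC lines and simple `allow` statements and reports, per denied permission, whether any parsed rule would have granted it. The two log lines and three policy lines are reconstructed from the messages above (with `tclass=capability` spelled as the kernel prints it); the capability-number table is a subset of the Linux `capability.h` constants, and the rule evaluator is deliberately minimal (no attributes, no `dontaudit`, no conditional policy).

```python
import re

# Constructed sample input, reconstructed from the two denials quoted in the
# thread (the second with tclass spelled "capability" as the kernel emits it).
SAMPLE_AVC_LINES = [
    'type=1400 audit(1329556527.347:3): avc: denied { read write } for '
    'pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 '
    'scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t '
    'tclass=chr_file',
    'avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21 '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t '
    'tclass=capability',
]

# The refpolicy lines quoted in the reply, used here as the rule base.
REFPOLICY_LINES = [
    'allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };',
    'allow initrc_t self:capability ~{ sys_admin sys_module };',
    'dontaudit initrc_t self:capability sys_module; # sysctl is triggering this',
]

# Subset of Linux capability numbers (include/uapi/linux/capability.h);
# the audit "capability=N" field uses these numbers.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    6: "setgid", 7: "setuid", 12: "net_admin", 13: "net_raw",
    16: "sys_module", 18: "sys_chroot", 19: "sys_ptrace", 21: "sys_admin",
    22: "sys_boot", 27: "mknod",
}

AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<tail>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\w+)\s+'
    r'(?P<neg>~?)(?:\{\s*(?P<set>[^}]*)\}|(?P<one>\w+))\s*;')


def capability_name(number):
    """Map an audit 'capability=N' value to the SELinux permission name."""
    return CAPABILITY_NAMES.get(int(number), "cap_%s" % number)


def parse_avc(line):
    """Parse one AVC line into action, requested permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('tail'))}
    return {
        'action': m.group('action'),
        'perms': m.group('perms').split(),
        'fields': fields,
        'stype': fields['scontext'].split(':')[2],  # type component of the context
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def parse_allow_rule(text):
    """Parse 'allow src tgt:class perms;' with { }, ~{ } or a single permission."""
    m = RULE_RE.match(text)
    if not m:
        return None  # dontaudit, comments and other statements are ignored here
    raw = m.group('set') if m.group('set') is not None else m.group('one')
    return {'src': m.group('src'), 'tgt': m.group('tgt'), 'cls': m.group('cls'),
            'complement': m.group('neg') == '~', 'perms': set(raw.split())}


def rule_grants(rule, stype, ttype, tclass, perm):
    """True if this single allow rule grants perm for the (stype, ttype, tclass) triple."""
    if rule['src'] != stype or rule['cls'] != tclass:
        return False
    target_ok = ttype == stype if rule['tgt'] == 'self' else rule['tgt'] == ttype
    if not target_ok:
        return False
    listed = perm in rule['perms']
    return not listed if rule['complement'] else listed  # ~{ } means "everything except"


def explain_denial(record, rules):
    """For each denied permission, say whether any parsed allow rule would grant it."""
    return {perm: any(rule_grants(r, record['stype'], record['ttype'], record['tclass'], perm)
                      for r in rules)
            for perm in record['perms']}


def capability_consistent(record):
    """For tclass=capability, check that capability=N names the denied permission."""
    if record['tclass'] != 'capability' or 'capability' not in record['fields']:
        return None
    return capability_name(record['fields']['capability']) in record['perms']


if __name__ == '__main__':
    rules = [r for r in map(parse_allow_rule, REFPOLICY_LINES) if r]
    for line in SAMPLE_AVC_LINES:
        rec = parse_avc(line)
        print(rec['stype'], '->', rec['ttype'], rec['tclass'], explain_denial(rec, rules))
```

Running it reports `{'sys_admin': False}` for the sysctl denial, because the complemented set excludes exactly that capability, and `{'read': False, 'write': False}` for the console denial, where the target type `root_t` (not `console_device_t`) is the clue that the inode init opened was not the labelled device node. The same parser can be pointed at `ausearch -m avc` output to check a batch of denials against a few candidate rules before touching the policy.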