| 1 |
On Mon, Feb 20, 2012 at 07:17:02AM +0100, TomᨠDobrovolný wrote: |
| 2 |
> I think, that /dev/console has correct label (on --bind / /mn/gentoo) - |
| 3 |
> |
| 4 |
> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20 |
| 5 |
> 01:34 /mnt/gentoo/dev/console |
| 6 |
|
| 7 |
Weird, your previous denial logs showed the following: |
| 8 |
|
| 9 |
type=1400 audit(1329556527.347:3): avc: denied { read write } for |
| 10 |
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99 |
| 11 |
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t |
| 12 |
tclass=chr_file |
| 13 |
|
| 14 |
Either the mislabeling then was already solved, or the /dev on your root |
| 15 |
file system isn't the same as the one that init found back then. Can you |
| 16 |
check if /dev/console has inode 99? |
| 17 |
|
| 18 |
> But for now I have one avc denials -- the /etc/init.d/sysctl cannot set |
| 19 |
> kernel parameters, but direct calling of syctl -p can. avc error is: |
| 20 |
> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21 |
| 21 |
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t |
| 22 |
> tclass=capabilty |
| 23 |
|
| 24 |
Hmm... for some reason, refpolicy has explicitly disabled the sys_admin |
| 25 |
capability for the initrc_t domain: |
| 26 |
|
| 27 |
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; |
| 28 |
allow initrc_t self:capability ~{ sys_admin sys_module }; |
| 29 |
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this |
| 30 |
|
| 31 |
I'll need to check the commit history to see if there was a particular |
| 32 |
reason why it is explicitly not set. |
| 33 |
|
| 34 |
Wkr, |
| 35 |
Sven Vermeulen |
Archives