'unable to relabel' in /dev.... MAKEDEV-3.7-2, AVCs provided
Tom London
selinux at comcast.net
Tue Jun 15 22:07:36 UTC 2004
Relabeling works in permissive mode.

I worked around a broken sysklogd to get AVCs for this. These were
produced by running 'restorecon -v /dev/ircomm0; setenforce 0;
restorecon -v /dev/ircomm0':

audit(1087336052.916:0): avc: denied { relabelto } for pid=4459
exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075
scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t
tclass=chr_file

audit(1087336122.785:0): avc: granted { setenforce } for pid=4461
exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t
tcontext=system_u:object_r:security_t tclass=security

audit(1087336125.404:0): avc: denied { relabelto } for pid=4462
exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075
scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t
tclass=chr_file

I'm confused.... restorecon.te has entries:

allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };

The AVCs imply 'relabelto' is needed on the second line too, or is this
an issue with MAKEDEV creating the files improperly?

tom

Tom London wrote:
Tom London wrote:
> Running off of the development tree, MAKEDEV-3.7-2 creates lots of new
> files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates
> lots of error messages like:
>
> /dev/ptyu7: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyu7 to
> system_u:object_r:device_t
> /dev/ptyd7: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyd7 to
> system_u:object_r:device_t
> /dev/ptyde: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyde to
> system_u:object_r:device_t
> /dev/ptyac: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyac to
> system_u:object_r:device_t
> /dev/ptys1: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptys1 to
> system_u:object_r:device_t
> /dev/ircomm9: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ircomm9 to
> system_u:object_r:device_t
> /dev/ptyre: Permission denied
> /usr/sbin/setfiles: unable to relabel /dev/ptyre to
> system_u:object_r:device_t
>
> Here is an 'ls -l' of one of the files:
> [root at dell dev]# ls -l ptyu7
> crw-rw-rw- 1 root tty 2, 87 Jun 14 12:42 ptyu7
> [root at dell dev]# ls -lZ $_
> crw-rw-rw- root tty root:object_r:device_t ptyu7
> [root at dell dev]#
>
> I'm running selinux-policy-strict-1.13.4-6, with file_contexts
> augmented with Russell Coker's fix for /udev/microcode.
>
> tom
>
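
The AVC records quoted in the message can be reduced mechanically to the permission each denial asked for, which is what a policy reviewer compares against the rules in restorecon.te. The Python below is an added example, not part of the original post or of any SELinux tool; the function names parse_avcs and missing_rules are hypothetical, and it assumes the record layout shown in the post.

```python
import re
from collections import defaultdict

# AVC records copied from the post above, still wrapped as the mail wrapped them.
SAMPLE = """\
audit(1087336052.916:0): avc: denied { relabelto } for pid=4459
exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075
scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1087336122.785:0): avc: granted { setenforce } for pid=4461
exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t
tcontext=system_u:object_r:security_t tclass=security
audit(1087336125.404:0): avc: denied { relabelto } for pid=4462
exe=/sbin/restorecon name=ircomm0 dev=hdb3 ino=153075
scontext=root:sysadm_r:restorecon_t tcontext=system_u:object_r:device_t
tclass=chr_file
"""

RECORD = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avcs(text):
    """Yield one dict per AVC record, re-joining records wrapped across lines."""
    flat = " ".join(text.split())          # undo the mail client's line wrapping
    for chunk in flat.split("audit("):     # every record starts with "audit("
        m = RECORD.search(chunk)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield {"result": m.group(1), "perms": m.group(2).split(), **fields}

def missing_rules(text):
    """Group denials by (source type, target type, class) into candidate rules."""
    needed = defaultdict(set)
    for rec in parse_avcs(text):
        if rec["result"] != "denied":      # "granted" records need no rule
            continue
        src = rec["scontext"].split(":")[2]    # user:role:type -> type
        tgt = rec["tcontext"].split(":")[2]
        needed[(src, tgt, rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    print("\n".join(missing_rules(SAMPLE)))
```

The two identical denials collapse into a single candidate rule. The output only states what was denied; whether the policy or the labels on the MAKEDEV-created files should change is the question the post raises.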