kudzu (kmodule) and /dev/zero: latest rawhide issues....
Tom London
selinux at gmail.com
Mon Nov 8 16:40:14 UTC 2004
With the latest rawhide packages, kudzu has problems with /dev/zero
and /dev/mem.
kudzu generates:
Nov 7 17:20:13 fedora kernel: audit(1099847973.501:0): avc: denied
{ read } for pid=826 exe=/sbin/kmodule name=zero dev=tmpfs ino=3510
scontext=system_u:system_r:kudzu_t
tcontext=system_u:object_r:zero_device_t tclass=chr_file
Nov 7 17:20:13 fedora kernel: audit(1099847973.501:0): avc: denied
{ read } for pid=826 exe=/sbin/kmodule name=zero dev=tmpfs ino=3510
scontext=system_u:system_r:kudzu_t
tcontext=system_u:object_r:zero_device_t tclass=chr_file
After fixing this, it fails on mmap of /dev/zero, so I also need to
add execute.
Here's a patch:
--- SAVE/kudzu.te 2004-11-07 18:18:24.889196971 -0800
+++ ./kudzu.te 2004-11-07 18:18:52.095994659 -0800
@@ -18,6 +18,7 @@
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
+allow kudzu_t zero_device_t:chr_file { read execute };
allow kudzu_t proc_t:file { getattr read };
allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file
rw_file_perms;
allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
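Review bot: the added zero_device_t rule grants execute, but the denial quoted above logs only { read }, so nothing in the policy file records why execute is there. A one-line comment above the rule in kudzu.te saying that kmodule mmaps /dev/zero would keep a later reader from dropping it or widening it further. The hunk also leaves the { read write } access to memory_device_t unaddressed, so kmodule is still denied with this change alone.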
But, it now produces:
Nov 8 06:53:38 fedora kernel: audit(1099896764.946:0): avc: denied
{ read write } for pid=826 exe=/sbin/kmodule name=mem dev=tmpfs
ino=909 scontext=system_u:system_r:kudzu_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
Adding
allow kudzu_t memory_device_t:chr_file { read write };
produces
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 5 users, 6 roles, 1323 types, 31 bools
security: 53 classes, 313479 rules
assertion on line 269956 violated by allow kudzu_t
memory_device_t:chr_file { read write };
make: *** [/etc/selinux/strict/policy/policy.18] Error 1
Some help, please?
thanks,
tom
--
Tom London