pam_console_apply, udev, selinux, and /var

Orion Poplawski orion at cora.nwra.com
Thu Aug 10 16:07:44 UTC 2006


If you install FC (including FC6T2) with /var as a separate partition, 
you will get lots of the following at boot:

audit(1155060024.471:4): avc:  denied  { search } for  pid=496 
comm="pam_console_app" name="var" dev=hda2 ino=251905 
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 
tcontext=system_u:object_r:file_t:s0 tclass=dir

This is because pam_console_apply is being run before /var is mounted 
and the unmounted /var directory does not have the appropriate selinux 
context (var_t).  pam_console_apply is apparently looking for the file 
/var/run/console.lock.

I believe pam_console_apply is being run before /var is mounted by udev. 
udev is started before /var is mounted, and the following udev rule 
exists:

# cat /etc/udev/rules.d/95-pam-console.rules
ACTION=="add", SYSFS{dev}=="?*", KERNEL=="?*", 
RUN+="/sbin/pam_console_apply $env{DEVNAME} $env{DEVLINKS}"

Which appears to run pam_console_apply for every device, which would 
explain why there are so many messages.

Now, I think the proper solution is to have anaconda properly label the 
/var mount point var_t.  Indeed, putting "restorecon /var" early in 
rc.sysinit and rebooting a couple times has been the favored hack to this 
point and does not appear to result in any other error messages.  But 
I'm posting this here so that hopefully all of the various parties 
(initscripts, udev, anaconda, selinux, pam) have a chance to weigh in.

-- 
Orion Poplawski
System Administrator                  303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion at cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
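The following is an added example and is not part of the original post or of any Fedora component. It shows how to triage a flood of AVC denials like the one quoted above from a shell: it parses each "avc: denied" line, collapses identical denials (which is what one pam_console_apply run per udev-added device produces) into one line with a count, and flags denials whose target type is file_t, the type SELinux assigns to on-disk objects that carry no label at all. A denial against file_t means the object is unlabeled, so the right fix is relabeling (for example the "restorecon /var" hack above), not a policy change. The sample log lines are constructed for the example: the first two are modelled on the quoted message, the third is an unrelated made-up httpd denial for contrast; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage AVC denials and tell
# "object is unlabeled, relabel it" apart from "policy forbids this".

# Constructed sample audit lines (first two modelled on the quoted denial,
# third is a made-up httpd denial against a properly labeled file).
SAMPLE_AVC='audit(1155060024.471:4): avc:  denied  { search } for  pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1155060024.480:5): avc:  denied  { search } for  pid=501 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1155060030.100:9): avc:  denied  { write } for  pid=612 comm="httpd" name="index.html" dev=hda3 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in an AVC line, quotes stripped.
# The leading [[:space:]] keeps "tcontext=" from matching inside "scontext=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# se_type CONTEXT -> the type field (third colon-separated component),
# e.g. system_u:object_r:file_t:s0 -> file_t
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> "unlabeled" when the target carries no label
# (file_t, or unlabeled_t on later policies), otherwise "policy".
classify_avc() {
    t=$(se_type "$(avc_field "$1" tcontext)")
    case "$t" in
        file_t|unlabeled_t) echo unlabeled ;;
        *) echo policy ;;
    esac
}

# summarize_avc < LOG -> one line per distinct denial:
#   COUNT COMM NAME TCLASS TARGET_TYPE CLASSIFICATION
# Repeated denials (one per device, as with the udev rule above) collapse
# into a single line with their count.
summarize_avc() {
    while IFS= read -r line; do
        case "$line" in *"avc:  denied"*) ;; *) continue ;; esac
        printf '%s %s %s %s %s\n' \
            "$(avc_field "$line" comm)" \
            "$(avc_field "$line" name)" \
            "$(avc_field "$line" tclass)" \
            "$(se_type "$(avc_field "$line" tcontext)")" \
            "$(classify_avc "$line")"
    done | sort | uniq -c | sed 's/^ *//'
}

# count_unlabeled -> number of distinct denials in SAMPLE_AVC whose target
# is unlabeled, i.e. the ones a relabel rather than a policy change fixes.
count_unlabeled() {
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc | grep -c ' unlabeled$'
}

# Stand-alone run: print the summary of the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a real box, feed it the audit log instead of SAMPLE_AVC (for example `summarize_avc < /var/log/audit/audit.log`, or dmesg output on a system without auditd). Lines classified "unlabeled" on a directory that is a mount point are the signature of exactly the situation in the post: the mount point underneath was never labeled, and a `restorecon` of it at install time or early in boot is the fix, whereas "policy" lines point at a genuine policy gap.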




More information about the fedora-devel-list mailing list