
pam_console_apply, udev, selinux, and /var



If you install FC (including FC6T2) with /var as a separate partition, you will get lots of the following at boot:

audit(1155060024.471:4): avc: denied { search } for pid=496 comm="pam_console_app" name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir

This is because pam_console_apply is being run before /var is mounted and the unmounted /var directory does not have the appropriate selinux context (var_t). pam_console_apply is apparently looking for the file /var/run/console.lock.

I believe pam_console_apply is being run before /var is mounted by udev. udev is started before /var is mounted, and the following udev rule exists:

# cat /etc/udev/rules.d/95-pam-console.rules
ACTION=="add", SYSFS{dev}=="?*", KERNEL=="?*", RUN+="/sbin/pam_console_apply $env{DEVNAME} $env{DEVLINKS}"

This rule appears to run pam_console_apply for every device, which would explain why there are so many messages.

Now, I think the proper solution is to have anaconda properly label the /var mount point var_t. Indeed, putting "restorecon /var" early in rc.sysinit and rebooting a couple of times has been the favored hack to this point and does not appear to result in any other error messages. But I'm posting this here so that hopefully all of the various parties (initscripts, udev, anaconda, selinux, pam) have a chance to weigh in.

--
Orion Poplawski
System Administrator                  303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion cora nwra com
Boulder, CO 80301              http://www.cora.nwra.com
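The AVC denial quoted above has a tell-tale signature: the target context type is file_t, the default type a file gets when nothing in the policy has labelled it yet. A denial against file_t (or unlabeled_t) is a labelling problem to fix with restorecon, not a missing allow rule to add with audit2allow. The following script is an added example, not part of the original post or of any Fedora component: it parses audit/dmesg AVC lines, collapses the per-device repeats the udev rule produces into one row with a count, and marks each row as "relabel" or "policy". The sample log is constructed here (the first line is the one from the post; the others are made-up variants).

```python
import re
from dataclasses import dataclass

# Core of an audit line: "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted (comm="pam_console_app") or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Target types that indicate the object was never labelled by policy (file_t)
# or carries no label at all (unlabeled_t). A denial against these means
# "run restorecon", not "write a new allow rule".
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}


@dataclass
class AvcDenial:
    perms: list
    fields: dict

    def ctx_type(self, key):
        """Type component (third field) of a context like
        system_u:object_r:file_t:s0, or None if the key is missing."""
        ctx = self.fields.get(key)
        if ctx is None:
            return None
        parts = ctx.split(":")
        return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one log line; return an AvcDenial, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {}
    for key, val in KV_RE.findall(m.group("rest")):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return AvcDenial(perms=perms, fields=fields)


def triage(denial):
    """'relabel' when the target has a default/unlabelled type, else 'policy'."""
    if denial.ctx_type("tcontext") in UNLABELLED_TYPES:
        return "relabel"
    return "policy"


def summarize(lines):
    """Collapse repeated denials into a count keyed by
    (source type, target type, object class, permissions, verdict)."""
    counts = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (
            d.ctx_type("scontext"),
            d.ctx_type("tcontext"),
            d.fields.get("tclass"),
            " ".join(sorted(d.perms)),
            triage(d),
        )
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: line 1 is the denial from the post; line 2 is the same
# denial fired again for another device (different pid); line 3 is a made-up
# denial against an already-labelled target (var_run_t) that needs policy work;
# line 4 is a non-AVC boot message the parser must ignore.
SAMPLE_LOG = [
    'audit(1155060024.471:4): avc: denied { search } for pid=496 comm="pam_console_app" '
    'name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'audit(1155060024.512:5): avc: denied { search } for pid=503 comm="pam_console_app" '
    'name="var" dev=hda2 ino=251905 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'audit(1155060030.100:9): avc: denied { write } for pid=612 comm="example_daemon" '
    'name="console.lock" dev=hda3 ino=1040 scontext=system_u:system_r:pam_console_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'Starting udev: [ OK ]',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        src, tgt, cls, perms, verdict = key
        print(f"{n:4d}x  {src} -> {tgt} ({cls}: {perms})  => {verdict}")
```

Run on the sample, the two pam_console_t -> file_t rows fold into a single line with count 2 and the verdict "relabel", which is exactly the "restorecon /var" conclusion reached in the post; the var_run_t row comes out as "policy", because relabelling would not change anything there.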

