Long XFS filesystem avc errors on boot

Russell Coker russell at coker.com.au
Thu Apr 15 09:16:25 UTC 2004


On Thu, 15 Apr 2004 18:33, Dennis Gilmore <dennis at ausil.us> wrote:
> Apr 15 11:26:06 asgard kernel: audit(1081992347.449:0): avc:  denied
> { getattr } for  pid=774 exe=/sbin/pam_console_apply path=/dev/input/js2
> dev=hde2 ino=234962788 scontext=system_u:system_r:pam_console_t
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file

/dev/input/js* should have the type mouse_device_t.  Please do a "ls -Z" on 
them and tell me what it says.  NB: it is not going to say unlabeled_t; it 
will say whatever is on disk.  The kernel uses unlabeled_t if what's on disk 
makes no sense with the currently loaded policy.

> Apr 15 11:26:06 asgard kernel: audit(1081992347.464:0): avc:  denied
> { dac_override } for  pid=774 exe=/sbin/pam_console_apply capability=1
> scontext=system_u:system_r:pam_console_t
> tcontext=system_u:system_r:pam_console_t tclass=capability

What is it trying to do here?

> Apr 15 11:26:06 asgard kernel: audit(1081992347.464:0): avc:  denied
> { dac_read_search } for  pid=774 exe=/sbin/pam_console_apply capability=2
> scontext=system_u:system_r:pam_console_t
> tcontext=system_u:system_r:pam_console_t tclass=capability

The fact that it tries both in quick succession means that all it really 
wanted is read.

> Apr 15 11:26:06 asgard kernel: inode_doinit_with_dentry:  getxattr returned
> 13 for dev=hde2 ino=234962799

13 == EACCES?  That can't be right.  Steve, what do you think about this?

> Apr 15 11:27:19 asgard /sbin/mingetty[1796]: tty1: Operation not permitted
> Apr 15 11:27:19 asgard /sbin/mingetty[1797]: tty2: Operation not permitted
> Apr 15 11:27:19 asgard /sbin/mingetty[1798]: tty3: Operation not permitted
> Apr 15 11:27:19 asgard kernel: audit(1081992439.217:0): avc:  denied
> { fowner } for  pid=1796 exe=/sbin/mingetty capability=3
> scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t
> tclass=capability

Interesting.  Who owns your tty devices?

Granting this capability should not cause a problem so please test allowing 
this and see if it does some good.  We don't want to grant capabilities 
wildly, but this will be OK if there are cases that need it.

> Apr 15 11:27:19 asgard kernel: audit(1081992439.880:0): avc:  denied  {
> read } for  pid=1802 exe=/usr/bin/kdm name=mem dev=hde2 ino=33580795
> scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:memory_device_t
> tclass=chr_file
> Apr 15 11:27:19 asgard kdm[1802]: Cannot read randomFile "/dev/mem"; X
> cookies may be easily guessable

This one is already in bugzilla.  You could put an allow rule in custom.te if 
you want to reduce the noise.  But we deliberately don't want to allow this 
in the default policy.  kdm needs to be fixed (it was always broken).

> Apr 15 11:27:19 asgard kernel: audit(1081992439.921:0): avc:  denied
> { getattr } for  pid=1818 exe=/usr/X11R6/bin/Xorg path=/var/log/Xorg.0.log
> dev=hde2 ino=302135865 scontext=system_u:system_r:xdm_t
> tcontext=system_u:object_r:var_log_t tclass=file

Put the following in file_contexts/program/xserver.fc
/var/log/Xorg.*         --      system_u:object_r:xserver_log_t

I have attached a suitable xserver.fc file.

Then you have to relabel /var/log after rebuilding the file_contexts file.

Regarding the long message, all the messages after 11:27:19 appeared to be 
repeats.  The X server and getty will continue restarting forever, so they will 
produce an unlimited number of messages if they can't start up correctly.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
# X server
/dev/agpgart		-c	system_u:object_r:agp_device_t
/dev/dri(/.*)?			system_u:object_r:dri_device_t
/usr/X11R6/bin/Xwrapper	--	system_u:object_r:xserver_exec_t
/usr/X11R6/bin/X	--	system_u:object_r:xserver_exec_t
/usr/X11R6/bin/XFree86	--	system_u:object_r:xserver_exec_t
/usr/X11R6/bin/Xipaq	--	system_u:object_r:xserver_exec_t
/var/lib/xkb(/.*)?		system_u:object_r:var_lib_xkb_t
/usr/X11R6/lib(64)?/X11/xkb	-d	system_u:object_r:var_lib_xkb_t
/usr/X11R6/lib(64)?/X11/xkb/.* --	system_u:object_r:var_lib_xkb_t
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
/var/log/XFree86.*	--	system_u:object_r:xserver_log_t
# the log file is /var/log/Xorg.0.log and the match is case-sensitive
/var/log/Xorg.*		--	system_u:object_r:xserver_log_t
/etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
/tmp/\.X11-unix		-d	system_u:object_r:xdm_xserver_tmp_t
/tmp/\.X11-unix/.*	-s	<<none>>
/tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
/tmp/\.ICE-unix/.*	-s	<<none>>
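
As an added example (my own code, not from the thread or from the policy packages), a small Python parser for the kernel AVC denial format quoted above: it groups denials so that the restart-loop repeats mentioned in the reply collapse to one entry, and flags unlabeled_t targets and capability denials for the checks discussed above. The sample lines are constructed in the format of the quoted messages, with two extra repeats added.

```python
import re

# Constructed sample lines (not copied from the thread verbatim): single-line versions of
# the AVC denials quoted above, plus two later repeats from the restarting services.
SAMPLE_LOG = """\
Apr 15 11:26:06 asgard kernel: audit(1081992347.449:0): avc:  denied  { getattr } for  pid=774 exe=/sbin/pam_console_apply path=/dev/input/js2 dev=hde2 ino=234962788 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Apr 15 11:26:06 asgard kernel: inode_doinit_with_dentry:  getxattr returned 13 for dev=hde2 ino=234962799
Apr 15 11:27:19 asgard kernel: audit(1081992439.217:0): avc:  denied  { fowner } for  pid=1796 exe=/sbin/mingetty capability=3 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
Apr 15 11:27:19 asgard kernel: audit(1081992439.921:0): avc:  denied  { getattr } for  pid=1818 exe=/usr/X11R6/bin/Xorg path=/var/log/Xorg.0.log dev=hde2 ino=302135865 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:var_log_t tclass=file
Apr 15 11:27:25 asgard kernel: audit(1081992445.100:0): avc:  denied  { getattr } for  pid=1830 exe=/usr/X11R6/bin/Xorg path=/var/log/Xorg.0.log dev=hde2 ino=302135865 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:var_log_t tclass=file
Apr 15 11:27:31 asgard kernel: audit(1081992451.217:0): avc:  denied  { fowner } for  pid=1840 exe=/sbin/mingetty capability=3 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:getty_t tclass=capability
"""

# "avc:  denied  { perm [perm ...] } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the denial's fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = tuple(m.group("perms").split())
    return rec


def summarize(text):
    """Group denials by (exe, perms, scontext, tcontext, tclass) and annotate each group."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("exe"), rec["perms"], rec["scontext"], rec["tcontext"], rec["tclass"])
        g = groups.setdefault(key, {"count": 0, "pids": set(), "notes": set()})
        g["count"] += 1
        g["pids"].add(rec.get("pid"))
        if rec["tcontext"].endswith(":unlabeled_t"):
            # On-disk label unknown to the loaded policy: check file_contexts and relabel.
            g["notes"].add("unlabeled target: check ls -Z and relabel")
        if rec["tclass"] == "capability":
            # Capabilities are granted sparingly; confirm the program really needs it.
            g["notes"].add("capability denial: review before allowing")
    for g in groups.values():
        if len(g["pids"]) > 1:
            # The same denial from new pids means a service respawning on one root cause.
            g["notes"].add("repeats across pids: restart loop, one root cause")
    return groups
```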