.525 kernel and strict/enforcing (!?!?)

Tom London selinux at comcast.net
Sat Aug 21 18:43:29 UTC 2004


Wow, the new kernel (.525) seems to not quite work with strict/enforcing.
(Took me a while to recover, so tread carefully!)

It manages to boot with strict/permissive, but there are hordes of
avc messages....  Here are just the first....

Also, I notice that the initrd for .525 is about 625KB, compared
with about 180KB for previous versions.

Is it running udev, etc., off of the initrd?

tom

> Aug 21 11:28:46 fedora kernel: SELinux: initialized (dev rootfs, type 
> rootfs), uses genfs_contexts
> Aug 21 11:28:46 fedora kernel: SELinux: initialized (dev sysfs, type 
> sysfs), uses genfs_contexts
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc:  denied  
> { read write } for  pid=1 exe=/sbin/init path=/dev/console dev=ramfs 
> ino=847 scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc:  denied  
> { read } for  pid=1 exe=/sbin/init path=/init dev=rootfs ino=17 
> scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087655.963:0): avc:  denied  
> { ioctl } for  pid=1 exe=/sbin/init path=/dev/tty0 dev=ramfs ino=1126 
> scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { write } for  pid=1 exe=/sbin/init dev=ramfs ino=846 
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { add_name } for  pid=1 exe=/sbin/init name=initctl 
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { create } for  pid=1 exe=/sbin/init name=initctl 
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t 
> tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { read write } for  pid=1 exe=/sbin/init name=initctl dev=ramfs 
> ino=1787 scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:ramfs_t tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  
> { getattr } for  pid=1 exe=/sbin/init path=/dev/initctl dev=ramfs 
> ino=1787 scontext=system_u:system_r:init_t 
> tcontext=system_u:object_r:ramfs_t tclass=fifo_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.094:0): avc:  denied  
> { read write } for  pid=403 exe=/bin/hostname path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:hostname_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.565:0): avc:  denied  
> { read write } for  pid=449 exe=/bin/mount path=/dev/console dev=ramfs 
> ino=847 scontext=system_u:system_r:mount_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.566:0): avc:  denied  
> { search } for  pid=449 exe=/bin/mount dev=ramfs ino=846 
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc:  denied  
> { search } for  pid=451 exe=/bin/bash dev=ramfs ino=846 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc:  denied  
> { read write } for  pid=451 exe=/bin/bash name=tty dev=ramfs ino=1120 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.898:0): avc:  denied  
> { read write } for  pid=513 exe=/sbin/consoletype path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.899:0): avc:  denied  
> { getattr } for  pid=513 exe=/sbin/consoletype path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087657.900:0): avc:  denied  
> { ioctl } for  pid=513 exe=/sbin/consoletype path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:consoletype_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  
> { read write } for  pid=536 exe=/sbin/minilogd path=/dev/null 
> dev=ramfs ino=848 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  
> { use } for  pid=536 exe=/sbin/minilogd path=/init dev=rootfs ino=17 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:system_r:kernel_t tclass=fd
> Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  
> { search } for  pid=536 exe=/sbin/minilogd dev=ramfs ino=846 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { write } for  pid=536 exe=/sbin/minilogd dev=ramfs ino=846 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { add_name } for  pid=536 exe=/sbin/minilogd name=log 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { create } for  pid=536 exe=/sbin/minilogd name=log 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.599:0): avc:  denied  
> { getattr } for  pid=540 exe=/sbin/minilogd path=/dev/log dev=ramfs 
> ino=2057 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc:  denied  
> { read write } for  pid=538 exe=/sbin/udev name=.udev.tdb dev=ramfs 
> ino=855 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc:  denied  
> { lock } for  pid=538 exe=/sbin/udev path=/dev/.udev.tdb dev=ramfs 
> ino=855 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.614:0): avc:  denied  
> { getattr } for  pid=538 exe=/sbin/udev path=/dev/.udev.tdb dev=ramfs 
> ino=855 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.665:0): avc:  denied  
> { write } for  pid=538 exe=/sbin/udev name=log dev=ramfs ino=2057 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc:  denied  
> { write } for  pid=538 exe=/sbin/udev dev=ramfs ino=846 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc:  denied  
> { add_name } for  pid=538 exe=/sbin/udev name=input 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.666:0): avc:  denied  
> { create } for  pid=538 exe=/sbin/udev name=input 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc:  denied  
> { create } for  pid=538 exe=/sbin/udev name=event0 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc:  denied  
> { setattr } for  pid=538 exe=/sbin/udev name=event0 dev=ramfs ino=2069 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.059:0): avc:  denied  
> { read write } for  pid=546 exe=/sbin/restorecon path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:restorecon_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.061:0): avc:  denied  
> { getattr } for  pid=546 exe=/sbin/restorecon path=/dev/input/event0 
> dev=ramfs ino=2069 scontext=system_u:system_r:restorecon_t 
> tcontext=system_u:object_r:ramfs_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087659.226:0): avc:  denied  
> { getattr } for  pid=547 exe=/sbin/udev path=/dev/input dev=ramfs 
> ino=2066 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087661.046:0): avc:  denied  
> { write } for  pid=540 exe=/sbin/minilogd name=log dev=ramfs ino=2057 
> scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.320:0): avc:  denied  
> { getattr } for  pid=568 exe=/sbin/udev path=/dev/full dev=ramfs 
> ino=883 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.320:0): avc:  denied  
> { setattr } for  pid=568 exe=/sbin/udev name=full dev=ramfs ino=883 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087661.893:0): avc:  denied  
> { create } for  pid=596 exe=/sbin/udev name=XOR 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=lnk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087667.935:0): avc:  denied  
> { remove_name } for  pid=897 exe=/sbin/udev name=vcs1 dev=ramfs 
> ino=1564 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087667.935:0): avc:  denied  
> { unlink } for  pid=897 exe=/sbin/udev name=vcs1 dev=ramfs ino=1564 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087668.270:0): avc:  denied  
> { unlink } for  pid=919 exe=/sbin/udev name=vcsa1 dev=ramfs ino=2889 
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t 
> tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.159:0): avc:  denied  
> { getattr } for  pid=1476 exe=/sbin/udev path=/dev/vcs1 dev=ramfs 
> ino=3133 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:ramfs_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.590:0): avc:  denied  
> { getattr } for  pid=1497 exe=/sbin/udev path=/dev/hda dev=ramfs 
> ino=1582 scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=blk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087679.590:0): avc:  denied  
> { setattr } for  pid=1497 exe=/sbin/udev name=hda dev=ramfs ino=1582 
> scontext=system_u:system_r:udev_t 
> tcontext=system_u:object_r:unlabeled_t tclass=blk_file
> Aug 21 11:28:46 fedora kernel: audit(1093087682.418:0): avc:  denied  
> { remove_name } for  pid=1637 exe=/sbin/minilogd name=log dev=ramfs 
> ino=2057 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087682.418:0): avc:  denied  
> { unlink } for  pid=1637 exe=/sbin/minilogd name=log dev=ramfs 
> ino=2057 scontext=system_u:system_r:syslogd_t 
> tcontext=system_u:object_r:ramfs_t tclass=sock_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.376:0): avc:  denied  
> { read write } for  pid=1836 exe=/bin/dmesg path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:dmesg_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.406:0): avc:  denied  
> { mounton } for  pid=1837 exe=/bin/mount path=/dev/pts dev=ramfs 
> ino=850 scontext=system_u:system_r:mount_t 
> tcontext=system_u:object_r:unlabeled_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087683.700:0): avc:  denied  
> { read write } for  pid=1849 exe=/sbin/hwclock path=/dev/console 
> dev=ramfs ino=847 scontext=system_u:system_r:hwclock_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc:  denied  
> { search } for  pid=1849 exe=/sbin/hwclock dev=ramfs ino=846 
> scontext=system_u:system_r:hwclock_t 
> tcontext=system_u:object_r:ramfs_t tclass=dir
> Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc:  denied  
> { ioctl } for  pid=1849 exe=/sbin/hwclock path=/dev/rtc dev=ramfs 
> ino=941 scontext=system_u:system_r:hwclock_t 
> tcontext=system_u:object_r:unlabeled_t tclass=chr_file
> Aug 21 11:28:46 fedora kernel: ACPI: Power Button (FF) [PWRF]
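A small triage script for the denials above, added here as an example; it is not from the post and not a Fedora or SELinux tool. It rejoins a handful of the quoted records (the mail client wrapped them mid-record), parses the 2004-era `audit(...): avc:  denied  { perms } for key=value ...` format, groups the records by (source type, target type, class) the way audit2allow does before emitting rules, and counts how many targets carry the generic `unlabeled_t` / `ramfs_t` types and sit on `dev=ramfs`. The regexes, the helper names and the choice of sample records are this example's own; the record text is copied from the post.

```python
"""Triage of the AVC denials quoted in the post above (added example, not from the post)."""
import re
from collections import defaultdict

# Records copied from the post and rejoined onto one line each, plus the one
# non-AVC kernel line from the end of the paste to show the parser skips it.
SAMPLE_LOG = """\
Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc:  denied  { read write } for  pid=1 exe=/sbin/init path=/dev/console dev=ramfs ino=847 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Aug 21 11:28:46 fedora kernel: audit(1093087655.962:0): avc:  denied  { read } for  pid=1 exe=/sbin/init path=/init dev=rootfs ino=17 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=file
Aug 21 11:28:46 fedora kernel: audit(1093087656.509:0): avc:  denied  { create } for  pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file
Aug 21 11:28:46 fedora kernel: audit(1093087657.640:0): avc:  denied  { search } for  pid=451 exe=/bin/bash dev=ramfs ino=846 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t tclass=dir
Aug 21 11:28:46 fedora kernel: audit(1093087658.598:0): avc:  denied  { use } for  pid=536 exe=/sbin/minilogd path=/init dev=rootfs ino=17 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=fd
Aug 21 11:28:46 fedora kernel: audit(1093087658.679:0): avc:  denied  { create } for  pid=538 exe=/sbin/udev name=event0 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:ramfs_t tclass=chr_file
Aug 21 11:28:46 fedora kernel: audit(1093087683.406:0): avc:  denied  { mounton } for  pid=1837 exe=/bin/mount path=/dev/pts dev=ramfs ino=850 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Aug 21 11:28:46 fedora kernel: audit(1093087683.701:0): avc:  denied  { ioctl } for  pid=1849 exe=/sbin/hwclock path=/dev/rtc dev=ramfs ino=941 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Aug 21 11:28:46 fedora kernel: ACPI: Power Button (FF) [PWRF]
"""

# Old-style AVC record: "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "no real label was ever assigned", as opposed to a
# device type the policy actually knows about.
GENERIC_TARGET_TYPES = {"unlabeled_t", "ramfs_t"}


def parse_avc(line):
    """Return the record's key=value fields plus a 'perms' set, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group(2)))
    rec["perms"] = frozenset(m.group(1).split())
    return rec


def ctx_type(ctx):
    """user:role:type -> type (e.g. system_u:object_r:unlabeled_t -> unlabeled_t)."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Merge permissions per (source type, target type, class), audit2allow-style."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        groups[key] |= rec["perms"]
    return dict(groups)


def allow_rules(groups):
    """The rules audit2allow would emit; shown only to make the wrong fix visible."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in groups.items()
    )


def labeling_share(log_text):
    """(denials whose target type is generic/unlabeled, total denials)."""
    recs = list(filter(None, map(parse_avc, log_text.splitlines())))
    hits = sum(ctx_type(r["tcontext"]) in GENERIC_TARGET_TYPES for r in recs)
    return hits, len(recs)


def ramfs_dev_paths(log_text):
    """Object names the kernel reports as living on dev=ramfs (the initrd's /dev)."""
    names = set()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if rec.get("dev") == "ramfs":
            obj = rec.get("path") or rec.get("name")
            if obj:
                names.add(obj)
    return sorted(names)


if __name__ == "__main__":
    hits, total = labeling_share(SAMPLE_LOG)
    print(f"{hits}/{total} denials target unlabeled_t or ramfs_t")
    print("objects on dev=ramfs:", ", ".join(ramfs_dev_paths(SAMPLE_LOG)))
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print("  ", rule)
```

On the sample the summary shows the same pattern the full paste does: almost every target is a node under /dev, the kernel reports it on dev=ramfs, and its context is unlabeled_t or ramfs_t rather than a device type. That is a labeling problem, not a missing permission. The `allow_rules()` output is what audit2allow would hand back, and feeding it into the policy would be the wrong fix: it would let init_t, udev_t, mount_t and friends touch anything unlabeled, and strict/enforcing would still be running with a /dev the policy cannot distinguish. Getting those nodes labeled once policy is loaded is what a practitioner should be chasing here.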

More information about the fedora-selinux-list mailing list