haldaemon, run_init

Tom London selinux at comcast.net
Thu Sep 16 18:06:07 UTC 2004 

Running strict/enforcing w/ latest from Dan's tree.
When haldaemon starts:

Sep 16 07:52:29 fedora haldaemon: haldaemon startup succeeded
Sep 16 07:52:30 fedora fstab-sync[3132]: removed all generated mount points
Sep 16 07:52:30 fedora kernel: audit(1095346350.044:0): avc:  denied  { 
execute } for  pid=3134 exe=/usr/sbin/hald name=bash dev=hda2 ino=229395 
scontext=system_u:system_r:hald_t 
tcontext=system_u:object_r:shell_exec_t tclass=file
Sep 16 07:52:30 fedora mdmonitor: mdadm startup succeeded

Believe the AVC is generated when hald tries to run hal_lpadmin from
/etc/hal/device.d/printer_remove.hal

When I put system into permissive mode and restart haldaemon, I get
(sorry for running this as root, but run_init seems busted:
Sep 16 11:03:12 fedora kernel: audit(1095357792.163:0): avc:  denied  { 
use } for  pid=4262 exe=/usr/sbin/run_init path=/dev/pts/2 dev=devpts 
ino=4 scontext=root:sysadm_r:run_init_t tcontext=user_u:user_r:user_t 
tclass=fd
Sep 16 11:03:12 fedora last message repeated 2 times
Sep 16 11:03:12 fedora run_init(pam_unix)[4262]: authentication failure; 
logname= uid=0 euid=0 tty= ruser= rhost=  user=root
)

Here are the permissive AVCs:
Sep 16 10:44:43 fedora kernel: audit(1095356683.853:0): avc:  denied  { 
relabelfrom } for  pid=8333 exe=/usr/sbin/fstab-sync name=fstab dev=hda2 
ino=4475247 scontext=root:system_r:updfstab_t 
tcontext=root:object_r:etc_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.854:0): avc:  denied  { 
relabelto } for  pid=8333 exe=/usr/sbin/fstab-sync name=fstab dev=hda2 
ino=4475247 scontext=root:system_r:updfstab_t 
tcontext=system_u:object_r:etc_t tclass=file
Sep 16 10:44:43 fedora fstab-sync[8333]: removed all generated mount points
Sep 16 10:44:43 fedora kernel: audit(1095356683.893:0): avc:  denied  { 
execute } for  pid=8335 exe=/usr/sbin/hald name=bash dev=hda2 ino=229395 
scontext=root:system_r:hald_t tcontext=system_u:object_r:shell_exec_t 
tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.894:0): avc:  denied  { 
read } for  pid=8335 exe=/usr/sbin/hald path=/bin/bash dev=hda2 
ino=229395 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:shell_exec_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.899:0): avc:  denied  { 
execute } for  pid=8336 exe=/bin/bash name=hal_lpadmin dev=hda2 
ino=278545 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:sbin_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.900:0): avc:  denied  { 
execute_no_trans } for  pid=8336 exe=/bin/bash 
path=/usr/sbin/hal_lpadmin dev=hda2 ino=278545 
scontext=root:system_r:hald_t tcontext=system_u:object_r:sbin_t tclass=file
Sep 16 10:44:43 fedora kernel: audit(1095356683.900:0): avc:  denied  { 
read } for  pid=8336 exe=/bin/bash path=/usr/sbin/hal_lpadmin dev=hda2 
ino=278545 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:sbin_t tclass=file
Sep 16 10:44:44 fedora kernel: audit(1095356684.672:0): avc:  denied  { 
search } for  pid=8381 exe=/usr/libexec/hal-hotplug-map name=hotplug 
dev=hda2 ino=4472955 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Sep 16 10:44:44 fedora kernel: audit(1095356684.674:0): avc:  denied  { 
read } for  pid=8381 exe=/usr/libexec/hal-hotplug-map name=usb.usermap 
dev=hda2 ino=4474609 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:hotplug_etc_t tclass=file
Sep 16 10:44:44 fedora kernel: audit(1095356684.674:0): avc:  denied  { 
getattr } for  pid=8381 exe=/usr/libexec/hal-hotplug-map 
path=/etc/hotplug/usb.usermap dev=hda2 ino=4474609 
scontext=root:system_r:hald_t tcontext=system_u:object_r:hotplug_etc_t 
tclass=file
Sep 16 10:44:45 fedora kernel: audit(1095356685.450:0): avc:  denied  { 
use } for  pid=8430 exe=/bin/mount path=pipe:[13184] dev=pipefs 
ino=13184 scontext=user_u:user_r:user_mount_t 
tcontext=system_u:system_r:xdm_t tclass=fd
Sep 16 10:44:45 fedora kernel: audit(1095356685.450:0): avc:  denied  { 
write } for  pid=8430 exe=/bin/mount path=pipe:[13184] dev=pipefs 
ino=13184 scontext=user_u:user_r:user_mount_t 
tcontext=system_u:system_r:xdm_t tclass=fifo_file
Sep 16 10:44:46 fedora kernel: audit(1095356686.042:0): avc:  denied  { 
execute } for  pid=8330 exe=/usr/sbin/hald name=printer_update.hal 
dev=hda2 ino=280646 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:etc_t tclass=file
Sep 16 10:44:46 fedora kernel: audit(1095356686.075:0): avc:  denied  { 
read write } for  pid=8330 exe=/usr/sbin/hald name=lp0 dev=tmpfs 
ino=6883 scontext=root:system_r:hald_t 
tcontext=system_u:object_r:printer_device_t tclass=chr_file
Sep 16 10:44:46 fedora kernel: audit(1095356686.121:0): avc:  denied  { 
execute_no_trans } for  pid=8479 exe=/usr/sbin/hald 
path=/etc/hal/capability.d/printer_update.hal dev=hda2 ino=280646 
scontext=root:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file
Sep 16 10:44:46 fedora kernel: audit(1095356686.140:0): avc:  denied  { 
ioctl } for  pid=8479 exe=/bin/bash 
path=/etc/hal/capability.d/printer_update.hal dev=hda2 ino=280646 
scontext=root:system_r:hald_t tcontext=system_u:object_r:etc_t tclass=file

More information about the fedora-selinux-list mailing list