selinux-policy-targeted-1.23.12-4: /proc {search} failures ?
Tom London
selinux at gmail.com
Sat Apr 23 20:24:33 UTC 2005
Running targeted/enforcing, latest rawhide.
Rebooting after today's updates (including .1261 and
selinux-policy-targeted-1.23.12-4), graphical logins fail.
Looks like search access to /proc/PROCESS-ID directories is failing.
(Also shows an early hotplug attempt at writing to sysfs_t.)
I worked around this by doing an 'ALT-CTL-F2', and logging in on the
text console, and doing a 'setenforce 0'. Reverting to graphical via
'ALT-CTL-F7' now allows login.
/var/log/messages shows a very large number of AVCs, including many
that look like:
Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated /etc/resolv.conf
and
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=4 dev=proc ino=262146 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
<<<<SNIP many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2111 dev=proc ino=138346498 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2476 dev=proc ino=162267138 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2530 dev=proc ino=165806082 scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2575 dev=proc ino=168755202 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
<<<<SNIP many, many.... >>>>
etc. etc.
Is this a policy change, or did something else change? Or, did I just
botch it again?
thanks,
tom
--
Tom London
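Editor's note (added example, not part of Tom's post or of the selinux-policy package): when a boot produces hundreds of AVC records like the ones above, the useful first step is to collapse them by (source type, target type, object class) and see how few distinct rules are actually involved, before deciding between "setenforce 0" and a policy fix. The script below does that over a handful of constructed sample lines modelled on the post's records (not a capture), reports which denials are /proc/<pid> directories (those directories carry the context of the process they describe, which is why "tclass=dir" denials show a process domain such as kernel_t or initrc_t as the target), and renders each group as the allow rule audit2allow would propose. The rule output is for review only; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the AVC lines in the post (not a real capture).
SAMPLE_LOG = """\
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:  denied  { write } for  name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:  denied  { write } for  name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:  denied  { search } for  name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2111 dev=proc ino=138346498 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key=value ..."; tolerant of the
# double spaces the kernel emits and of the single spaces left by mail wrapping.
AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record (keys from the record plus 'action' and 'perms'), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["action"] = m.group("action")
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """Type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def is_proc_pid_dir(rec):
    """True when the denied object is /proc/<pid>: a directory on procfs whose name is a PID.
    Such directories are labelled with the context of the process, so tcontext is a domain."""
    return rec.get("dev") == "proc" and rec.get("tclass") == "dir" and rec.get("name", "").isdigit()


def summarize(text):
    """Group denials by (source type, target type, class).
    Returns {key: {'perms': set, 'count': int, 'proc_pid': int, 'names': set}}."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "proc_pid": 0, "names": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["names"].add(rec.get("name", "?"))
        if is_proc_pid_dir(rec):
            g["proc_pid"] += 1
    return dict(groups)


def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose.  Review before use:
    a rule this broad may be the wrong fix (e.g. a mislabelled object rather than missing policy)."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for (src, tgt, cls), g in sorted(groups.items()):
        tag = " (/proc/<pid> dirs)" if g["proc_pid"] == g["count"] else ""
        print(f"{g['count']:4d}  {src} -> {tgt}:{cls} {sorted(g['perms'])}{tag}")
    print()
    print("\n".join(allow_rules(groups)))
```

Run against a real /var/log/messages (or audit.log) instead of SAMPLE_LOG and the "many, many" records in the post reduce to a few init_t -> <domain>:dir search groups plus one hotplug_t -> sysfs_t:dir write group, which is the shape of question to take to the policy maintainers.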