Help with avc's on /init

Stephen Smalley sds at tycho.nsa.gov
Wed Jul 13 14:32:38 UTC 2005


On Wed, 2005-07-13 at 15:23 +0100, Ruth Ivimey-Cook wrote:
> Thanks. I wondered if it was in initramfs, but it's hard to check. Is there
> anything I can do to shut it up?

Looks like there is already a dontaudit rule in init.te for file
descriptors inherited from the rootfs, but that dontaudit rule only
deals with the file checks, not the descriptor use check.  So I'd add:
	dontaudit init_t kernel_t:fd use;

But I also see that init_t is unconfined in targeted policy (unlike
strict), so that would mean that /sbin/init is being allowed to inherit
the descriptor, so it is then passed along to all of its children.
Which means you'd have to essentially dontaudit it for all domains to
suppress, e.g.
	dontaudit domain kernel_t:fd use;

Regardless, it should be bracketed with some ifdef, e.g.
hide_broken_symptoms, because this does reflect a base kernel bug (not a
bug in SELinux, but descriptor leakage by the base kernel) that needs to
be fixed.

-- 
Stephen Smalley
National Security Agency
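The bracketed rule described above, written out as a stand-alone local policy module (an added example, not code from the post or from the Fedora policy; it assumes the reference-policy macros policy_module and gen_require are available, and the module name local_kernelfd is a placeholder):

```m4
# Constructed example: local module that silences the "use" denial on the
# descriptor leaked from kernel_t, only when the policy is built with
# hide_broken_symptoms defined. Build with the reference-policy Makefile,
# e.g. make -f /usr/share/selinux/devel/Makefile, then semodule -i.
policy_module(local_kernelfd, 1.0)

gen_require(`
	attribute domain;
	type kernel_t;
')

# Keep the denial visible in normal builds: it points at a descriptor leak
# in the base kernel that should be fixed rather than hidden.
ifdef(`hide_broken_symptoms',`
	# Because init_t is unconfined in targeted policy, /sbin/init keeps the
	# descriptor and every child domain inherits it, so the suppression has
	# to cover the whole domain attribute, not just init_t.
	dontaudit domain kernel_t:fd use;
')
```

Rebuilding with `make ... D="-Dhide_broken_symptoms"` is one way to define the symbol for a local build; without it the dontaudit is compiled out and the AVC messages keep appearing.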



