selinux and udev ?

Daniel J Walsh dwalsh at redhat.com
Tue Nov 29 20:01:41 UTC 2005


Nicolas Mailhot wrote:
> On Tuesday 29 November 2005 at 13:23 -0500, Stephen Smalley wrote:
>   
>> On Tue, 2005-11-29 at 18:56 +0100, Nicolas Mailhot wrote:
>>     
>>> On Tuesday 29 November 2005 at 11:48 -0500, Stephen Smalley wrote:
>>>       
>>>> On Tue, 2005-11-29 at 08:20 -0800, Tom London wrote:
>>>>         
>>>>> There are reports in fedora-test about the 2.X policy slowing down
>>>>> udev. (Appears that folks are comparing booting with selinux=1 with
>>>>> selinux=0).
>>>>>
>>>>> I have to admit that udev is running slower (targeted/enforcing).
>>>>>
>>>>> Any validity to this?  Known issue? How to track down?
>>>>>           
>>>> First, check whether you have any avc denials associated with udev in
>>>> your audit.log.
>>>>         
>>> There are certainly many denials with the new 2.0 policy, including udev
>>> stuff (at least it was the case a week ago). I've posted 2.0 audit logs
>>> many times in bugzilla.
>>>       
>> I think many of those avc issues have been resolved, although there may
>> still be lingering ones.  I think that the udev slowdown is more likely
>> matchpathcon / file_contexts issues.
>>     
>
> The udev denial seems fixed with selinux-policy-targeted-2.0.6-1. So
> things get (slowly) fixed. But most issues are still there:
>
> audit2allow < /var/log/audit/audit.log
> allow dovecot_auth_t var_lib_t:dir search;
> allow system_chkpwd_t devpts_t:chr_file { read write };
> allow procmail_t spamd_port_t:tcp_socket name_connect;
> allow updfstab_t tmpfs_t:dir getattr;
> allow dovecot_auth_t etc_runtime_t:file read;
> allow spamd_t port_t:udp_socket name_bind;
> (this bit is the spamassassin resolver issue Steven Stern just reported
> for FC4. It was briefly fixed in Rawhide, then regressed to broken stage
> with the 2.x policy change)
>
> (generated on a clean fully relabeled system after 3 min of activity)
>
> That's almost the same list I had with selinux-policy-targeted-2.0.0
>
> Regards,
selinux-policy-2.0.6-2 should fix most of those.  Available on
ftp://people.redhat.com/dwalsh/SELinux/Fedora
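
The first step suggested in the thread (check audit.log for AVC denials tied to udev) and the audit2allow-style summary quoted above, sketched as an added example that is not part of the original messages. The sample log lines are constructed and the function names are hypothetical; this is not the audit2allow implementation.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative, not from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1133290801.101:12): avc:  denied  { getattr } for  pid=412 comm="udevd" name="shm" dev=tmpfs ino=900 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t tclass=dir
type=AVC msg=audit(1133290802.210:13): avc:  denied  { read } for  pid=2290 comm="unix_chkpwd" name="0" dev=devpts ino=2 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133290802.211:14): avc:  denied  { write } for  pid=2290 comm="unix_chkpwd" name="0" dev=devpts ino=2 scontext=system_u:system_r:system_chkpwd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1133290803.050:15): avc:  denied  { search } for  pid=2101 comm="dovecot-auth" name="lib" dev=dm-0 ino=4711 scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=AVC msg=audit(1133290803.900:16): avc:  granted  { setenforce } for  pid=3001 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=SYSCALL msg=audit(1133290803.050:15): arch=40000003 syscall=5 success=no exit=-13 comm="dovecot-auth"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def parse_denials(text):
    """Yield one dict per AVC denial; granted and non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        if not {'scontext', 'tcontext', 'tclass'} <= f.keys():
            continue  # truncated record, nothing to summarise
        yield {'perms': m.group('perms').split(), 'comm': f.get('comm', ''),
               'source': _type_of(f['scontext']),
               'target': _type_of(f['tcontext']), 'tclass': f['tclass']}

def denials_for(text, needle):
    """Denials whose command name or source domain mentions `needle`."""
    return [d for d in parse_denials(text)
            if needle in d['comm'] or needle in d['source']]

def allow_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style lines."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(denials_for(SAMPLE_LOG, 'udev'))))
```

The generated lines are a summary of what was denied, useful for comparing policy versions as the thread does; whether any of them belongs in policy is a separate review.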

