mknod denials, avcs from dmesg please help

Antonio Olivares olivares14031 at yahoo.com
Mon Jun 4 18:30:43 UTC 2007


Dear Selinux experts,

   I have successfully loaded Fedora 7 on a machine that refused to boot it with a kernel panic.  I am on track with it but selinux is getting in my way.

I have done

[root at localhost ~]# restorecon -v /
[root at localhost ~]# touch /.autorelabel; reboot

three times and still these avcs refuse to go away.

Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them.  This can indicate a
    labeling problem, especially if the files being referred to  are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:consolekit_t
Target Context                system_u:object_r:default_t
Target Objects                root [ dir ]
Affected RPM Packages         ConsoleKit-x11-0.2.1-2.fc7
                              [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 03 Jun 2007 11:10:16 PM CDT
Last Seen                     Sun 03 Jun 2007 11:10:16 PM CDT
Local ID                      2ea0300c-de6c-4cb1-a4a7-edbca6d8fcf1
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0
exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0
subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /bin/mknod (insmod_t) "write" to / (device_t).

Detailed Description
    SELinux denied access requested by /bin/mknod. It is not expected that this
    access is required by /bin/mknod and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /, restorecon -v / If this does
    not work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:insmod_t
Target Context                system_u:object_r:device_t
Target Objects                / [ dir ]
Affected RPM Packages         coreutils-6.9-2.fc7
                              [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 03 Jun 2007 11:52:01 PM CDT
Last Seen                     Sun 03 Jun 2007 11:52:01 PM CDT
Local ID                      2f4ccd0d-5eab-4194-9ce2-9b424aed8163
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2893
scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0


Here they are again from dmesg.

audit(1180944508.786:4): avc:  denied  { write } for  pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

and

SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:8): avc:  denied  { read } for  pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:9): avc:  denied  { search } for  pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:10): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="smp_affinity" dev=proc ino=-268435372 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file
audit(1180944712.754:11): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
audit(1180944712.754:12): avc:  denied  { search } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
audit(1180944712.754:13): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
audit(1180944712.754:14): avc:  denied  { search } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
audit(1180944712.754:15): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:16): avc:  denied  { search } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
audit(1180944712.754:17): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:18): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
audit(1180944712.754:19): avc:  denied  { search } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir
audit(1180944712.754:20): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
audit(1180944712.754:21): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file
audit(1180944712.754:22): avc:  denied  { read } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file
audit(1180944712.754:23): avc:  denied  { search } for  pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir
audit(1180944712.754:24): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:25): avc:  denied  { read } for  pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:26): avc:  denied  { search } for  pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:27): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="packet" dev=proc ino=-268435293 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1180944712.754:28): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="kcore" dev=proc ino=-268435434 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1180944712.754:29): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="kmsg" dev=proc ino=-268435447 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1180944712.754:30): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:31): avc:  denied  { read } for  pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:32): avc:  denied  { search } for  pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:33): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="10" dev=proc ino=7925 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
audit(1180944712.754:34): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="environ" dev=proc ino=7905 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
audit(1180944712.754:35): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:36): avc:  denied  { read } for  pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:37): avc:  denied  { search } for  pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:38): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="environ" dev=proc ino=7962 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
audit(1180944712.754:39): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="cwd" dev=proc ino=7970 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file
audit(1180944716.754:40): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:41): avc:  denied  { read } for  pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:42): avc:  denied  { search } for  pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:43): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="0" dev=proc ino=9478 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
audit(1180944716.754:44): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="environ" dev=proc ino=9458 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
audit(1180944716.754:45): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:46): avc:  denied  { read } for  pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:47): avc:  denied  { search } for  pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:48): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="0" dev=proc ino=9597 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file
audit(1180944716.754:49): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="environ" dev=proc ino=9577 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
audit(1180944820.238:50): avc:  denied  { create } for  pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:51): avc:  denied  { write } for  pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:52): avc:  denied  { nlmsg_relay } for  pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:53): avc:  denied  { audit_write } for  pid=995 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1180944820.238:54): avc:  denied  { read } for  pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295


Suggestions/advice as to how to fix this are greatly appreciated.  

[olivares at localhost ~]$ uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon i386 GNU/Linux
[olivares at localhost ~]$ cat /etc/fedora-release 
Fedora release 7 (Moonshine)
[olivares at localhost ~]$

Regards,

Antonio 
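Added example, not part of Antonio's message and not Fedora or setroubleshoot tooling: a small Python parser for the two AVC record shapes shown above (the setroubleshoot "Raw Audit Messages", which wrap one record over several lines, and the single-line dmesg `audit(...)` form). It joins wrapped records, tracks the `enforcing=0`/`enforcing=1` mode switches that appear in the dmesg stream so each denial is tagged with the mode it was logged under, and groups denials by (source type, target type, class, permission) so the distinct problems stand out from the volume. The verdict heuristics are assumptions of this example: a `default_t` target is treated as a labeling problem (as the first alert itself says), and a denial logged while `enforcing=0` is marked as not actually blocked, since SELinux only logs in permissive mode. The sample input is constructed from a few lines of the thread.

```python
"""Parse SELinux AVC denials from dmesg / setroubleshoot output and summarise them.

Added example; the verdict rules below are this example's own heuristics, not
setroubleshoot's logic.
"""
import re
from collections import Counter

# Matches both the dmesg form ("audit(1180944712.754:6): avc:  denied  { getattr } for  pid=...")
# and the setroubleshoot raw form ("avc: denied { search } for comm=...").
AVC_RE = re.compile(
    r'(?:audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*)?'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# Mode-switch records written when enforcing mode changes (e.g. around an autorelabel).
ENFORCING_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*enforcing=(?P<new>\d) old_enforcing=(?P<old>\d)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RECORD_START_RE = re.compile(r'^\s*(audit\(|avc:)')
CONTINUATION_RE = re.compile(r'^\s*\w+=')  # a wrapped line made of key=value tokens


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context, e.g. 'default_t'."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def join_records(text):
    """Join setroubleshoot-style wrapped records back into one line each."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if records and CONTINUATION_RE.match(line) and not RECORD_START_RE.match(line):
            records[-1] += ' ' + line.strip()
        else:
            records.append(line.strip())
    return records


def parse_avc(record):
    """Parse one AVC denial record into a dict, or return None if it is not a denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')) if m.group('ts') else None,
        'serial': int(m.group('serial')) if m.group('serial') else None,
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }


def classify(denial):
    """Heuristic verdict (this example's assumption, not setroubleshoot's plugin logic)."""
    if denial['ttype'] == 'default_t':
        return 'labeling: target carries default_t, relabel the object (restorecon/chcon)'
    if denial['enforcing'] is False:
        return 'permissive: logged while enforcing=0, the access was not actually blocked'
    return 'policy: access not expected for this domain, review or report'


def analyse(text):
    """Walk records in order, track enforcing mode, and return the classified denials."""
    enforcing = None  # unknown until the first enforcing= record is seen
    denials = []
    for rec in join_records(text):
        switch = ENFORCING_RE.search(rec)
        if switch:
            enforcing = switch.group('new') == '1'
            continue
        d = parse_avc(rec)
        if d is None:
            continue
        d['enforcing'] = enforcing
        d['verdict'] = classify(d)
        denials.append(d)
    return denials


def summarize(denials):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d['perms']:
            counts[(d['stype'], d['ttype'], d['tclass'], perm)] += 1
    return counts


# Constructed sample, modelled on lines from the thread above.
SAMPLE = """\
avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0
exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0
subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
audit(1180944508.786:4): avc:  denied  { write } for  pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc:  denied  { getattr } for  pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295
"""

if __name__ == '__main__':
    found = analyse(SAMPLE)
    for key, n in sorted(summarize(found).items()):
        print(f'{n:3d}  {key[0]} -> {key[1]} ({key[2]}:{key[3]})')
    for d in found:
        print(f"{d['comm']} on {d['name']!r}: {d['verdict']}")
```

Feed it the whole dmesg or setroubleshoot dump (`python avcparse.py < denials.txt` after replacing `SAMPLE` with `sys.stdin.read()`); the summary table is what to compare before and after a relabel, since a labeling fix should make the `default_t` rows disappear while a real policy gap keeps recurring with the same source/target pair.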