mknod denials, avcs from dmesg please help

Daniel J Walsh dwalsh at redhat.com
Tue Jun 5 13:19:55 UTC 2007


Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: Antonio Olivares <olivares14031 at yahoo.com>
> Cc: fedora-selinux-list at redhat.com
> Sent: Monday, June 4, 2007 3:52:18 PM
> Subject: Re: mknod denials, avcs from dmesg please help
>
> Antonio Olivares wrote:
>   
>> ----- Original Message ----
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> To: Antonio Olivares <olivares14031 at yahoo.com>
>> Cc: fedora-selinux-list at redhat.com
>> Sent: Monday, June 4, 2007 1:55:57 PM
>> Subject: Re: mknod denials, avcs from dmesg please help
>>
>> Ok the avc
>>
>> audit(1180944508.786:4): avc:  denied  { write } for  pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> Looks like the interesting one.  The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
>>
>> What node is insmod trying to create in /dev?  Do you have any idea what is going on here?
>>
>> This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7.
>>
>> Also
>>
>>
>> Thank you for responding.  Indeed it is the mknod entry that is causing trouble.  I use smartlink modem and thus I have added to /etc/modprobe.conf
>>
>> alias char-major-243 slusb
>> alias char-major-242 slamr
>> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>>
>> so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer.  This is for automation.  As a result of this denied avc, automation of loading slamr module fails.
>>
>> This is the only one now causing trouble
>>
>> audit(1180952201.602:4): avc:  denied  { write } for  pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> How should I tackle this one, without disabling selinux, or setting it to permissive?
>>
>> Thanks,
>>
>> Antonio 
>>
>>
>>   
>>     
> # grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> # semodule -i myinsmod.pp
>
> will customize your policy to allow mknod to work.
>   
>
> Thanks for the help, but 
>
> [root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> compilation failed:
> sh: /usr/bin/checkmodule: No such file or directory
> [root@localhost ~]# semodule -i myinsmod.pp
> semodule:  Could not read file 'myinsmod.pp':
> [root@localhost ~]#
>
> which packages should I have to install in order for this to work?
>
> Regards,
>
> Antonio 
>
>
>   
yum install checkpolicy
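
Added example, not part of the original message and not audit2allow's own code: a simplified Python sketch of how the AVC denials quoted in this thread map to the type-enforcement rules a local module such as myinsmod would carry, so the rules can be reviewed before loading. The regex, the function names and the records marked as constructed are assumptions for illustration.

```python
import re
from collections import defaultdict

# Kernel AVC denial format as it appears in the thread's dmesg output.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def avc_to_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # grep also matches records that are not AVC denials
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

CTX = ("scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 "
       "tcontext=system_u:object_r:device_t:s0 tclass=dir")
# The two denials quoted in the thread.
THREAD_AVCS = [
    'audit(1180944508.786:4): avc:  denied  { write } for  pid=655 '
    'comm="mknod" name="/" dev=tmpfs ino=752 ' + CTX,
    'audit(1180952201.602:4): avc:  denied  { write } for  pid=675 '
    'comm="mknod" name="/" dev=tmpfs ino=752 ' + CTX,
]
# Constructed records (not from the thread): a second permission on the same
# directory, and a non-AVC line that "grep insmod" would also pass through.
CONSTRUCTED = [
    'audit(0.000:0): avc:  denied  { add_name } for  pid=1 '
    'comm="mknod" name="slamr0" ' + CTX,
    'type=SYSCALL msg=audit(0.000:0): comm="insmod" exe="/sbin/insmod"',
]

if __name__ == "__main__":
    for rule in avc_to_rules(THREAD_AVCS + CONSTRUCTED):
        print(rule)
```

audit2allow -M myinsmod writes myinsmod.te next to myinsmod.pp; comparing that file with rules derived this way shows exactly what insmod_t is being granted before semodule -i loads it.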




