mknod problem still present denied avc's

Daniel J Walsh dwalsh at redhat.com
Fri Jun 15 11:03:32 UTC 2007


Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: Antonio Olivares <olivares14031 at yahoo.com>
> Cc: fedora-selinux-list at redhat.com
> Sent: Thursday, June 14, 2007 9:02:35 AM
> Subject: Re: mknod problem still present denied avc's
>
> Antonio Olivares wrote:
>   
>> dmesg returns
>>
>> audit(1181681041.681:4): avc:  denied  { add_name } for  pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> After I did this again
>>
>> [olivares at localhost ~]$ su -
>> Password: 
>> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>> semodule -i myinsmod.pp
>>
>> [root at localhost ~]# semodule -i myinsmod.pp
>> [root at localhost ~]# 
>>
>> Selinux troubleshooter returned this:
>>
>> avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0 
>>
>>   
>>     
> Yes, you allowed add_name to the directory; now it is complaining about the 
> write. It is best to put the machine in permissive mode, run the app to 
> completion, then generate the policy and
> retest in enforcing mode.
>
> setenforce 0
> run test
> grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> semodule -i myinsmod.pp
> setenforce 1
> run test
>   
>> Policy RPM:  selinux-policy-2.6.4-8.fc7
>>
>> Affected RPM Packages:  coreutils-6.9-2.fc7 [application]
>> Policy RPM:  selinux-policy-2.6.4-12.fc7
>>
>>
>> How can I effectively fix this?
>>
>> This is my /etc/modprobe.conf
>>
>> [root at localhost Download]# cat /etc/modprobe.conf
>> alias eth0 8139too
>> alias scsi_hostadapter sata_via
>> alias scsi_hostadapter1 pata_via
>> alias snd-card-0 snd-via82xx
>> options snd-card-0 index=0  
>> options snd-via82xx index=0  
>> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>> [root at localhost Download]#
>>
>> Thanks,
>>
>> Antonio 
>>
>>
>>
>>
>
> Did as you instructed.  Set Selinux to permissive mode, recreated the /dev/slamr0 using mknod and upon rebooting with selinux enabled it works!! 
>
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
> [root at localhost ~]# setenforce 1
>
> but the message still appears
>
> audit(1181873499.608:3): avc:  denied  { create } for  pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> I have checked with the troubleshooter and it recommends that I do
> restorecon -v /dev/slamr0
>
> [root at localhost ~]# restorecon -v /dev/slamr0
> [root at localhost ~]# ls /dev/slamr0 -l
> crw-rw---- 1 root root 242, 0 2007-06-14 21:11 /dev/slamr0
> [root at localhost ~]# 
>
> Here is the summary from setroubleshoot browser.  
>
> Summary
>     SELinux is preventing sh (insmod_t) "getattr" access to device /dev/slamr0.
>
> Detailed Description
>     SELinux has denied the sh (insmod_t) "getattr" access to device /dev/slamr0.
>     /dev/slamr0 is mislabeled, this device has the default label of the /dev
>     directory, which should not happen.  All Character and/or Block Devices
>     should have a label. You can attempt to change the label of the file using
>     restorecon -v /dev/slamr0. If this device remains labeled device_t, then
>     this is a bug in SELinux policy. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
>     package. If you look at the other similar devices labels, ls -lZ
>     /dev/SIMILAR, and find a type that would work for /dev/slamr0, you can use
>     chcon -t SIMILAR_TYPE /dev/slamr0, If this fixes the problem, you can make
>     this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/slamr0
>     If the restorecon changes the context, this indicates that the application
>     that created the device, created it without using SELinux APIs.  If you can
>     figure out which application created the device, please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.
>
> Allowing Access
>     Attempt restorecon -v /dev/slamr0 or chcon -t SIMILAR_TYPE /dev/slamr0
>
> Additional Information        
>
> Source Context                system_u:system_r:insmod_t
> Target Context                system_u:object_r:device_t
> Target Objects                /dev/slamr0 [ chr_file ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-2.6.4-12.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.device
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.21-1.3226.fc7 #1
>                               SMP Sat Jun 9 22:23:35 EDT 2007 i686 athlon
> Alert Count                   1
> First Seen                    Thu 14 Jun 2007 06:26:18 PM CDT
> Last Seen                     Thu 14 Jun 2007 06:26:18 PM CDT
> Local ID                      04c18a63-7a70-462e-8937-018923ab95bf
> Line Numbers                  
>
> Raw Audit Messages            
>
> avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265
> scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
> suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>
>
> Thanks for helping,
>
> Antonio 
>
>
>
>
>
>   

Please attach the te file that you have generated.  Also please update to
selinux-policy-2.6.4-14.fc7 to see if the fix in there solves your problem.
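As an added example (not part of this thread or of audit2allow), the script below groups the AVC lines quoted above the way audit2allow would, which shows why each enforcing-mode run surfaced only the next denial in the chain (add_name, then write, then create, then getattr) and why one permissive run collects them all. It also flags device nodes still carrying the generic device_t type, the condition the setroubleshoot text above describes as a labeling problem rather than something to allow; the sample input is the four AVC lines from the thread.

```python
import re
from collections import defaultdict

# The four AVC lines quoted in this thread, in the two formats they appear
# in (dmesg-style and audit.log-style); field order differs between them.
SAMPLE_AVCS = """\
audit(1181681041.681:4): avc:  denied  { add_name } for  pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
audit(1181873499.608:3): avc:  denied  { create } for  pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
""".splitlines()


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'\b(scontext|tcontext|tclass)=(\S+)', line))
    if len(fields) != 3:
        return None
    # A context is user:role:type[:range]; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())


def allow_rules(lines):
    """Merge denials into audit2allow-style rules, one per (source, target, class).
    In enforcing mode the first denial aborts mknod, so each run only exposes
    the next permission; a permissive run records the whole set at once."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())


def mislabeled_devices(lines):
    """Device nodes whose denial shows the generic device_t label: the case the
    setroubleshoot device plugin treats as a labeling bug (fix with restorecon,
    chcon or a file context rule), not as a reason to add an allow rule."""
    names = set()
    for line in lines:
        parsed = parse_avc(line)
        name = re.search(r'\bname="([^"]+)"', line)
        if (parsed and name and parsed[1] == "device_t"
                and parsed[2] in ("chr_file", "blk_file")):
            names.add(name.group(1))
    return sorted(names)
```

Run on the sample, allow_rules() yields one dir rule and one chr_file rule against device_t, and mislabeled_devices() reports slamr0; a rule whose target is device_t is the signal to fix the label of /dev/slamr0 instead of loading the generated module.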



