mknod problem still present denied avc's
Daniel J Walsh
dwalsh at redhat.com
Fri Jun 15 11:03:32 UTC 2007
Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: Antonio Olivares <olivares14031 at yahoo.com>
> Cc: fedora-selinux-list at redhat.com
> Sent: Thursday, June 14, 2007 9:02:35 AM
> Subject: Re: mknod problem still present denied avc's
>
> Antonio Olivares wrote:
>
>> dmesg returns
>>
>> audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> After I did this again
>>
>> [olivares at localhost ~]$ su -
>> Password:
>> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>> semodule -i myinsmod.pp
>>
>> [root at localhost ~]# semodule -i myinsmod.pp
>> [root at localhost ~]#
>>
>> Selinux troubleshooter returned this:
>>
>> avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
>>
>>
>>
> Yes, you allowed add_name to the directory; now it is complaining about the
> write. It is best to put the machine in permissive mode, run the app to
> completion, then generate the policy and
> retest in enforcing mode.
>
> setenforce 0
> run test
> grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> semodule -i myinsmod.pp
> setenforce 1
> run test
>
>> Policy RPM: selinux-policy-2.6.4-8.fc7
>>
>> Affected RPM Packages: coreutils-6.9-2.fc7 [application]
>> Policy RPM: selinux-policy-2.6.4-12.fc7
>>
>>
>> How can I effectively fix this?
>>
>> This is my /etc/modprobe.conf
>>
>> [root at localhost Download]# cat /etc/modprobe.conf
>> alias eth0 8139too
>> alias scsi_hostadapter sata_via
>> alias scsi_hostadapter1 pata_via
>> alias snd-card-0 snd-via82xx
>> options snd-card-0 index=0
>> options snd-via82xx index=0
>> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>> [root at localhost Download]#
>>
>> Thanks,
>>
>> Antonio
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>
> Did as you instructed. Set SELinux to permissive mode, recreated /dev/slamr0 using mknod, and upon rebooting with SELinux enabled it works!!
>
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
> [root at localhost ~]# setenforce 1
>
> but the message still appears
>
> audit(1181873499.608:3): avc: denied { create } for pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> I have checked with the troubleshooter and it recommends me to do
> restorecon -v /dev/slamr0
>
> [root at localhost ~]# restorecon -v /dev/slamr0
> [root at localhost ~]# ls /dev/slamr0 -l
> crw-rw---- 1 root root 242, 0 2007-06-14 21:11 /dev/slamr0
> [root at localhost ~]#
>
> Here is the summary from setroubleshoot browser.
>
> Summary
> SELinux is preventing sh (insmod_t) "getattr" access to device /dev/slamr0.
>
> Detailed Description
> SELinux has denied the sh (insmod_t) "getattr" access to device /dev/slamr0.
> /dev/slamr0 is mislabeled, this device has the default label of the /dev
> directory, which should not happen. All Character and/or Block Devices
> should have a label. You can attempt to change the label of the file using
> restorecon -v /dev/slamr0. If this device remains labeled device_t, then
> this is a bug in SELinux policy. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
> package. If you look at the other similar devices labels, ls -lZ
> /dev/SIMILAR, and find a type that would work for /dev/slamr0, you can use
> chcon -t SIMILAR_TYPE /dev/slamr0, If this fixes the problem, you can make
> this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/slamr0
> If the restorecon changes the context, this indicates that the application
> that created the device, created it without using SELinux APIs. If you can
> figure out which application created the device, please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.
>
> Allowing Access
> Attempt restorecon -v /dev/slamr0 or chcon -t SIMILAR_TYPE /dev/slamr0
>
> Additional Information
>
> Source Context system_u:system_r:insmod_t
> Target Context system_u:object_r:device_t
> Target Objects /dev/slamr0 [ chr_file ]
> Affected RPM Packages
> Policy RPM selinux-policy-2.6.4-12.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.device
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.21-1.3226.fc7 #1
> SMP Sat Jun 9 22:23:35 EDT 2007 i686 athlon
> Alert Count 1
> First Seen Thu 14 Jun 2007 06:26:18 PM CDT
> Last Seen Thu 14 Jun 2007 06:26:18 PM CDT
> Local ID 04c18a63-7a70-462e-8937-018923ab95bf
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265
> scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
> suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>
>
> Thanks for helping,
>
> Antonio
>
Please attach the te file that you have generated. Also please update to
selinux-policy-2.6.4-14.fc7 to see if the fix in there solves your problem.
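The thread shows why chasing denials one at a time does not converge: each allow rule uncovers the next missing permission (add_name, then write, then create, then getattr), and the setroubleshoot alert points out that the real defect is a device node that kept the default device_t label of /dev. The script below is an added example, not part of the thread and not the audit2allow code from the policycoreutils package: it reproduces in simplified form what `audit2allow -M myinsmod` does, parsing the four AVC records quoted above (embedded here as constructed sample input, in both the dmesg and the setroubleshoot raw-message layout, which put tclass and tcontext in different orders), merging them into one allow rule per source type, target type and class, rendering a .te module in the form audit2allow emits, and flagging rules whose target is a chr_file or blk_file still labeled device_t, because those call for a labeling fix (restorecon, chcon, semanage fcontext) rather than an allow rule. The module name `myinsmod`, the function names and the check for device_t on device classes are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this thread, verbatim.
SAMPLE_AVCS = """\
audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
audit(1181873499.608:3): avc: denied { create } for pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVICE_CLASSES = {"chr_file", "blk_file"}


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC record, or None.

    Fields are read as key=value pairs, so it does not matter whether tclass
    comes before or after tcontext (the two layouts in the thread differ here).
    The type is the third colon-separated field of a security context.
    """
    m = PERMS_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = dict(FIELD_RE.findall(line))
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def aggregate(text):
    """Merge all denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def labeling_warnings(rules):
    """A device node still labeled device_t carries /dev's default label.

    As the setroubleshoot alert in the thread says, that is a labeling bug
    (fix with restorecon/chcon/semanage fcontext), not a missing allow rule.
    """
    return [
        f"{tclass} target labeled {ttype}: relabel the node instead of allowing "
        f"{stype} {' '.join(sorted(perms))} on {ttype}"
        for (stype, ttype, tclass), perms in sorted(rules.items())
        if ttype == "device_t" and tclass in DEVICE_CLASSES
    ]


def render_te(module, rules):
    """Render a .te policy module in the layout audit2allow -M produces."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged = aggregate(SAMPLE_AVCS)
    print(render_te("myinsmod", merged))
    for warning in labeling_warnings(merged):
        print("WARNING:", warning)
```

Run against the thread's records it collapses the four separate denials into two rules, `allow insmod_t device_t:dir { add_name write };` and `allow insmod_t device_t:chr_file { create getattr };`, and warns on the second one: the chr_file target is device_t, which is exactly the mislabel the alert describes, so loading that rule would paper over the labeling problem rather than fix it.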