Rawhide mls avcs on boot

Joe Nall joe at nall.com
Thu Mar 6 18:36:12 UTC 2008


On Mar 6, 2008, at 12:16 PM, Stephen Smalley wrote:

>
> On Thu, 2008-03-06 at 12:09 -0600, Joe Nall wrote:
>> rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs in
>> /var/log/messages on boot
>>
>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5):
>> avc:  denied  { unmount } for  pid=1 comm="init"
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6):
>> avc:  denied  { unmount } for  pid=1 comm="init"
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
>> Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7):
>> avc:  denied  { unmount } for  pid=1 comm="init"
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
>>
>> is adding
>>
>> allow kernel_t proc_t:filesystem unmount;
>> allow kernel_t sysfs_t:filesystem unmount;
>> allow kernel_t tmpfs_t:filesystem unmount;
>>
>> to kernel.te the correct fix for this?
>
> fs_unmount_all_fs(kernel_t)

fs_mount_all_fs(kernel_t) is already in kernel.te. After further
experimentation, I think it is a constraint issue (s15:c0.c1023
unmounting s0).

joe
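
A way to triage denials like the ones quoted in this thread, added here as an example and not code from either poster: it parses each AVC record and compares the MLS levels of scontext and tcontext, so records where the levels differ (as in s15:c0.c1023 unmounting s0) stand out before any allow rule is written. The function names are this example's own, the sample records are the quoted ones unwrapped to one line each, and MLS-style contexts (user:role:type:level) are assumed.

```python
import re

# The three denials quoted in the thread, unwrapped to one record per line.
_REC = ('Mar  6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.%s): '
        'avc:  denied  { unmount } for  pid=1 comm="init" '
        'scontext=system_u:system_r:kernel_t:s15:c0.c1023 '
        'tcontext=system_u:object_r:%s:s0 tclass=filesystem')
SAMPLE = [_REC % ("560:5", "tmpfs_t"), _REC % ("560:6", "proc_t"),
          _REC % ("561:7", "sysfs_t")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def split_context(ctx):
    """user:role:type:level -> (type, level); the level itself contains ':'."""
    _user, _role, type_, level = ctx.split(":", 3)
    return type_, level

def parse_level(level):
    """Low level of an MLS level or range -> (sensitivity, category set)."""
    sens, _, cats = level.split("-", 1)[0].partition(":")
    catset = set()
    for part in filter(None, cats.split(",")):
        first, _, last = part.partition(".")   # "c0.c1023" is a category range
        catset.update(range(int(first[1:]), int((last or first)[1:]) + 1))
    return int(sens[1:]), catset

def relation(src, tgt):
    """Compare two parsed levels using MLS dominance."""
    s_dom = src[0] >= tgt[0] and src[1] >= tgt[1]
    t_dom = tgt[0] >= src[0] and tgt[1] >= src[1]
    if s_dom and t_dom:
        return "equal"
    return "source dominates target" if s_dom else (
        "target dominates source" if t_dom else "incomparable")

def triage(lines):
    """Return (source type, target type, class, perms, level relation) per denial."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        s_type, s_level = split_context(m["s"])
        t_type, t_level = split_context(m["t"])
        out.append((s_type, t_type, m["cls"], tuple(m["perms"].split()),
                    relation(parse_level(s_level), parse_level(t_level))))
    return out
```

A relation other than "equal" is only a hint that an MLS constraint may be involved; it does not show which constraint denied the access.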



