plymouthd avcs in MLS

Daniel J Walsh dwalsh at redhat.com
Mon Jan 12 16:53:28 UTC 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Nall wrote:
> type=AVC msg=audit(1231458433.619:3): avc:  denied  { execute } for 
> pid=1 comm="init" name="plymouth" dev=rootfs ino=73
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.621:4): avc:  denied  { read } for 
> pid=723 comm="init" name="plymouth" dev=rootfs ino=73
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.621:4): avc:  denied  { execute_no_trans }
> for  pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.623:5): avc:  denied  { getattr } for 
> pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.625:6): avc:  denied  { search } for 
> pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1231458433.625:6): avc:  denied  { read } for 
> pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1231458433.632:7): avc:  denied  { getattr } for 
> pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0
> ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1231458434.550:20): avc:  denied  { read } for 
> pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
> 
> type=AVC msg=audit(1231458434.550:21): avc:  denied  { write } for 
> pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> 
> with the last avc repeated ~3000 times a second forever in enforcing.
> 
> Should plymouthd have a dedicated type or should tty1 be SystemHigh?
> 
> joe
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I think plymouthd is started in the initrd, so  I don't think we can
have a transition.  But shouldn't the kernel be able to override MLS So
it could write to this terminal?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklrdYgACgkQrlYvE4MpobMYDACeOq906O8BalhlDJv94Lu/oe1Z
Y6QAnj6r0CshCY5G819oBj+jVp4mr/iE
=oOG1
-----END PGP SIGNATURE-----

More information about the fedora-selinux-list mailing list