plymouthd avcs in MLS
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 12 16:53:28 UTC 2009
Joe Nall wrote:
> type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for
> pid=1 comm="init" name="plymouth" dev=rootfs ino=73
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.621:4): avc: denied { read } for
> pid=723 comm="init" name="plymouth" dev=rootfs ino=73
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans }
> for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.623:5): avc: denied { getattr } for
> pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=AVC msg=audit(1231458433.625:6): avc: denied { search } for
> pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1231458433.625:6): avc: denied { read } for
> pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1231458433.632:7): avc: denied { getattr } for
> pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0
> ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1231458434.550:20): avc: denied { read } for
> pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
>
> type=AVC msg=audit(1231458434.550:21): avc: denied { write } for
> pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357
> scontext=system_u:system_r:kernel_t:s15:c0.c1023
> tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
>
> with the last avc repeated ~3000 times a second forever in enforcing.
>
> Should plymouthd have a dedicated type or should tty1 be SystemHigh?
>
> joe
I think plymouthd is started in the initrd, so I don't think we can
have a transition. But shouldn't the kernel be able to override MLS so
it could write to this terminal?
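The denials quoted above, worked through as an added example that is not part of the thread or of the SELinux or plymouth projects: a small Python script that parses type=AVC lines, splits the MLS level out of each security context and sorts each denial by whether the level difference between subject and object can explain it. The rule it applies is a heuristic of this example, not policy logic from the thread: a write-like permission from a higher sensitivity (kernel_t at s15:c0.c1023) to a lower one (tty1 at s0) can be an MLS write-down denial, while a read of an s0 file from s15 is permitted by MLS, so that denial can only come from type enforcement. Categories are ignored, only sensitivities are compared, and the actual mlsconstrain rules and any attribute that exempts a domain from the write-down rule are not modelled. The sample input is the posted records joined back onto one line each, plus one constructed duplicate of the tty1 write standing in for the denial the post says repeats thousands of times a second.

```python
"""Sort SELinux AVC denials from an MLS system by whether the MLS level
difference between subject and object can explain them.

Added example for this thread, not code from the thread or from the
SELinux or plymouth projects. Assumed: audit lines in the type=AVC format
shown in the post; the heuristic that a write-like permission from a higher
sensitivity to a lower one may be an MLS write-down denial, while a read
from higher to lower is permitted by MLS and so must be a type-enforcement
denial. Only sensitivities are compared (categories are ignored); the
policy's real mlsconstrain rules and type attributes are not modelled.
"""
import re
from collections import Counter

# Constructed sample: the AVC records posted in the thread, each joined back
# onto one line as auditd writes them. The final record is a constructed
# duplicate (serial 22) standing in for the write the post says repeats.
SAMPLE_AVCS = """\
type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for pid=1 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458433.625:6): avc: denied { read } for pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1231458434.550:20): avc: denied { read } for pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1231458434.550:21): avc: denied { write } for pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1231458434.551:22): avc: denied { write } for pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that move information from subject to object (the MLS "write" side).
WRITE_LIKE = {"write", "append", "create", "setattr", "unlink", "rename",
              "link", "rmdir", "relabelto", "connect", "sendto"}
# Permissions that move information from object to subject (the MLS "read" side).
READ_LIKE = {"read", "getattr", "execute", "execute_no_trans", "search",
             "recvfrom"}


def split_context(ctx):
    """'user:role:type:level' -> (user, role, type, level). The level may itself
    contain colons (s15:c0.c1023), so only the first three are split on."""
    parts = ctx.split(":", 3)
    if len(parts) == 3:            # non-MLS policy: no level component
        parts.append("s0")
    return tuple(parts)


def sensitivity(level):
    """Low sensitivity of a level or range: 's15:c0.c1023' -> 15, 's0-s15' -> 0."""
    low = level.split("-", 1)[0]
    m = re.match(r"s(\d+)", low)
    if not m:
        raise ValueError(f"not an MLS level: {level!r}")
    return int(m.group(1))


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus a 'perms' frozenset,
    or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = frozenset(m.group("perms").split())
    return rec


def classify(rec):
    """Heuristic verdict on which policy layer can be responsible for the denial."""
    subj = sensitivity(split_context(rec["scontext"])[3])
    obj = sensitivity(split_context(rec["tcontext"])[3])
    if subj > obj and rec["perms"] & WRITE_LIKE:
        return "mls-write-down"      # MLS forbids writing down; TE may also deny
    if subj < obj and rec["perms"] & READ_LIKE:
        return "mls-read-up"         # MLS forbids reading up; TE may also deny
    return "te-only"                 # levels permit it, so type enforcement denied


def summarize(text):
    """Collapse repeated denials: (comm, perms, target type, class, verdict) -> count."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], "+".join(sorted(rec["perms"])),
               split_context(rec["tcontext"])[2], rec["tclass"], classify(rec))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (comm, perms, ttype, tclass, verdict), n in sorted(summarize(SAMPLE_AVCS).items()):
        print(f"{n:5d}  {comm:<10} {perms:<18} {ttype:<14} {tclass:<9} {verdict}")
```

Run against a real audit.log the summary collapses a flood like the repeating tty1 write into one counted row, and the verdict column separates the denials that a type-enforcement allow rule alone could fix (the reads of root_t and var_lib_t at s0 from s15) from the one that involves the MLS write-down constraint (kernel_t at s15 writing tty_device_t at s0), which is the distinction the question in the post turns on.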