plymouthd avcs in MLS

Xavier Toth txtoth at gmail.com
Fri Jan 16 14:30:11 UTC 2009


On Mon, Jan 12, 2009 at 10:53 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Joe Nall wrote:
>> type=AVC msg=audit(1231458433.619:3): avc:  denied  { execute } for
>> pid=1 comm="init" name="plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc:  denied  { read } for
>> pid=723 comm="init" name="plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc:  denied  { execute_no_trans }
>> for  pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.623:5): avc:  denied  { getattr } for
>> pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.625:6): avc:  denied  { search } for
>> pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>> type=AVC msg=audit(1231458433.625:6): avc:  denied  { read } for
>> pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.632:7): avc:  denied  { getattr } for
>> pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0
>> ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458434.550:20): avc:  denied  { read } for
>> pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
>>
>> type=AVC msg=audit(1231458434.550:21): avc:  denied  { write } for
>> pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
>>
>> with the last avc repeated ~3000 times a second forever in enforcing.
>>
>> Should plymouthd have a dedicated type or should tty1 be SystemHigh?
>>
>> joe
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> I think plymouthd is started in the initrd, so I don't think we can
> have a transition.  But shouldn't the kernel be able to override MLS so
> it could write to this terminal?

kernel_t already has mls_files_[read/write]_all_levels; however, it uses
term_use_console, which doesn't cover tty_device_t. The options are to
use term_use_all_terms or to "allow kernel_t tty_device_t:chr_file
rw_file_perms;". Which will it be?

Ted
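An added example, not part of the thread and not code from the plymouth or Fedora policy projects: a small Python parser for AVC records like the ones Joe posted. It splits each record into its fields, breaks the security contexts into user/role/type/MLS level, counts denials per (source type, target type, class, permission) so the ~3000/s tty1 write stands out, and labels each denial by whether the subject's sensitivity is above or below the object's. The sample input is constructed from the quoted records, re-joined onto one line each, with one extra copy of the tty1 write added so the repeat counting has something to count. The "write-down"/"read-down" labels only say what an MLS constraint would look at; as Ted's reply shows, a denial between levels can still be a plain type-enforcement gap (here, term_use_console not covering tty_device_t) when the domain already carries an MLS override attribute.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the AVC records quoted in the thread, one per line
# (the mail client had wrapped them), plus one repeated tty1 write.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1231458433.619:3): avc:  denied  { execute } for  pid=1 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458433.621:4): avc:  denied  { read } for  pid=723 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458433.621:4): avc:  denied  { execute_no_trans } for  pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458434.550:20): avc:  denied  { read } for  pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1231458434.550:21): avc:  denied  { write } for  pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1231458434.551:22): avc:  denied  { write } for  pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# Permissions that modify the object; an MLS policy treats these as "write".
WRITE_LIKE = {"write", "append", "create", "setattr", "unlink", "rename", "link"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # MLS level or range, e.g. "s15:c0.c1023"; "" on a non-MLS policy


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: tuple
    pid: int
    comm: str
    target: str  # path= when present, otherwise name=
    scontext: Context
    tcontext: Context
    tclass: str


def parse_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':' (categories)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


def sensitivity_range(level):
    """'s15:c0.c1023' -> (15, 15); a range 's0-s15:c0.c1023' -> (0, 15)."""
    low_part, _, high_part = level.partition("-")

    def sens(part):
        return int(part.split(":", 1)[0].lstrip("s"))

    low = sens(low_part)
    return low, (sens(high_part) if high_part else low)


def parse_avc(line):
    """Return an AvcRecord for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        pid=int(fields.get("pid", -1)),
        comm=fields.get("comm", ""),
        target=fields.get("path") or fields.get("name", ""),
        scontext=parse_context(fields["scontext"]),
        tcontext=parse_context(fields["tcontext"]),
        tclass=fields.get("tclass", ""),
    )


def parse_audit(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def classify_level(rec):
    """Label the access by subject vs. object sensitivity, as an MLS constraint would see it."""
    if not rec.scontext.level or not rec.tcontext.level:
        return "no-mls"
    _, s_high = sensitivity_range(rec.scontext.level)
    _, o_high = sensitivity_range(rec.tcontext.level)
    if rec.scontext.level == rec.tcontext.level:
        return "same-level"
    direction = "down" if s_high > o_high else "up"
    kind = "write" if any(p in WRITE_LIKE for p in rec.perms) else "read"
    return f"{kind}-{direction}"


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r.result != "denied":
            continue
        for p in r.perms:
            counts[(r.scontext.type, r.tcontext.type, r.tclass, p)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for key, n in summarize(recs).most_common():
        print(f"{n:5d}  {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
    for r in recs:
        print(f"{r.comm:>10} {r.target:<30} {classify_level(r)}")
```

Run against a real /var/log/audit/audit.log the same summary groups the repeated tty1 write into a single line with its count, which is the quickest way to see whether one missing rule (as opposed to many) is behind a flood of denials.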
