Re: udev slowness and selinux
- From: Stephen Smalley <sds tycho nsa gov>
- To: Tom London <selinux gmail com>
- Cc: Development discussions related to Fedora Core <fedora-devel-list redhat com>, dwalsh redhat com
- Subject: Re: udev slowness and selinux
- Date: Fri, 02 Dec 2005 17:09:44 -0500
On Fri, 2005-12-02 at 12:36 -0800, Tom London wrote:
> Additional confirmation:
>
> update to latest policy (selinux-policy-targeted-2.0.7-2) yielded many
> avc and transition errors on boot.
>
> Rebooted in permissive and relabeled.
>
> rebooting in enforcing 'works', but lots of avcs:
> [root tlondon ~]# ausearch -m avc,selinux_err -ts 12/02/2005 | audit2allow -l
> allow cupsd_t unlabeled_t:dir search;
> allow dhcpc_t system_dbusd_var_run_t:dir search;
> allow hald_t agp_device_t:chr_file getattr;
> allow hald_t clock_device_t:chr_file getattr;
> allow hald_t memory_device_t:chr_file getattr;
> allow hald_t ptmx_t:chr_file getattr;
> allow hald_t random_device_t:chr_file getattr;
> allow hald_t sound_device_t:chr_file getattr;
> allow hald_t tmpfs_t:chr_file getattr;
> allow hald_t tty_device_t:chr_file getattr;
> allow hald_t unlabeled_t:dir search;
> allow hald_t urandom_device_t:chr_file getattr;
> allow hald_t zero_device_t:chr_file getattr;
> allow kernel_t lib_t:file execmod;
> allow kernel_t texrel_shlib_t:file relabelto;
> allow kernel_t user_home_dir_t:dir relabelto;
> allow kernel_t user_home_t:dir relabelto;
> allow kernel_t user_home_t:file relabelto;
> allow kernel_t user_home_t:lnk_file relabelto;
> allow kernel_t user_home_t:sock_file relabelto;
> allow ntpd_t self:capability sys_resource;
> allow privoxy_t unlabeled_t:file getattr;
> allow system_dbusd_t unlabeled_t:dir read;
> allow unlabeled_t fs_t:filesystem associate;

Strange, I don't see this either. I don't have the latest hald though
(seems to be a dependency problem there). I'm running
kernel-smp-2.6.14-1.1735_FC5 for what that's worth. Only audit messages
during startup are (after audit2allow):

allow hald_t tty_device_t:chr_file ioctl;
allow updfstab_t tmpfs_t:dir getattr;

What is unlabeled on your system (unlabeled_t denials)?

--
Stephen Smalley
National Security Agency
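
One way to answer the closing question from the audit records themselves, as an added example that is not part of the original message: the hypothetical helper `unlabeled_targets` reads raw AVC records and lists each distinct object whose target type is `unlabeled_t`, which `audit2allow` output hides. The sample records and their names, devices and inode numbers are constructed.

```shell
#!/bin/sh
# Added example: list the objects behind unlabeled_t AVC denials.

# Constructed sample records (illustrative; not from the systems in the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1133557784.101:12): avc:  denied  { search } for  pid=1890 comm="hald" name="media" dev=sda3 ino=4021 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:unlabeled_t tclass=dir
type=AVC msg=audit(1133557785.220:19): avc:  denied  { search } for  pid=1902 comm="hald" name="media" dev=sda3 ino=4021 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:unlabeled_t tclass=dir
type=AVC msg=audit(1133557786.004:23): avc:  denied  { search } for  pid=1755 comm="cupsd" name="cups" dev=sda3 ino=5120 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
type=AVC msg=audit(1133557786.310:27): avc:  denied  { getattr } for  pid=1890 comm="hald" name="tty0" dev=tmpfs ino=911 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
type=AVC msg=audit(1133557787.512:31): avc:  denied  { getattr } for  pid=2011 comm="privoxy" path="/etc/privoxy/config" dev=sda3 ino=7730 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
EOF
}

# Reads audit records on stdin. Prints one line per distinct unlabeled object:
#   <source type> <class> <perms> dev=<dev> ino=<ino> name=<name or path>
unlabeled_targets() {
  awk '
    /avc: +denied/ {
      stype = ttype = cls = dev = ino = name = "?"
      # Permission list sits between the braces: "{ read write }" -> "read,write"
      perms = $0
      sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ +/, ",", perms)
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        gsub(/"/, "", val)
        # Contexts are user:role:type[:mls]; the type is always field 3.
        if (key == "scontext") { split(val, c, ":"); stype = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        else if (key == "tclass") cls = val
        else if (key == "dev") dev = val
        else if (key == "ino") ino = val
        else if (key == "name" || key == "path") name = val
      }
      if (ttype == "unlabeled_t")
        printf "%s %s %s dev=%s ino=%s name=%s\n", stype, cls, perms, dev, ino, name
    }' | sort -u
}

sample_avc | unlabeled_targets
```

On a live system, pipe `ausearch -m avc -ts 12/02/2005` into `unlabeled_targets` in place of `sample_avc`; a reported dev/ino pair can then be mapped to a path with `find <mountpoint> -xdev -inum <ino>`.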