avcs from install of initscripts/kernel ?
Russell Coker
russell at coker.com.au
Sun Aug 22 09:42:15 UTC 2004
On Sun, 22 Aug 2004 02:53, Tom London <selinux at comcast.net> wrote:
> Aug 21 09:43:36 fedora kernel: audit(1093106616.786:0): avc: denied {
> dac_read_search } for pid=4292 exe=/bin/bash capability=2
> scontext=root:sysadm_r:bootloader_t tcontext=root:sysadm_r:bootloader_t
> tclass=capability
No harm in adding this as capability chown is already granted.
> Aug 21 09:43:37 fedora kernel: audit(1093106617.979:0): avc: denied {
> transition } for pid=4331 exe=/bin/bash path=/sbin/dmsetup dev=hda2
> ino=2310451 scontext=root:sysadm_r:bootloader_t
> tcontext=root:system_r:lvm_t tclass=process
The constraints file has the following (I've cut bits about crond and
userhelper for clarity):
constrain process transition
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
or (t1 == priv_system_role and r2 == system_r )
);
We have the following policy from global_macros.te:
role_transition sysadm_r lvm_exec_t system_r;
This causes the tcontext to have role system_r, and by the constraint we have
to have the attribute priv_system_role on the source domain (bootloader_t).
I've attached a patch to bootloader.te that fixes these things and a couple of
other minor issues.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 1494 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20040822/f78633b3/attachment.bin>
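The constraint reasoning above, as an added example that is not part of the mail or the attached patch: a small Python model of the quoted "constrain process transition" rule, evaluated against the second AVC denial before and after bootloader_t is given the priv_system_role attribute. The attribute membership sets are assumptions for illustration, not the actual policy of the time.

```python
# Added example, not from the original mail.  Models the constraint
#   r1 == r2 or (t1 == privrole and t2 == userdomain)
#            or (t1 == priv_system_role and r2 == system_r)
# and checks it against the dmsetup transition denial quoted above.
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)",
    re.S,
)

def parse_avc(line):
    """Pull permission, source/target context and class out of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    d = m.groupdict()
    # Contexts are user:role:type (maxsplit keeps any trailing MLS level with the type).
    d["suser"], d["srole"], d["stype"] = d["scontext"].split(":", 2)
    d["tuser"], d["trole"], d["ttype"] = d["tcontext"].split(":", 2)
    return d

def transition_allowed(avc, attrs):
    """Evaluate the quoted constraint; attrs maps attribute -> set of types."""
    r1, r2 = avc["srole"], avc["trole"]
    t1, t2 = avc["stype"], avc["ttype"]
    return (
        r1 == r2
        or (t1 in attrs["privrole"] and t2 in attrs["userdomain"])
        or (t1 in attrs["priv_system_role"] and r2 == "system_r")
    )

# Constructed input: the second denial from the mail, joined onto one line.
DENIAL = ("audit(1093106617.979:0): avc: denied { transition } for pid=4331 "
          "exe=/bin/bash path=/sbin/dmsetup dev=hda2 ino=2310451 "
          "scontext=root:sysadm_r:bootloader_t tcontext=root:system_r:lvm_t "
          "tclass=process")

# Assumed attribute membership (illustrative), before and after the fix.
BEFORE = {"privrole": {"sysadm_t"}, "userdomain": {"user_t", "sysadm_t"},
          "priv_system_role": {"sysadm_t"}}
AFTER = {k: set(v) for k, v in BEFORE.items()}
AFTER["priv_system_role"].add("bootloader_t")

def demo():
    """Return (allowed before fix, allowed after fix) for the quoted denial."""
    avc = parse_avc(DENIAL)
    return transition_allowed(avc, BEFORE), transition_allowed(avc, AFTER)
```

The roles differ (sysadm_r to system_r), so only the priv_system_role branch can satisfy the constraint, which is why the source domain needs that attribute.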