Progress! .532 boots! -- but dbus/hotplug/udev problems remain?

Tom London selinux at comcast.net
Sat Aug 28 18:29:47 UTC 2004


Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1,
kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2)
now boots in strict/enforcing.

Many AVCs, and there is a problem
with runlevel 5 (graphical login, etc.) preventing
login, (but text login works).

Here are the first, early AVCs:  (I'll dig for more later.)

Aug 28 10:23:40 fedora kernel: usbcore: registered new driver usblp
Aug 28 10:23:40 fedora kernel: drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Aug 28 10:23:40 fedora acpid: acpid startup succeeded
Aug 28 10:23:40 fedora kernel: ACPI: Power Button (FF) [PWRF]
Aug 28 10:23:40 fedora kernel: ACPI: Sleep Button (CM) [FUTS]
Aug 28 10:23:40 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc:  denied  { search } for  pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc:  denied  { execute_no_trans } for  pid=1271 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc:  denied  { write } for  pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file

These repeat many times.  When run in permissive mode, this sequence
becomes:

Aug 28 10:32:25 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:32:25 fedora kernel: audit(1093714297.852:0): avc:  denied  { search } for  pid=1283 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.859:0): avc:  denied  { search } for  pid=1283 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc:  denied  { read } for  pid=1283 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc:  denied  { getattr } for  pid=1283 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.077:0): avc:  denied  { execute_no_trans } for  pid=1285 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.109:0): avc:  denied  { search } for  pid=1285 exe=/bin/bash name=console dev=hda2 ino=4456494 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc:  denied  { write } for  pid=1283 exe=/sbin/udev name=fscreate dev=proc ino=84082710 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc:  denied  { setfscreate } for  pid=1283 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 28 10:32:25 fedora kernel: audit(1093714317.126:0): avc:  denied  { search } for  pid=1671 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir

Audit2allow on this says:
allow  : { write };
allow udev_t default_context_t:dir { search };
allow udev_t etc_t:file { execute_no_trans };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t udev_t:process { setfscreate };

The funny 'allow : { write };' is for the write of 'fscreate' in /proc.

After obtaining the graphical login screen, here is the offending AVC:

Aug 28 10:24:42 fedora gdm(pam_unix)[3888]: session opened for user tbl by (uid=0)
Aug 28 10:24:43 fedora kernel: audit(1093713883.626:0): avc:  denied  { create } for  pid=4042 exe=/usr/bin/dbus-daemon-1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_selinux_socket

An error window pops up reporting an SELinux/AVC type failure. It then
returns to the login screen.

Just prior to that, there are many 'denied's from udev and hald. Here 
are a few:

Aug 28 10:24:21 fedora dbus: avc:  denied  { send_msg } for  scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:21 fedora kernel: audit(1093713853.755:0): avc:  denied  { execute } for  pid=3466 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=606213 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 28 10:24:21 fedora udev[3953]: creating device node '/dev/vcs7'
Aug 28 10:24:22 fedora dbus: avc:  denied  { send_msg } for  scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.817:0): avc:  denied  { search } for  pid=3798 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:24:22 fedora dbus: avc:  denied  { send_msg } for  scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.819:0): avc:  denied  { execute_no_trans } for  pid=3846 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:24:22 fedora dbus: avc:  denied  { send_msg } for  scontext=system_u:system_r:updfstab_t tcontext=system_u:system_r:hald_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.820:0): avc:  denied  { write } for  pid=3798 exe=/sbin/udev name=fscreate dev=proc ino=248905750 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file

[BTW: When I reboot, /etc/fstab has been relabeled to type tmp_t. 
Is the above causing this?]

I rebooted strict/permissive, and things appear OK, including loading
of sound modules.

However, as noted above, something is relabeling /etc/fstab to tmp_t:

Aug 28 10:33:21 fedora gdm(pam_unix)[3786]: session opened for user tbl by (uid=0)
Aug 28 10:33:21 fedora kernel: audit(1093714401.349:0): avc:  denied  { read } for  pid=3786 exe=/usr/bin/gdm-binary name=fstab dev=hda2 ino=4654141 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=file
Aug 28 10:33:21 fedora kernel: audit(1093714401.350:0): avc:  denied  { getattr } for  pid=3786 exe=/usr/bin/gdm-binary path=/etc/fstab dev=hda2 ino=4654141 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=file

I believe I'm running a 'stock' Rawhide system.

tom
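Added by the editor, not part of Tom's post and not the audit2allow script he ran: a small Python parser that re-joins AVC records the mail archive wrapped across lines, pulls out the permission and the source/target types, and aggregates them into audit2allow-style allow rules. It handles both kernel AVCs (with pid=/exe=) and the userspace dbus AVCs above, which carry no pid. SAMPLE_LOG is a constructed excerpt of the records quoted in the post, wrapped the way the archive shows them; the syslog-header regex used to detect where a record starts is the editor's assumption, not something the post or audit2allow specifies.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's records, wrapped as the mail archive
# shows them: one record split across several lines, and one userspace
# (dbus) AVC with no pid=/exe= fields.
SAMPLE_LOG = """\
Aug 28 10:23:40 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc:  denied  {
search } for  pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc:  denied  {
write }
for  pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=file
Aug 28 10:24:21 fedora dbus: avc:  denied  { send_msg } for
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t
tclass=dbus
Aug 28 10:32:25 fedora kernel: audit(1093714297.859:0): avc:  denied  {
search } for  pid=1283 exe=/sbin/udev name=files dev=hda2 ino=4509746
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:file_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc:  denied  {
read } for  pid=1283 exe=/sbin/udev name=file_contexts dev=hda2
ino=4505700 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:file_context_t tclass=file
"""

# Assumption: a new syslog record starts with "Mon dd hh:mm:ss host ";
# any line that does not match is a continuation of the previous record.
SYSLOG_HDR = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def join_wrapped_lines(text):
    """Re-join records that a mail client wrapped over several lines."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if SYSLOG_HDR.match(line):
            records.append(line)
        elif records:
            records[-1] = records[-1] + " " + line.lstrip()
    return records


def context_type(ctx):
    """user:role:type[:range] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(record):
    """Return a dict for one AVC denial, or None if the record is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),          # absent on userspace (dbus) AVCs
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name"),
    }


def allow_rules(avcs):
    """Aggregate denials into audit2allow-style rules, one per (src, tgt, class)."""
    grouped = defaultdict(set)
    for a in avcs:
        key = (context_type(a["scontext"]), context_type(a["tcontext"]), a["tclass"])
        grouped[key].update(a["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


def analyse(text):
    avcs = [a for a in (parse_avc(r) for r in join_wrapped_lines(text)) if a]
    return avcs, allow_rules(avcs)


if __name__ == "__main__":
    avcs, rules = analyse(SAMPLE_LOG)
    for a in avcs:
        print("%-22s %-8s %-16s %s" % (a["exe"] or "(userspace)", a["tclass"],
                                       ",".join(a["perms"]), a["target"] or "-"))
    print()
    print("\n".join(rules))
```

Because continuation lines are merged before parsing, the fscreate write denial yields a complete `allow udev_t udev_t:file { write };` rather than the empty-typed `allow  : { write };` in the post; that the original tool tripped over the wrapped record is the editor's guess, not something the post establishes. Rules like these are an analysis aid rather than a fix: the `etc_t` script under /etc/udev/scripts and the `tmp_t` label on /etc/fstab both look like labeling questions, where the answer is usually the right file context rather than a broader allow rule.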