latest Rawhide... selinux-policy-strict-1.17.9-2

Tom London selinux at comcast.net
Fri Sep 3 15:43:29 UTC 2004


Newest Rawhide packages improve things a bit for strict/enforcing, but
still no joy.

When booting strict/enforcing, the system seems to boot to single user mode,
but is unable to write to the console. The last messages are avc denials from
/bin/dmesg, which seem to occur just before the 'Welcome to Fedora' message.
I can hear the device discovery going on, but nothing appears on the console.
After about 5 minutes, ALT-CTL-DEL brought the system down, with the
customary console messages (but also error messages about most file systems
not being mounted).

Here are the early avcs...

Sep  3 07:25:35 fedora kernel: audit(1094196259.050:0): avc:  denied  { create } for  pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep  3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
Sep  3 07:25:36 fedora kernel: audit(1094196259.050:0): avc:  denied  { associate } for  pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
Sep  3 07:25:36 fedora smartd[2856]: Configuration file /etc/smartd.conf parsed.
Sep  3 07:25:36 fedora kernel: audit(1094196259.050:0): avc:  denied  { read write } for  pid=1 exe=/sbin/init name=initctl dev=tmpfs ino=2095 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep  3 07:25:36 fedora smartd[2856]: Device: /dev/hda, opened
Sep  3 07:25:36 fedora kernel: audit(1094196259.050:0): avc:  denied  { getattr } for  pid=1 exe=/sbin/init path=/dev/initctl dev=tmpfs ino=2095 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep  3 07:25:36 fedora smartd[2856]: Device: /dev/hda, found in smartd database.
Sep  3 07:25:36 fedora kernel: audit(1094196259.312:0): avc:  denied  { read write } for  pid=344 exe=/bin/hostname name=console dev=tmpfs ino=864 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:36 fedora kernel: audit(1094196259.382:0): avc:  denied  { search } for  pid=346 exe=/bin/bash dev=tmpfs ino=863 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep  3 07:25:36 fedora kernel: audit(1094196259.382:0): avc:  denied  { read write } for  pid=346 exe=/bin/bash name=tty dev=tmpfs ino=1227 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:37 fedora smartd[2856]: Device: /dev/hda, is SMART capable. Adding to "monitor" list.
Sep  3 07:25:37 fedora kernel: audit(1094196260.276:0): avc:  denied  { read write } for  pid=490 exe=/bin/mount name=console dev=tmpfs ino=864 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:37 fedora smartd[2856]: Monitoring 1 ATA and 0 SCSI devices
Sep  3 07:25:37 fedora kernel: audit(1094196260.277:0): avc:  denied  { search } for  pid=490 exe=/bin/mount dev=tmpfs ino=863 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep  3 07:25:37 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Sep  3 07:25:38 fedora smartd[2858]: smartd has fork()ed into background mode. New PID=2858.
Sep  3 07:25:38 fedora kernel: audit(1094196260.368:0): avc:  denied  { read write } for  pid=514 exe=/sbin/consoletype name=console dev=tmpfs ino=864 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora smartd: smartd startup succeeded
Sep  3 07:25:38 fedora kernel: audit(1094196260.368:0): avc:  denied  { getattr } for  pid=514 exe=/sbin/consoletype path=/dev/console dev=tmpfs ino=864 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora kernel: audit(1094196260.368:0): avc:  denied  { ioctl } for  pid=514 exe=/sbin/consoletype path=/dev/console dev=tmpfs ino=864 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora kernel: audit(1094196262.158:0): avc:  denied  { read write } for  pid=724 exe=/sbin/minilogd name=console dev=tmpfs ino=864 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora kernel: audit(1094196262.158:0): avc:  denied  { use } for  pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=fd
Sep  3 07:25:38 fedora kernel: audit(1094196262.158:0): avc:  denied  { read } for  pid=724 exe=/sbin/minilogd path=/init dev=rootfs ino=17 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:root_t tclass=file
Sep  3 07:25:38 fedora kernel: audit(1094196262.159:0): avc:  denied  { search } for  pid=724 exe=/sbin/minilogd dev=tmpfs ino=863 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep  3 07:25:38 fedora kernel: audit(1094196262.159:0): avc:  denied  { write } for  pid=724 exe=/sbin/minilogd dev=tmpfs ino=863 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep  3 07:25:38 fedora kernel: audit(1094196262.159:0): avc:  denied  { add_name } for  pid=724 exe=/sbin/minilogd name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=dir
Sep  3 07:25:38 fedora kernel: audit(1094196262.159:0): avc:  denied  { create } for  pid=724 exe=/sbin/minilogd name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
Sep  3 07:25:38 fedora kernel: audit(1094196262.160:0): avc:  denied  { getattr } for  pid=727 exe=/sbin/minilogd path=/dev/log dev=tmpfs ino=2641 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
Sep  3 07:25:38 fedora kernel: audit(1094196262.217:0): avc:  denied  { read write } for  pid=730 exe=/bin/dmesg name=console dev=tmpfs ino=864 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora acpid: acpid startup succeeded
Sep  3 07:25:38 fedora kernel: audit(1094196262.285:0): avc:  denied  { read write } for  pid=735 exe=/sbin/restorecon name=console dev=tmpfs ino=864 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora kernel: audit(1094196266.948:0): avc:  denied  { create } for  pid=746 exe=/sbin/udev name=input scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=dir

tom
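An added example, not part of the post above: a small Python script that parses AVC records in the format quoted in the post and groups the denials by source type, target type and object class, so the common factor (almost every target is unlabeled_t, and those objects sit on the tmpfs-backed /dev) stands out instead of being read one record at a time. The sample records are copied from the post, joined onto one line each; the script assumes Python 3 and nothing else.

```python
import re
from collections import Counter

# Sample records copied from the post above, one record per line (the
# smartd line is included to show that non-AVC lines are skipped).
SAMPLE_AVCS = """\
Sep  3 07:25:35 fedora kernel: audit(1094196259.050:0): avc:  denied  { create } for  pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep  3 07:25:36 fedora kernel: audit(1094196259.312:0): avc:  denied  { read write } for  pid=344 exe=/bin/hostname name=console dev=tmpfs ino=864 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora smartd[2856]: Device: /dev/hda, opened
Sep  3 07:25:38 fedora kernel: audit(1094196262.217:0): avc:  denied  { read write } for  pid=730 exe=/bin/dmesg name=console dev=tmpfs ino=864 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
Sep  3 07:25:38 fedora kernel: audit(1094196266.948:0): avc:  denied  { create } for  pid=746 exe=/sbin/udev name=input scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))  # pid, exe, name, dev, ino, scontext, ...
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(text):
    """Count denials by (source type, target type, class) and by target type alone.

    Also count, per target type, how many records carry dev=tmpfs, which is what
    ties the unlabeled_t denials in the post to the /dev filesystem."""
    by_triple, by_target, on_tmpfs = Counter(), Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]  # user:role:type -> type
        ttype = rec["tcontext"].split(":")[2]
        by_triple[(stype, ttype, rec["tclass"])] += 1
        by_target[ttype] += 1
        if rec.get("dev") == "tmpfs":
            on_tmpfs[ttype] += 1
    return by_triple, by_target, on_tmpfs

if __name__ == "__main__":
    triples, targets, tmpfs = summarize(SAMPLE_AVCS)
    for (s, t, c), n in triples.most_common():
        print(f"{n:3d}  {s} -> {t} ({c})")
    for t, n in targets.most_common():
        print(f"target {t}: {n} denials, {tmpfs[t]} on tmpfs")
```

Feeding it the full record list from the post (or /var/log/messages) gives the same picture: many different source domains, one target label, which points at a labeling problem on /dev rather than at any single domain's policy.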


