On Saturday 04 December 2004 03:34, Tom London <selinux@xxxxxxxxx> wrote:
> Running strict/enforcing, latest rawhide
> (selinux-policy-strict-1.19.10-1)
>
> Booting produces the following avc:

It seems that you never got a reply to this one.

> Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied
> { create } for pid=1348 exe=/sbin/nash name=md0
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=blk_file
> Dec 3 08:23:45 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10)
> initialised: dm@xxxxxxxxxxxxxx

This is something that still needs a good solution. We don't want initrc_t
to be able to do such things in the strict policy, so udev seems to be the
best way of doing it. Maybe getting it added to /sbin/start_udev would be
the best solution? start_udev already creates a bunch of other device nodes
that are too inconvenient to do in other ways.

Of course due to the usual shell script issues udev_t isn't safe from
initrc_t. But it's a start at isolating it, we can improve later.

> Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied
> { create } for pid=1354 exe=/sbin/nash name=mapper
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=dir

That one should have been fixed quite some time ago, before your message
was posted. Either you hadn't updated to all the latest packages or there
is a corner case we missed. In either case let me know if it still happens
with the latest rawhide.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
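The point of the reply above is that the two AVC denials are not something to silence with an allow rule: initrc_t creating nodes under device_t is exactly the access the strict policy is meant to withhold, and the fix is to move the work to udev. The following script is an added example, not code from the thread or from the SELinux policy packages it discusses. It parses kernel AVC lines in the 2004-era format quoted above (constructed sample input, copied from the two messages in the thread), reconstructs the audit2allow-style rule each denial would need, and separately flags the denials that a policy maintainer should treat as a design problem rather than a missing rule: a source domain (initrc_t by default) creating device nodes or directories of type device_t. The field names and the domain/type split are taken from the quoted messages; the flagging rule is this example's own heuristic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three kernel lines quoted in the thread,
# exactly as they appear there (one unrelated device-mapper line included
# so the parser has something to skip).
SAMPLE_LOG = """\
Dec 3 08:23:45 fedora kernel: audit(1102090997.316:0): avc: denied { create } for pid=1348 exe=/sbin/nash name=md0 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=blk_file
Dec 3 08:23:45 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised: dm@xxxxxxxxxxxxxx
Dec 3 08:23:45 fedora kernel: audit(1102090997.383:0): avc: denied { create } for pid=1354 exe=/sbin/nash name=mapper scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=dir
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Avc:
    result: str                 # "denied" or "granted"
    perms: tuple[str, ...]      # permissions inside the braces
    fields: dict[str, str]      # pid, exe, name, scontext, tcontext, tclass, ...

    @property
    def sdomain(self) -> str:
        # type component of user:role:type, e.g. initrc_t
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:
        # type component of the target context, e.g. device_t
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one kernel log line; return None if it carries no AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields = dict(KV_RE.findall(m.group("rest")))
    return Avc(m.group("result"), perms, fields)


def parse_log(text: str) -> list[Avc]:
    return [a for a in (parse_avc(l) for l in text.splitlines()) if a is not None]


def allow_rule(avc: Avc) -> str:
    """The policy rule that would silence this denial (what audit2allow would
    emit). For the initrc_t cases in the thread this is the wrong answer, but
    seeing the rule spelled out makes clear what one would be granting."""
    return f"allow {avc.sdomain} {avc.ttype}:{avc.tclass} {{ {' '.join(avc.perms)} }};"


# Object classes under /dev whose creation the thread wants kept out of initrc_t.
DEVICE_NODE_CLASSES = {"blk_file", "chr_file", "dir"}


def flag_devnode_creation(avcs: list[Avc], source_domain: str = "initrc_t") -> list[Avc]:
    """Return denials where `source_domain` tried to create a device node or a
    directory of type device_t. These are candidates for moving the work into
    udev (start_udev), not for an allow rule. Heuristic is this example's own."""
    return [
        a for a in avcs
        if a.result == "denied"
        and a.sdomain == source_domain
        and a.ttype == "device_t"
        and "create" in a.perms
        and a.tclass in DEVICE_NODE_CLASSES
    ]


if __name__ == "__main__":
    avcs = parse_log(SAMPLE_LOG)
    for a in avcs:
        print(f"{a.fields['exe']} -> {a.fields['name']}: {allow_rule(a)}")
    for a in flag_devnode_creation(avcs):
        print(f"design issue, not a missing rule: {a.sdomain} creates {a.tclass} {a.fields['name']}")
```

Run it on a real /var/log/messages extract and the flagged list is the set of denials to hand to whoever owns the udev side; everything else can go through the usual audit2allow review.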