Re: initrc, md0, mapper

On Tue, 28 Dec 2004 01:00:15 +1100, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> On Saturday 04 December 2004 03:34, Tom London <selinux@xxxxxxxxx> wrote:
> > Booting produces following avc:
> 
> It seems that you never got a reply to this one.
> 
> > Dec  3 08:23:45 fedora kernel: audit(1102090997.316:0): avc:  denied
> > { create } for  pid=1348 exe=/sbin/nash name=md0
> > scontext=system_u:system_r:initrc_t
> > tcontext=system_u:object_r:device_t tclass=blk_file Dec  3 08:23:45
> > fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised:
> > dm@xxxxxxxxxxxxxx
> 
> This is something that still needs a good solution.  We don't want initrc_t to
> be able to do such things in the strict policy, so udev seems to be the best
> way of doing it.  Maybe getting it added to /sbin/start_udev would be the
> best solution?  start_udev already creates a bunch of other device nodes that
> are too inconvenient to do in other ways.
> 
> Of course due to the usual shell script issues udev_t isn't safe from
> initrc_t.  But it's a start at isolating it, we can improve later.
> 
> > Dec  3 08:23:45 fedora kernel: audit(1102090997.383:0): avc:  denied
> > { create } for  pid=1354 exe=/sbin/nash name=mapper
> > scontext=system_u:system_r:initrc_t
> > tcontext=system_u:object_r:device_t tclass=dir
> 
> That one should have been fixed quite some time ago, before your message was
> posted.  Either you hadn't updated to all the latest packages or there is a
> corner case we missed.  In either case let me know if it still happens with
> the latest rawhide.
> 
> --
Russell, 

This one also has been fixed.  Don't remember exactly when....

tom
-- 
Tom London
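
Added example, not part of the thread: a small parser for the two AVC denials quoted above, which reduces each record to the source type, target type, object class, permission and object name that a policy decision would turn on. The sample text is the quoted log rejoined from the wrapped e-mail lines; the function names are hypothetical, and the parser assumes `tclass` is the last AVC field, as it is in these records, so the device-mapper message run onto the first line is ignored.

```python
import re

# The two denials quoted in the thread, rejoined from the wrapped e-mail text.
# The first record has an unrelated device-mapper kernel message run onto it.
SAMPLE = (
    "Dec  3 08:23:45 fedora kernel: audit(1102090997.316:0): avc:  denied "
    "{ create } for  pid=1348 exe=/sbin/nash name=md0 "
    "scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:device_t tclass=blk_file Dec  3 08:23:45 "
    "fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised: "
    "dm@xxxxxxxxxxxxxx\n"
    "Dec  3 08:23:45 fedora kernel: audit(1102090997.383:0): avc:  denied "
    "{ create } for  pid=1354 exe=/sbin/nash name=mapper "
    "scontext=system_u:system_r:initrc_t "
    "tcontext=system_u:object_r:device_t tclass=dir\n"
)

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(text):
    """Return one dict per AVC record in text (hypothetical helper)."""
    records = []
    for m in AVC_RE.finditer(text):
        fields = {"result": m.group("result"), "perms": m.group("perms").split()}
        for key, value in KV_RE.findall(m.group("rest")):
            fields[key] = value
            if key == "tclass":  # assumed last field; stop before run-on text
                break
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # incomplete record, skip rather than guess
        # The SELinux type is the third part of user:role:type.
        fields["source_type"] = fields["scontext"].split(":")[2]
        fields["target_type"] = fields["tcontext"].split(":")[2]
        records.append(fields)
    return records

def summarize(records):
    """Map (source type, target type, class) -> {permission: [object names]}."""
    summary = {}
    for r in records:
        key = (r["source_type"], r["target_type"], r["tclass"])
        for perm in r["perms"]:
            summary.setdefault(key, {}).setdefault(perm, []).append(r.get("name", "?"))
    return summary

if __name__ == "__main__":
    for key, perms in summarize(parse_avc(SAMPLE)).items():
        print(key, perms)
```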