On Wed, 21 Jul 2004 02:35, Tom London <selinux@xxxxxxxxxxx> wrote:
> Yikes.... sorry, but this doesn't look right....
> now produces hordes of 'restorecon' avcs....
>
> Jul 20 09:23:46 fedora kernel: audit(1090340592.421:0): avc: denied {
> read write } for pid=991 exe=/sbin/restorecon path=/dev/.udev.tdb
> dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:udev_tbl_t tclass=file

udev calls restorecon to set the correct type of a device node it has just created. restorecon has no business opening /dev/.udev.tdb and I really doubt that it is doing so. I expect that udev is opening /dev/.udev.tdb, not using fcntl(fd, F_SETFD, FD_CLOEXEC) to set the fd to close on execute, and not calling close(fd) before the exec.

Please file a bugzilla report about this.

To assist in tracking it down, rename /sbin/restorecon to /sbin/restorecon.orig and put the following shell script in place as /sbin/restorecon:

#!/bin/sh
# Log the arguments restorecon was called with, one per line prefix "params:"
echo -n params: >> /root/file
for n in "$@"; do echo -n "$n "; done >> /root/file
echo "" >> /root/file
# Log every file descriptor inherited from the caller (udev) across the exec
ls -l /proc/self/fd >> /root/file
# Hand over to the real restorecon with the original arguments intact
exec /sbin/restorecon.orig "$@"

Run the machine in permissive mode while doing this and don't bother about the AVC messages about not being permitted to write to /root/file.

> Jul 20 09:23:47 fedora kernel: audit(1090340600.740:0): avc: denied {
> unlink } for pid=1297 exe=/sbin/udev name=microcode dev=hda2
> ino=2689375 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:device_t tclass=lnk_file

allow udev_t device_t:lnk_file create_file_perms;

Add the above policy to allow this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
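The descriptor leak the reply suspects (a file opened by udev, never marked close-on-exec, still open inside restorecon after the exec) is easy to reproduce and to check for. The following C program is an added illustration; it is not code from this mail, from udev or from restorecon. It uses a pipe as a stand-in for the /dev/.udev.tdb descriptor, reads the FD_CLOEXEC flag with fcntl(F_GETFD), sets it the way the reply recommends, and then empirically confirms whether a child shell can still reach the descriptor after exec. The function names are my own.

```c
/* Added example: does a descriptor survive exec(), and how to stop it.
 * Not code from the mail or from udev; the pipe stands in for the
 * /dev/.udev.tdb file udev would have open when it runs restorecon. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec without clobbering other descriptor flags.
 * This is the fcntl(fd, F_SETFD, FD_CLOEXEC) fix from the reply.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Empirical check: fork, exec /bin/sh and ask it to dup the descriptor
 * onto stdout.  ':' does nothing, but a failed redirection makes a
 * non-interactive sh exit non-zero, so exit status 0 means the fd
 * leaked across exec.  Returns 1 if it survived, 0 if closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Self-check: a fresh pipe's write end is not close-on-exec, and
 * set_cloexec() flips exactly that descriptor.  Returns 1 if so, else 0. */
int cloexec_roundtrip(void)
{
    int p[2];
    if (pipe(p) == -1)
        return 0;
    int before = fd_is_cloexec(p[1]);
    int ok = set_cloexec(p[1]) == 0
          && before == 0
          && fd_is_cloexec(p[1]) == 1
          && fd_is_cloexec(p[0]) == 0;   /* read end untouched */
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    int p[2];
    if (pipe(p) == -1) {
        perror("pipe");
        return 1;
    }
    printf("before fix: cloexec=%d survives exec=%d\n",
           fd_is_cloexec(p[1]), fd_survives_exec(p[1]));
    set_cloexec(p[1]);
    printf("after fix:  cloexec=%d survives exec=%d\n",
           fd_is_cloexec(p[1]), fd_survives_exec(p[1]));
    return 0;
}
```

The first line of output shows the leak (cloexec=0, survives exec=1), the second shows it closed (cloexec=1, survives exec=0), which is the same thing the `ls -l /proc/self/fd` in the wrapper script above would reveal from restorecon's side. On a modern Linux the cleaner fix is to pass O_CLOEXEC to open() so the flag is set atomically at creation rather than in a separate fcntl() call.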