On Fri, 2004-09-03 at 11:43, Tom London wrote:
> Newest Rawhide packages improve things a bit for strict/enforcing, but
> still no joy.
>
> When booting strict/enforcing, the system seems to boot to single user mode,
> but is unable to write to the console. Last messages are avc denials from
> /bin/dmesg, that seem to occur just before the 'Welcome to Fedora' message.
> I can hear the device discovery going on, but nothing on the console.
> After about 5 minutes, ALT-CTL-DEL brought the system down, with the
> customary console messages. (But, error messages about most file systems
> not being mounted).
>
> Here are the early avcs...
>
> Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied { create } for pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
> Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
> Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { associate } for pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem

No point in even trying to work from those audit messages, as the tmpfs entry
in fs_use in the rawhide policy is wrong and will break all users of anonymous
shared mappings and System V shared memory regardless of whether it ever works
for tmpfs /dev. And life is still rather unpleasant even if fs_use is reverted
to the upstream policy.

Using fscontext=system_u:object_r:device_t on the tmpfs /dev mount would help
significantly, but the claim is that it is mounted before the initial policy
load. End result is that tmpfs_t ends up doing double duty as a type on shmem
and /dev, which has a huge impact on existing policy.

Strongly advise changing initialization to umount the initial tmpfs /dev prior
to initrd exit and re-mount it _after_ the initial policy load using
fscontext=. Or load a minimal policy from the initrd in your /linuxrc prior to
original tmpfs mount.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
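The re-mount sequence Smalley recommends, written out as an added example (this is not code from the thread, from Fedora's initscripts, or from the rawhide initrd). It assumes a root shell inside the initrd after the initial policy load, that /dev is the early tmpfs mount that was created before the policy was loaded, and that `mode=0755` is an acceptable permission for /dev; the hypothetical function names and the sample avc lines (constructed from the ones quoted above) are mine. The `count_unlabeled_avc` helper is a quick check to run against the log afterwards: once /dev is mounted with `fscontext=`, denials involving `unlabeled_t` for /dev objects such as `initctl` should stop appearing.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a root shell in the
# initrd, run after the initial SELinux policy load (e.g. from /linuxrc).
set -eu

# Filesystem context to apply to the tmpfs /dev mount so that it is labelled
# device_t instead of inheriting tmpfs_t from the fs_use entry in the policy.
DEV_CONTEXT="system_u:object_r:device_t"

# Build the mount option string for the labelled /dev tmpfs. mode=0755 is an
# assumption for this example; fscontext= is the real tmpfs/SELinux option.
dev_mount_opts() {
    printf 'mode=0755,fscontext=%s' "$DEV_CONTEXT"
}

# Unmount the early tmpfs /dev (mounted before policy load, hence tmpfs_t)
# and mount a fresh one with fscontext= so the kernel labels it device_t.
# Requires root and an SELinux-enabled kernel; not exercised by the test.
remount_dev_with_fscontext() {
    umount /dev
    mount -t tmpfs -o "$(dev_mount_opts)" none /dev
    # ls -Zd prints the security context of /dev itself. With fscontext= in
    # effect it should report device_t rather than tmpfs_t.
    ls -Zd /dev
}

# Constructed sample log (derived from the avc lines quoted in the thread)
# so the check below can be run offline.
sample_avc_log() {
cat <<'EOF'
Sep 3 07:25:35 fedora kernel: audit(1094196259.050:0): avc: denied { create } for pid=1 exe=/sbin/init name=initctl scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Sep 3 07:25:36 fedora smartd[2856]: Opened configuration file /etc/smartd.conf
Sep 3 07:25:36 fedora kernel: audit(1094196259.050:0): avc: denied { associate } for pid=1 exe=/sbin/init name=initctl scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
EOF
}

# Read a syslog/dmesg stream on stdin and count avc denials in which either
# the source or the target context carries the unlabeled_t type. Both of the
# sample denials above qualify: the fifo_file create has an unlabeled target,
# and the filesystem associate has an unlabeled source (the file's own label).
count_unlabeled_avc() {
    grep -E 'avc: +denied' | grep -Ec '(scontext|tcontext)=[^ ]*:unlabeled_t' || true
}

# Stand-alone usage: "sh this.sh --remount" performs the re-mount; with no
# argument it only reports how many unlabeled_t denials are in the sample log.
if [ "${1:-}" = "--remount" ]; then
    remount_dev_with_fscontext
else
    sample_avc_log | count_unlabeled_avc
fi
```

In a real initrd the call to `remount_dev_with_fscontext` belongs after the policy has been loaded and before the initrd hands over to the real init; the log check is something to run from the booted system against `/var/log/messages` or `dmesg` output rather than the embedded sample.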