selinux-policy-targeted-1.23.12-4: /proc {search} failures ?

Running targeted/enforcing, latest rawhide.

Rebooting after today's updates (including .1261 and
selinux-policy-targeted-1.23.12-4), graphical logins fail.

Looks like search access to /proc/PROCESS-ID directories is failing.
(The log also shows an early hotplug attempt at writing to sysfs_t.)

I worked around this by doing an 'ALT-CTL-F2', logging in on the
text console, and doing a 'setenforce 0'. Reverting to graphical via
'ALT-CTL-F7' now allows login.

/var/log messages show a very large number of avcs, including many
that look like:
Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: 
denied  { write } for  name=vcs7 dev=sysfs ino=6997
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: 
denied  { write } for  name=vcsa7 dev=sysfs ino=7003
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated
/etc/resolv.conf

and
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=2 dev=proc ino=131074
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=3 dev=proc ino=196610
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: 
denied  { search } for  name=4 dev=proc ino=262146
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
<<<<SNIP  many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2103 dev=proc ino=137822210
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2111 dev=proc ino=138346498
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2303 dev=proc ino=150929410
scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2476 dev=proc ino=162267138
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2530 dev=proc ino=165806082
scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2548 dev=proc ino=166985730
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: 
denied  { search } for  name=2575 dev=proc ino=168755202
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
<<<<SNIP many, many.... >>>>

etc. etc.

Is this a policy change, or did something else change? Or, did I just
botch it again?

thanks,
   tom

-- 
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
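The denials quoted above are easier to reason about once they are grouped by source type, target type, object class and permission, which is what audit2allow does before printing rules. The script below is an added example, not part of Tom's post or of the selinux-policy package: it parses syslog-style AVC records and aggregates them that way. The sample input is constructed from the AVC lines in the post, re-joined onto single lines as syslog actually writes them (the archive wrapped them); the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the post, each re-joined onto
# one line. The dhclient line is kept to show that non-AVC records are skipped.
SAMPLE_LOG = """\
Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:  denied  { write } for  name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:  denied  { write } for  name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:  denied  { search } for  name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:  denied  { search } for  name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2530 dev=proc ino=165806082 scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:  denied  { search } for  name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
"""

# "avc:  denied  { search } for  name=2 dev=proc ..." -> verdict, perms, key=value tail
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC audit record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["verdict"] = m.group("verdict")
    # Permissions are kept as a sorted tuple so they can serve as a dict key.
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type, the field policy rules are written in terms of."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class, perms).

    Returns {key: {"count": n, "names": [distinct object names seen]}}.
    """
    groups = defaultdict(lambda: {"count": 0, "names": []})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        g = groups[key]
        g["count"] += 1
        if "name" in rec and rec["name"] not in g["names"]:
            g["names"].append(rec["name"])
    return dict(groups)


def as_rule(key):
    """Render one group in the TE-rule shape audit2allow prints, for reading the denial."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


def report(log_text):
    """One line per group, most frequent first, with a few example object names."""
    rows = sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["count"])
    return [f"{g['count']:4d}  {as_rule(key)}   # e.g. name={','.join(g['names'][:4])}"
            for key, g in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample, the eight denials collapse into six groups: one hotplug_t write into sysfs_t, and five where the same source domain, init_t, is refused search on /proc/PID directories labelled with the domain of the process that owns each entry (kernel_t, initrc_t, dhcpc_t, portmap_t, rpcd_t). That shape, one subject and a spread of target domains differing only by which process it is looking at, is what distinguishes a rule missing from the policy from a single mislabelled file, and it is the grouping to report rather than the raw count of records. The rule strings are printed to make each group readable; whether a group should be allowed, dontaudited, or fixed elsewhere is a separate decision.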
