Tom London wrote:
During update of today's rawhide, I get this in /var/log/messages (and a nice icon in the tray):

Sep 1 08:18:44 localhost Updated: kexec-tools.i386 1.101-51.fc6
Sep 1 08:19:14 localhost /usr/sbin/setroubleshootd: SELinux is preventing /usr/sbin/lvm (lvm_t) "getattr" to /dev/nvram (unlabeled_t). See audit.log for complete SELinux messages. id = 1fbf1f44-8ff6-4eb2-96dd-cdfe9ea35829
Sep 1 08:19:22 localhost Installed: kernel.i686 2.6.17-1.2608.fc6

Here's the associated AVC:

type=AVC msg=audit(1157123951.753:51): avc: denied { getattr } for pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157123951.753:51): arch=40000003 syscall=195 success=no exit=-13 a0=8611ef8 a1=bfc3281c a2=c4fff4 a3=8611ef8 items=0 ppid=7464 pid=7465 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="lvs" exe="/usr/sbin/lvm" subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1157123951.753:51): path="/dev/nvram"

On reboot, /dev/nvram seems to be labeled properly.

[tbl@localhost ~]$ ls -lZ /dev/nvram
crw-rw---- root root system_u:object_r:nvram_device_t /dev/nvram
[tbl@localhost ~]$

Anyway, setroubleshoot is neat.....
tom

We changed the context of /dev/nvram from bios_device_t to nvram_device_t, which caused it to become unlabeled_t when bios_device_t disappeared. One of the costs of running rawhide.

Anyways we have some nice updates to the tool coming tonight. The GUI now has printing, and the popup message seems to work properly. I am really excited about this tool.
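A way to pick denials like the one in this thread out of audit.log, added here as an example and not part of either message: it joins AVC and AVC_PATH records by audit serial number and reports only denials whose target type is unlabeled_t, the symptom of a file still carrying a type the loaded policy no longer defines. The function name and the second AVC record (event 52, with the made-up type example_t) are constructed for illustration.

```python
import re
from collections import defaultdict

# First two records are from the message above; event 52 is a constructed
# denial against a properly labeled target, to show that it is not flagged.
SAMPLE = '''\
type=AVC msg=audit(1157123951.753:51): avc: denied { getattr } for pid=7465 comm="lvs" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:lvm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1157123951.753:51): path="/dev/nvram"
type=AVC msg=audit(1157123960.100:52): avc: denied { read } for pid=7470 comm="example" name="nvram" dev=tmpfs ino=3418 scontext=user_u:system_r:example_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file
'''

HEAD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def unlabeled_denials(text):
    """Return AVC denials whose target type is unlabeled_t, with path if logged."""
    events = defaultdict(dict)            # audit serial -> merged fields
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue                      # not an audit record
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC" and "denied" in rest:
            perms = PERMS.search(rest)
            events[serial].update(fields)
            events[serial]["perms"] = perms.group(1).split() if perms else []
        elif rtype == "AVC_PATH":
            events[serial]["path"] = fields.get("path")
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        tctx = ev.get("tcontext", "").split(":")   # user:role:type[:level]
        if len(tctx) >= 3 and tctx[2] == "unlabeled_t":
            hits.append({"event": int(serial), "comm": ev.get("comm"),
                         "source_type": ev["scontext"].split(":")[2],
                         "perms": ev["perms"], "tclass": ev["tclass"],
                         # AVC_PATH gives the full path; fall back to name=
                         "path": ev.get("path") or ev.get("name")})
    return hits

if __name__ == "__main__":
    for hit in unlabeled_denials(SAMPLE):
        print(hit)
```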