Dear Selinux experts,

I have successfully loaded Fedora 7 on a machine that refused to boot it with a kernel panic. I am on track with it but selinux is getting in my way. I have done

[root@localhost ~]# restorecon -v /
[root@localhost ~]# touch /.autorelabel; reboot

three times and still these avcs refuse to go away.

Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them. This can indicate
    a labeling problem, especially if the files being referred to are not top
    level directories. Any files/directories under standard system
    directories, /usr, /var, /dev, /tmp, ..., should not be labeled with the
    default label. The default label is for files/directories which do not
    have a label on a parent directory. So if you create a new directory in /
    you might legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need
    to relabel the file/directory with chcon. In some cases it is just easier
    to relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information

Source Context                system_u:system_r:consolekit_t
Target Context                system_u:object_r:default_t
Target Objects                root [ dir ]
Affected RPM Packages         ConsoleKit-x11-0.2.1-2.fc7 [application]
                              filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 03 Jun 2007 11:10:16 PM CDT
Last Seen                     Sun 03 Jun 2007 11:10:16 PM CDT
Local ID                      2ea0300c-de6c-4cb1-a4a7-edbca6d8fcf1
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0 exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0 subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /bin/mknod (insmod_t) "write" to / (device_t).

Detailed Description
    SELinux denied access requested by /bin/mknod. It is not expected that
    this access is required by /bin/mknod and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /, restorecon -v / If this
    does not work, there is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access -
    see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
    disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a bug report at
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:insmod_t
Target Context                system_u:object_r:device_t
Target Objects                / [ dir ]
Affected RPM Packages         coreutils-6.9-2.fc7 [application]
                              filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 03 Jun 2007 11:52:01 PM CDT
Last Seen                     Sun 03 Jun 2007 11:52:01 PM CDT
Local ID                      2f4ccd0d-5eab-4194-9ce2-9b424aed8163
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2893 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Here they are again from dmesg.
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

and

SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc: denied { getattr } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:8): avc: denied { read } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:9): avc: denied { search } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:10): avc: denied { getattr } for pid=996 comm="setfiles" name="smp_affinity" dev=proc ino=-268435372 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file
audit(1180944712.754:11): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
audit(1180944712.754:12): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
audit(1180944712.754:13): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
audit(1180944712.754:14): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
audit(1180944712.754:15): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:16): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
audit(1180944712.754:17): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:18): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
audit(1180944712.754:19): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir
audit(1180944712.754:20): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
audit(1180944712.754:21): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file
audit(1180944712.754:22): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file
audit(1180944712.754:23): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir
audit(1180944712.754:24): avc: denied { getattr } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:25): avc: denied { read } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:26): avc: denied { search } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:27): avc: denied { getattr } for pid=996 comm="setfiles" name="packet" dev=proc ino=-268435293 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1180944712.754:28): avc: denied { getattr } for pid=996 comm="setfiles" name="kcore" dev=proc ino=-268435434 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1180944712.754:29): avc: denied { getattr } for pid=996 comm="setfiles" name="kmsg" dev=proc ino=-268435447 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1180944712.754:30): avc: denied { getattr } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:31): avc: denied { read } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:32): avc: denied { search } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:33): avc: denied { getattr } for pid=996 comm="setfiles" name="10" dev=proc ino=7925 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
audit(1180944712.754:34): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7905 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
audit(1180944712.754:35): avc: denied { getattr } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:36): avc: denied { read } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:37): avc: denied { search } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:38): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7962 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
audit(1180944712.754:39): avc: denied { getattr } for pid=996 comm="setfiles" name="cwd" dev=proc ino=7970 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file
audit(1180944716.754:40): avc: denied { getattr } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:41): avc: denied { read } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:42): avc: denied { search } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:43): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9478 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
audit(1180944716.754:44): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9458 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
audit(1180944716.754:45): avc: denied { getattr } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:46): avc: denied { read } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:47): avc: denied { search } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:48): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9597 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file
audit(1180944716.754:49): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9577 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
audit(1180944820.238:50): avc: denied { create } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:51): avc: denied { write } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:52): avc: denied { nlmsg_relay } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:53): avc: denied { audit_write } for pid=995 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1180944820.238:54): avc: denied { read } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295

Suggestions/advice as to how to fix
this are greatly appreciated.

[olivares@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 7 (Moonshine)
[olivares@localhost ~]$

Regards,

Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
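Added example (not part of the post or of any Fedora tool): the dmesg excerpt above shows an enforcing=0 switch before the setfiles denials and an enforcing=1 switch after them, and the AVC format of that kernel does not mark which denials were merely logged rather than blocked. The script below parses AVC records of that form and, by following the enforcing=/old_enforcing= switches in order, separates denials that occurred in enforcing mode from those logged during the permissive relabel; the sample input is a constructed subset of records copied from the post.

```python
import re
from collections import Counter

# Constructed sample: six records copied from the dmesg excerpt in the post, in order.
SAMPLE_DMESG = """\
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc: denied { getattr } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944820.238:53): avc: denied { audit_write } for pid=995 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODE_RE = re.compile(r'enforcing=(\d)\s+old_enforcing=(\d)')

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # Third field of a context is the type (user:role:TYPE[:range]).
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def triage(log_text, initial_enforcing=1):
    """Count (source domain, target type, class, permission) tuples under the
    mode active when each was logged: {1: enforcing, 0: permissive}."""
    enforcing = initial_enforcing
    counts = {1: Counter(), 0: Counter()}
    for line in log_text.splitlines():
        mode = MODE_RE.search(line)
        if mode:
            enforcing = int(mode.group(1))
            continue
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[enforcing][(rec['sdomain'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for mode, c in triage(SAMPLE_DMESG).items():
        print('enforcing' if mode else 'permissive', dict(c))
```

On the sample this leaves a single enforcing-mode denial (insmod_t writing to the device_t directory) and puts the setfiles denials under permissive, which is where a relabel run would log them.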