----- Original Message ----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Antonio Olivares <olivares14031@xxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Sent: Monday, June 4, 2007 3:52:18 PM
Subject: Re: mknod denials, avcs from dmesg please help

Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> To: Antonio Olivares <olivares14031@xxxxxxxxx>
> Cc: fedora-selinux-list@xxxxxxxxxx
> Sent: Monday, June 4, 2007 1:55:57 PM
> Subject: Re: mknod denials, avcs from dmesg please help
>
> Ok the avc
>
> audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
>
> What node is insmod trying to create in /dev? Do you have any idea what is going on here?
>
> This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7
>
> Also
>
>
> Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use smartlink modem and thus I have added to /etc/modprobe.conf
>
> alias char-major-243 slusb
> alias char-major-242 slamr
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>
> so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading slamr module fails.
>
> This is the only one now causing trouble
>
> audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> How should I tackle this one, without disabling selinux, or setting it to permissive?
>
> Thanks,
>
> Antonio
>

# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
# semodule -i myinsmod.pp

will customize your policy to allow mknod to work.

Thanks for the help, but

[root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@localhost ~]# semodule -i myinsmod.pp
semodule: Could not read file 'myinsmod.pp':
[root@localhost ~]#

Which packages should I have to install in order for this to work?

Regards,

Antonio