----- Original Message ----
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: Antonio Olivares <olivares14031@xxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Sent: Thursday, June 14, 2007 9:02:35 AM
Subject: Re: mknod problem still present denied avc's

Antonio Olivares wrote:
> dmesg returns
>
> audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> After I did this again
>
> [olivares@localhost ~]$ su -
> Password:
> [root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root@localhost ~]# semodule -i myinsmod.pp
> [root@localhost ~]#
>
> Selinux troubleshooter returned this:
>
> avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
>

Yes, you allowed add_name to the directory; now it is complaining about the write. It is best to put the machine in permissive mode, run the app to completion, then generate the policy and retest in enforcing mode.

setenforce 0
run test
grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
semodule -i myinsmod.pp
setenforce 1
run test

> Policy RPM: selinux-policy-2.6.4-8.fc7
>
> Affected RPM Packages: coreutils-6.9-2.fc7 [application]
> Policy RPM: selinux-policy-2.6.4-12.fc7
>
>
> How can I effectively fix this?
>
> This is my /etc/modprobe.conf
>
> [root@localhost Download]# cat /etc/modprobe.conf
> alias eth0 8139too
> alias scsi_hostadapter sata_via
> alias scsi_hostadapter1 pata_via
> alias snd-card-0 snd-via82xx
> options snd-card-0 index=0
> options snd-via82xx index=0
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
> [root@localhost Download]#
>
> Thanks,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Did as you instructed. Set SELinux to permissive mode, recreated /dev/slamr0 using mknod, and upon rebooting with SELinux enabled it works!!

[root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myinsmod.pp

[root@localhost ~]# semodule -i myinsmod.pp
[root@localhost ~]# setenforce 1

but the message still appears:

audit(1181873499.608:3): avc: denied { create } for pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I have checked with the troubleshooter and it recommends that I do restorecon -v /dev/slamr0

[root@localhost ~]# restorecon -v /dev/slamr0
[root@localhost ~]# ls /dev/slamr0 -l
crw-rw---- 1 root root 242, 0 2007-06-14 21:11 /dev/slamr0
[root@localhost ~]#

Here is the summary from the setroubleshoot browser.

Summary

SELinux is preventing sh (insmod_t) "getattr" access to device /dev/slamr0.
Detailed Description

SELinux has denied the sh (insmod_t) "getattr" access to device /dev/slamr0. /dev/slamr0 is mislabeled; this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v /dev/slamr0. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy package.

If you look at the other similar devices' labels, ls -lZ /dev/SIMILAR, and find a type that would work for /dev/slamr0, you can use chcon -t SIMILAR_TYPE /dev/slamr0. If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/slamr0

If the restorecon changes the context, this indicates that the application that created the device created it without using SELinux APIs. If you can figure out which application created the device, please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.
Allowing Access

Attempt restorecon -v /dev/slamr0 or chcon -t SIMILAR_TYPE /dev/slamr0

Additional Information

Source Context          system_u:system_r:insmod_t
Target Context          system_u:object_r:device_t
Target Objects          /dev/slamr0 [ chr_file ]
Affected RPM Packages
Policy RPM              selinux-policy-2.6.4-12.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.device
Host Name               localhost.localdomain
Platform                Linux localhost.localdomain 2.6.21-1.3226.fc7 #1 SMP Sat Jun 9 22:23:35 EDT 2007 i686 athlon
Alert Count             1
First Seen              Thu 14 Jun 2007 06:26:18 PM CDT
Last Seen               Thu 14 Jun 2007 06:26:18 PM CDT
Local ID                04c18a63-7a70-462e-8937-018923ab95bf
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Thanks for helping,

Antonio
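The thread shows two things worth seeing side by side: Dan's point that in enforcing mode each run stops at the first denial (add_name, then write, then create, then getattr), which is why permissive mode is needed to collect the whole set in one pass, and setroubleshoot's point that a chr_file still labeled device_t is a labeling bug, so the create/getattr denials should be fixed by relabeling rather than by an allow rule. The script below is an added example, not code from this thread or from audit2allow; it parses the four AVC lines quoted above (copied here as sample input), merges them per (source type, target type, class) the way audit2allow would, and flags the device_t-labeled device node. The merge approximates audit2allow's output and does not consult the loaded policy.

```python
import re
from collections import defaultdict

# The four AVC denials quoted in this thread, one per enforcing-mode run
# (sample input copied from the messages above, not read from audit.log).
AVC_LINES = [
    'audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" '
    'name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir',
    'avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 '
    'scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 '
    'suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0',
    'audit(1181873499.608:3): avc: denied { create } for pid=751 comm="mknod" '
    'name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash" '
    'exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265 '
    'scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 '
    'suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_avc(line):
    """Return (perms, source_type, target_type, tclass) for one AVC denial, or None.

    Field order in AVC messages is not fixed (note tclass before tcontext in the
    second sample line), so key=value pairs are pulled out individually.
    """
    m = PERMS_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type[:mls-range]; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return perms, stype, ttype, fields["tclass"]


def allow_rules(lines):
    """Merge denials into allow rules, one per (source, target, class), with the
    permissions unioned. This is the shape audit2allow emits for myinsmod.te."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, stype, ttype, tclass = parsed
        merged[(stype, ttype, tclass)] |= perms
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


def mislabeled_devices(lines):
    """setroubleshoot's check: a chr_file or blk_file still labeled device_t carries
    the generic /dev label, so the right fix is restorecon/chcon, not an allow rule.
    Returns the path (or name, when no path is logged) of each such target."""
    hits = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        _, _, ttype, tclass = parsed
        if ttype == "device_t" and tclass in ("chr_file", "blk_file"):
            fields = dict(FIELD_RE.findall(line))
            hits.append((fields.get("path") or fields.get("name", "")).strip('"'))
    return hits


if __name__ == "__main__":
    print("# what audit2allow would merge from these four runs:")
    for rule in allow_rules(AVC_LINES):
        print(rule)
    print("# device_t-labeled device nodes (relabel these instead of allowing):")
    for path in mislabeled_devices(AVC_LINES):
        print(path)
```

Running it prints two rules, one for the dir denials (add_name, write) and one for the chr_file denials (create, getattr), and lists slamr0 and /dev/slamr0 as device_t-labeled nodes. The second rule is the one Dan's workflow would have loaded into myinsmod.pp, and the one setroubleshoot's description says not to need: once the node carries a proper device type, via restorecon or chcon plus semanage fcontext, the create and getattr denials against device_t should not recur.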