Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> Plugging in an 'old USB CD drive', I got the following audit message:
>
> [root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
>
> Summary:
>
> SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).
>
> Detailed Description:
>
> SELinux denied access requested by ln(/bin/ln). It is not expected that this
> access is required by ln(/bin/ln) and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for <Unknown>, restorecon -v <Unknown> If this
> does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:etc_t
> Target Objects                None [ lnk_file ]
> Source                        ln(/bin/ln)
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.2.5-8.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                               2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
>                               12:46:45 EST 2008 i686 i686
> Alert Count                   2
> First Seen                    Sun Jan 6 10:30:15 2008
> Last Seen                     Sun Jan 6 10:30:15 2008
> Local ID                      fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
> denied { create } for pid=6933 comm="ln" name=".is-writeable"
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
> arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
> a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
> exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
>
>
> Here are the messages from /var/log/messages:
>
> Jan 6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
> using uhci_hcd and address 4
> Jan 6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
> Jan 6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
> Storage devices
> Jan 6 10:30:06 localhost kernel: usb-storage: device found at 4
> Jan 6 10:30:06 localhost kernel: usb-storage: waiting for device to
> settle before scanning
> Jan 6 10:30:11 localhost kernel: usb-storage: device scan complete
> Jan 6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM IBM USB CD-ROM 20A4 PQ: 0 ANSI: 0 CCS
> Jan 6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
> xa/form2 cdda pop-up
> Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
> Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
> Jan 6 10:30:18 localhost setroubleshoot: #012 SELinux is
> preventing ln(/bin/ln) (udev_t) "create" to <Unknown>
> (etc_t).#012 For complete SELinux messages. run sealert -l
> fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
>
>
> Putting system in permissive mode, I get these:
>
> type=AVC msg=audit(1199645179.126:34): avc: denied { create } for
> pid=7782 comm="ln" name=".is-writeable"
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83
> success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0
> ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for
> pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301
> success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0
> ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1199645179.255:36): avc: denied { append } for
> pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0
> ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5
> success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761
> pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
>
> udev issue?
>
> tom

Yes, report it as a bug there. I have a feeling it should be something done in the post install script and not by udev. udev writing its own config files is probably a bad idea.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
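As an added example, not part of the thread, here is a small Python triage script that parses the permissive-mode AVC records quoted above (copied as constructed test input) and summarizes every access udev_t was denied on etc_t objects, so a bug report describes the whole pattern (create/unlink of the .is-writeable symlink plus append to 70-persistent-cd.rules) rather than only the first denial sealert showed. The function names and the SYSCALL-skipping behaviour are my own assumptions about how such a helper should look.

```python
import re
from collections import defaultdict

# Constructed test input: the three permissive-mode AVC records quoted in the
# thread, plus one SYSCALL record that the parser is expected to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1199645179.126:34): avc: denied { create } for pid=7782 comm="ln" name=".is-writeable" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83 success=yes exit=0 comm="ln" exe="/bin/ln"
type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1199645179.255:36): avc: denied { append } for pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0 ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# "avc: denied { perm ... } for key=value ..."; a host= prefix before type= is tolerated.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:mls]; the third field is the domain or type.
    fields['sdomain'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def summarize_denials(text):
    """Group denials by (source domain, target type, object class) -> sorted
    permission list, the same shape audit2allow summarizes, so a bug report
    states the full access the daemon wanted, not only the first denial."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['sdomain'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}

def etc_writes_by_domain(text, domain='udev_t'):
    """List (comm, name, perms) for each denial in which `domain` tried to modify
    etc_t content; a daemon rewriting files under /etc deserves a closer look."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['sdomain'] == domain and rec['ttype'] == 'etc_t':
            hits.append((rec['comm'], rec['name'], tuple(rec['perms'])))
    return hits
```

Run `summarize_denials(open('/var/log/audit/audit.log').read())` against a real log to get the same grouping for a live system; `ausearch -m avc` output parses the same way.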