On Jan 7, 2008 8:56 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Tom London wrote:
> > Running latest Rawhide, targeted/enforcing.
> >
> > Plugging in an 'old USB CD drive', I got the following audit message:
> >
> > [root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> >
> > Summary:
> >
> > SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by ln(/bin/ln). It is not expected that this
> > access is required by ln(/bin/ln) and this access may signal an intrusion
> > attempt. It is also possible that the specific version or configuration of the
> > application is causing it to require additional access.
> >
> > Allowing Access:
> >
> > Sometimes labeling problems can cause SELinux denials. You could try to restore
> > the default system file context for <Unknown>, restorecon -v <Unknown> If this
> > does not work, there is currently no automatic way to allow this access.
> > Instead, you can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> > SELinux protection altogether. Disabling SELinux protection is not recommended.
> > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context        system_u:system_r:udev_t:SystemLow-SystemHigh
> > Target Context        system_u:object_r:etc_t
> > Target Objects        None [ lnk_file ]
> > Source                ln(/bin/ln)
> > Port                  <Unknown>
> > Host                  localhost.localdomain
> > Source RPM Packages
> > Target RPM Packages
> > Policy RPM            selinux-policy-3.2.5-8.fc9
> > Selinux Enabled       True
> > Policy Type           targeted
> > MLS Enabled           True
> > Enforcing Mode        Enforcing
> > Plugin Name           catchall_file
> > Host Name             localhost.localdomain
> > Platform              Linux localhost.localdomain
> >                       2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
> >                       12:46:45 EST 2008 i686 i686
> > Alert Count           2
> > First Seen            Sun Jan 6 10:30:15 2008
> > Last Seen             Sun Jan 6 10:30:15 2008
> > Local ID              fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
> > denied { create } for pid=6933 comm="ln" name=".is-writeable"
> > scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> >
> > host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
> > arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
> > a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
> > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
> > exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> >
> >
> > Here are the messages from /var/log/messages:
> >
> > Jan 6 10:30:05 localhost kernel: usb 2-2: new full speed USB device using uhci_hcd and address 4
> > Jan 6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
> > Jan 6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass Storage devices
> > Jan 6 10:30:06 localhost kernel: usb-storage: device found at 4
> > Jan 6 10:30:06 localhost kernel: usb-storage: waiting for device to settle before scanning
> > Jan 6 10:30:11 localhost kernel: usb-storage: device scan complete
> > Jan 6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM IBM USB CD-ROM 20A4 PQ: 0 ANSI: 0 CCS
> > Jan 6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw xa/form2 cdda pop-up
> > Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
> > Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
> > Jan 6 10:30:18 localhost setroubleshoot: #012 SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).#012 For complete SELinux messages. run sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> >
> >
> > Putting system in permissive mode, I get these:
> >
> > type=AVC msg=audit(1199645179.126:34): avc: denied { create } for
> > pid=7782 comm="ln" name=".is-writeable"
> > scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> > type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83
> > success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0
> > ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln"
> > subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for
> > pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
> > scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> > type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301
> > success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0
> > ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm"
> > subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1199645179.255:36): avc: denied { append } for
> > pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0
> > ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=file
> > type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5
> > success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761
> > pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash"
> > subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> >
> > udev issue?
> >
> > tom
>
> Yes, report it as a bug there. I have a feeling it should be something
> done in the post install script and not by udev. udev writing its own
> config files is probably a bad idea.

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=427808

--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
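Added example, not part of the thread and not code from udev, setroubleshoot or audit2allow: the three permissive-mode AVC records Tom posted, run through a small Python parser that derives the `allow` rules a local policy module for this denial would have to contain (the same rule form `audit2allow` prints) and then flags the part Dan objects to. The records in `AVC_LINES` are copied from the mail with the line wrapping removed; the SYSCALL line is included only to show that non-AVC records are skipped. Everything else (`WRITE_PERMS`, the `config_writes` check) is this example's own assumption about what counts as a write to configuration, not policy from any project.

```python
"""Derive policy rules from raw SELinux AVC records and flag writes to config.

The records below are the ones from the fedora-selinux-list thread, re-joined
onto single lines. Nothing here talks to the audit subsystem; it is an offline
reading of the posted text.
"""
import re
from collections import defaultdict

# Records copied from the thread (permissive-mode run), one per line.
AVC_LINES = [
    'type=AVC msg=audit(1199645179.126:34): avc: denied { create } for pid=7782 '
    'comm="ln" name=".is-writeable" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for pid=7783 '
    'comm="rm" name=".is-writeable" dev=dm-0 ino=11076747 '
    'scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1199645179.255:36): avc: denied { append } for pid=7780 '
    'comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0 ino=11076866 '
    'scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
    # A SYSCALL record (truncated) to show that non-AVC lines are ignored.
    'type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5 success=yes exit=3',
]

# verdict, the { perm ... } set, and the trailing key=value fields of an AVC record
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<serial>[^)]+)\):\s+avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, name) or bare (contexts, pids)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumption of this example: permissions that modify the target object.
WRITE_PERMS = {"create", "unlink", "append", "write", "rename", "setattr",
               "link", "rmdir", "add_name", "remove_name"}


def selinux_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_avc(lines):
    """Parse AVC records into dicts; records of other audit types are skipped."""
    records = []
    for line in lines:
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        records.append({
            "serial": m.group("serial"),
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", "?"),
            "stype": selinux_type(fields["scontext"]),
            "ttype": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return records


def allow_rules(records):
    """Collapse denials into 'allow src tgt:class perms;' lines, one per
    (source type, target type, class), the same grouping audit2allow uses."""
    needed = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            needed[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules


def config_writes(records, config_types=("etc_t",)):
    """List (comm, permission, object name) for every modifying access to a
    configuration type: the check to run before turning a denial into a rule."""
    hits = set()
    for r in records:
        if r["ttype"] in config_types:
            for perm in r["perms"] & WRITE_PERMS:
                hits.add((r["comm"], perm, r["name"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_avc(AVC_LINES)
    print("rules a local module would need:")
    for rule in allow_rules(recs):
        print("  " + rule)
    print("writes into configuration types by the udev_t domain:")
    for comm, perm, name in config_writes(recs):
        print(f"  {comm} {perm} {name}")
```

The rule lines are only the body; `audit2allow -M` also wraps them in the `module`/`require` header a loadable module needs. The point of `config_writes` is the step before granting anything: the output shows `ln`, `rm` and `write_cd_rules`, all in udev_t, creating, unlinking and appending under etc_t, which is exactly the "udev writing its own config files" pattern Dan calls a bad idea. A denial like that is a reason to file the bug, not to load a module that makes the writes legal.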