On Tue, May 25, 2010 at 11:47 AM, Karl-Michael Schneider <karlmicha@xxxxxxxxx> wrote:
> On Mon, May 24, 2010 at 12:28 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On Mon, 2010-05-24 at 15:07 -0400, Stephen Smalley wrote:
>>> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>>> > I have fc12 installed on a Lenovo R61 laptop with two kernels:
>>> >
>>> > kernel-2.6.31.12-174.2.22.fc12.i686
>>> > kernel-2.6.32.12-115.fc12.i686
>>> >
>>> > The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>>> > kernel it fails because SELinux is blocking access to device nodes. I
>>> > can only boot the 2.6.32 kernel in single user mode. The reason is
>>> > that /dev and all files in it have no type:
>>> >
>>> > $ ls -lZ /dev
>>> > crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
>>> <snip>
>>> > The filesystem is ext3 on LVM:
>>> >
>>> > $ cat /etc/fstab
>>> > /dev/VolGroup00/LogVol00 / ext3 defaults 1 1
>>> > ...
>>> >
>>> > The filesystem was created when I installed FC9. Later I upgraded to
>>> > FC12. But the problem only appeared when the kernel was updated from
>>> > 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>>> >
>>> > I have already relabeled the filesystem, but it didn't help. I tried
>>> > restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>>> > anything.
>>>
>>> Sounds like the devtmpfs mount with a policy that doesn't know about it.
>>> dmesg | grep SELinux
>>> grep /dev /proc/mounts
>>
>> I suspect your policy update didn't go cleanly and aborted during %post,
>> especially if you tried going all the way from F9 to F12. I'd suggest
>> doing:
>> mv /etc/selinux/targeted /etc/selinux/targeted.orig
>> yum reinstall selinux-policy-targeted
>
> Thanks. This resolved the /dev labeling problem.
>
> Now I got security exceptions for a number of applications. I remember
> I got the same exceptions after I upgraded to FC12. So I booted with
> enforcing=0 and built a local policy module from audit.log as
> described in the audit2allow man page. I post it here:
>
> module local 1.0;
>
> require {
> 	type unconfined_t;
> 	type system_dbusd_var_run_t;
> 	type sound_device_t;
> 	type usr_t;
> 	type xdm_var_lib_t;
> 	type dri_device_t;
> 	type NetworkManager_t;
> 	type user_home_t;
> 	type var_spool_t;
> 	type initrc_t;
> 	type system_dbusd_t;
> 	type var_lock_t;
> 	type xdm_dbusd_t;
> 	type session_dbusd_tmp_t;
> 	type unlabeled_t;
> 	type removable_device_t;
> 	type consolekit_t;
> 	type var_lib_t;
> 	type gnomeclock_t;
> 	type gconfd_exec_t;
> 	type var_t;
> 	type xdm_t;
> 	class process sigchld;
> 	class unix_stream_socket connectto;
> 	class dbus send_msg;
> 	class chr_file { getattr setattr };
> 	class file { rename execute setattr read execmod getattr execute_no_trans write ioctl unlink open create append };
> 	class sock_file { write create unlink };
> 	class blk_file { getattr setattr };
> 	class dir { write search setattr read remove_name add_name };
> }
>
> #============= NetworkManager_t ==============
> allow NetworkManager_t unlabeled_t:file { ioctl execute read open getattr execute_no_trans };
> allow NetworkManager_t var_lib_t:file { read create open getattr };
> allow NetworkManager_t var_lock_t:dir search;
>
> #============= consolekit_t ==============
> allow consolekit_t dri_device_t:chr_file { getattr setattr };
> allow consolekit_t removable_device_t:blk_file { getattr setattr };
> allow consolekit_t sound_device_t:chr_file { getattr setattr };
>
> #============= gnomeclock_t ==============
> allow gnomeclock_t initrc_t:dbus send_msg;
>
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using the boolean 'allow_execmod'
>
> allow unconfined_t usr_t:file execmod;
>
> #============= unlabeled_t ==============
> allow unlabeled_t unconfined_t:process sigchld;
>
> #============= xdm_dbusd_t ==============
> allow xdm_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
> allow xdm_dbusd_t self:unix_stream_socket connectto;
> allow xdm_dbusd_t session_dbusd_tmp_t:sock_file { write create unlink };
> allow xdm_dbusd_t system_dbusd_t:dbus send_msg;
> allow xdm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
> allow xdm_dbusd_t system_dbusd_var_run_t:dir search;
> allow xdm_dbusd_t system_dbusd_var_run_t:sock_file write;
> allow xdm_dbusd_t xdm_t:unix_stream_socket connectto;
> #!!!! The source type 'xdm_dbusd_t' can write to a 'dir' of the following types:
> # session_dbusd_tmp_t, tmp_t
>
> allow xdm_dbusd_t xdm_var_lib_t:dir { read write add_name remove_name };
> #!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following type:
> # session_dbusd_tmp_t
>
> allow xdm_dbusd_t xdm_var_lib_t:file { rename read create write getattr unlink open append };
>
> #============= xdm_t ==============
> allow xdm_t initrc_t:dbus send_msg;
> #!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
>
> allow xdm_t session_dbusd_tmp_t:dir setattr;
> #!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
> # xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, xdm_home_t, pam_var_console_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t, user_tmp_t, auth_cache_t, var_lib_t, var_run_t, xdm_tmpfs_t, xdm_tmp_t, root_t, nfs_t
>
> allow xdm_t session_dbusd_tmp_t:dir { write remove_name add_name };
> allow xdm_t session_dbusd_tmp_t:sock_file { write create unlink };
> #!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
>
> allow xdm_t user_home_t:file { write rename };
> allow xdm_t var_spool_t:file unlink;
> allow xdm_t var_t:dir setattr;
> allow xdm_t var_t:file { write rename create unlink setattr };

Adding the local policy module did not fix all the problems. I had to relabel the filesystem, and that fixed it (no need for a local policy module anymore).

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
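As an added example (not from the thread or from audit2allow itself), a small Python parser that aggregates AVC denials from audit.log into audit2allow-style allow rules, but reports rather than allows any denial whose target is unlabeled_t, since, as the thread shows, those come from a labeling problem that a relabel fixes and a local module only papers over. The audit records and their pids, paths and inodes are constructed; the type names reuse the thread's.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt; the third record mirrors the unlabeled /dev symptom.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1274734512.101:40): avc:  denied  { read } for  pid=1201 comm="NetworkManager" path="/var/lib/NetworkManager/state" dev=dm-0 ino=11 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274734512.102:41): avc:  denied  { open create } for  pid=1201 comm="NetworkManager" path="/var/lib/NetworkManager/state" dev=dm-0 ino=11 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274734512.103:42): avc:  denied  { read open } for  pid=1201 comm="NetworkManager" path="/dev/net/tun" dev=devtmpfs ino=5 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=chr_file
type=AVC msg=audit(1274734512.104:43): avc:  denied  { connectto } for  pid=1400 comm="dbus-daemon" path="/tmp/dbus-1" scontext=system_u:system_r:xdm_dbusd_t:s0 tcontext=system_u:system_r:xdm_dbusd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1274734512.104:43): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = (m.group(g).split(":")[2] for g in ("scon", "tcon"))  # user:role:TYPE:level
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def aggregate(lines):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_module(name, rules):
    """Emit a local module. A denial whose target is unlabeled_t is a labeling
    bug (the /dev devtmpfs case), so it is reported as a comment, not allowed."""
    allows, skipped, types, classes = [], [], set(), defaultdict(set)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        rule = "allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(perms)))
        if ttype == "unlabeled_t":
            skipped.append("# NOT allowed (target unlabeled_t, relabel instead): " + rule)
            continue
        allows.append(rule)
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + allows + skipped
    return "\n".join(out) + "\n"
```

Run `print(render_module("local", aggregate(SAMPLE_AUDIT_LOG.splitlines())))` to see the module; the unlabeled_t denial appears only as a trailing comment pointing at a relabel.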