Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell

On Fri, 2008-03-07 at 07:42 -0600, Joe Nall wrote:
> On Mar 6, 2008, at 3:11 PM, James Carter wrote:
> 
> > Upstart spawns a shell during boot and, without this patch, it will
> > transition to the sysadm_t domain, but remain in the system_r role.
> 
> Is that the cause of these mls avcs I'm seeing in /var/log/messages  
> from selinux-policy-mls-3.3.1-12.fc9?

Yes, for the first two.

> [root@rawhide ~]# grep sysadm_t /var/log/messages
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc:  denied  { read write } for  pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884961.937:4): avc:  denied  { ioctl } for  pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file

I can't say that I saw the rest of these, but I was using refpolicy, not
the fedora mls policy.

> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc:  denied  { signal } for  pid=502 comm="rc.sysinit" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc:  denied  { setattr } for  pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:7): avc:  denied  { create } for  pid=542 comm="MAKEDEV" name="loop0-" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:8): avc:  denied  { setattr } for  pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:9): avc:  denied  { rename } for  pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.658:10): avc:  denied  { setattr } for  pid=542 comm="MAKEDEV" name="parport0-" dev=tmpfs ino=1847 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884963.680:11): avc:  denied  { setattr } for  pid=542 comm="MAKEDEV" name="tun-" dev=tmpfs ino=1862 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30): avc:  denied  { unlink } for  pid=785 comm="udevd" name=".tmp-8-0" dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52): avc:  denied  { write } for  pid=1395 comm="rc.sysinit" name="urandom" dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> Mar  7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55): avc:  denied  { listen } for  pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
> 
> joe
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
-- 
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency


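One way to pick this mis-transition out of an audit log, as an added example that is not part of the thread or of refpolicy: parse each AVC record, split the source context into user:role:type:range, and flag processes whose role is system_r but whose domain is sysadm_t (the pairing the patch prevents). The parser is constructed here; the first two sample records are the "sh" and "rpcbind" denials quoted above, the third is a constructed record of a daemon in its own domain for contrast.

```python
import re
# Sample AVC records: two from the thread (rejoined onto one line each) and one
# constructed httpd_t record that should not be flagged.
SAMPLE_AVCS = [
    'type=1400 audit(1204884961.873:3): avc:  denied  { read write } for  pid=502 '
    'comm="sh" path="/dev/console" dev=tmpfs ino=230 '
    'scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file',
    'type=1400 audit(1204884980.089:55): avc:  denied  { listen } for  pid=2051 '
    'comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 '
    'tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket',
    'type=1400 audit(1204884990.000:60): avc:  denied  { write } for  pid=2100 '  # constructed
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself contains colons."""
    parts = ctx.split(':', 3)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key] = val[1:-1] if val.startswith('"') else val
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx] = split_context(rec[ctx])
    return rec

def find_misplaced_domains(lines, role='system_r', domain='sysadm_t'):
    """Flag processes whose source context pairs role with domain (by default
    system_r with sysadm_t). Returns (pid, comm, scontext string) tuples."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec:
            continue
        sc = rec['scontext']
        if sc['role'] == role and sc['type'] == domain:
            full = ':'.join(p for p in (sc['user'], role, domain, sc['range']) if p)
            hits.append((int(rec.get('pid', 0)), rec.get('comm', '?'), full))
    return hits
```

Feeding `grep avc: /var/log/messages` through `find_misplaced_domains` after a boot gives a quick check that the shell upstart spawns no longer lands in sysadm_t.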
