Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell

On Mar 7, 2008, at 9:49 AM, Joe Nall wrote:


On Mar 7, 2008, at 7:52 AM, Daniel J Walsh wrote:


Looks like it.  I think leaving making it initrc_t would fix most of
your avc messages.

It certainly changed them. Here is the result of changing init_t to initrc_t and the result of deleting the transition entirely (James's patch):

#============= init_t ==============
allow init_t self:unix_dgram_socket sendto;
allow init_t shell_exec_t:file { read execute execute_no_trans };

#============= initrc_t ==============
allow initrc_t etc_t:file write;
allow initrc_t lvm_control_t:chr_file write;
allow initrc_t var_run_t:sock_file create;

#============= insmod_t ==============
allow insmod_t kernel_t:process setsched;

#============= setrans_t ==============
allow setrans_t initrc_t:fd use;


Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:3): avc: denied { execute } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.921:4): avc: denied { read } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926624.922:5): avc: denied { execute_no_trans } for pid=502 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926628.114:6): avc: denied { setsched } for pid=612 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926633.712:7): avc: denied { write } for pid=1310 comm="multipath.stati" name="control" dev=tmpfs ino=5407 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:8): avc: denied { execute } for pid=1448 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:9): avc: denied { read } for pid=1448 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.761:10): avc: denied { execute_no_trans } for pid=1448 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926635.837:11): avc: denied { sendto } for pid=1448 comm="telinit" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926636.048:12): avc: denied { setsched } for pid=1477 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926638.005:13): avc: denied { write } for pid=1732 comm="ifup-eth" name="dhclient-eth0.conf" dev=sda2 ino=20055551 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926644.913:15): avc: denied { use } for pid=2031 comm="mcstransd" path="/lib/ld-2.7.90.so" dev=sda2 ino=12125240 scontext=system_u:system_r:setrans_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
Mar 7 15:50:46 rawhide kernel: type=1400 audit(1204926645.074:16): avc: denied { create } for pid=2041 comm="rpcbind" name="rpcbind.sock" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

joe
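
The audit2allow sections in Joe's message are derived from the AVC records quoted below them. As an added example (not part of the thread and not audit2allow's own code), the Python below performs that grouping on a constructed sample of the same records: one rule per (source type, target type, object class), `self` when source and target types match, and a separate check that reports domains which executed shell_exec_t with execute_no_trans, which is the missing-transition situation the subject line refers to. Permissions inside braces are sorted alphabetically rather than in policy order, so they differ from audit2allow's ordering.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the AVC records quoted in this thread, one per line.
SAMPLE_AVC = [
    'type=1400 audit(1204926624.921:3): avc: denied { execute } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
    'type=1400 audit(1204926624.921:4): avc: denied { read } for pid=502 comm="init" name="bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
    'type=1400 audit(1204926624.922:5): avc: denied { execute_no_trans } for pid=502 comm="init" path="/bin/bash" dev=sda2 ino=24084497 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
    'type=1400 audit(1204926635.837:11): avc: denied { sendto } for pid=1448 comm="telinit" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket',
    'type=1400 audit(1204926628.114:6): avc: denied { setsched } for pid=612 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process',
]

# Fields needed from a kernel AVC denial record: permissions, both contexts, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Type is the third colon-separated field; the MLS range after it is ignored."""
    return context.split(':')[2]

def collect_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
            perms[key].update(m['perms'].split())
    return perms

def avc_to_allow_rules(lines):
    """Render grouped denials as allow rules, one list per source domain.
    Target equal to source is written 'self'; a single permission is written bare."""
    rules = defaultdict(list)
    for (src, tgt, cls), ps in sorted(collect_denials(lines).items()):
        pl = sorted(ps)
        pstr = pl[0] if len(pl) == 1 else '{ ' + ' '.join(pl) + ' }'
        rules[src].append(f'allow {src} {"self" if tgt == src else tgt}:{cls} {pstr};')
    return dict(rules)

def shells_run_without_transition(lines):
    """Source domains that executed shell_exec_t in place (execute_no_trans),
    i.e. the shell ran without a domain transition."""
    return sorted(src for (src, tgt, cls), ps in collect_denials(lines).items()
                  if tgt == 'shell_exec_t' and cls == 'file' and 'execute_no_trans' in ps)
```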

