Bug 432355 - SElinux prevents fbset before rc.sysinit
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: fbset
rawhide
All Linux
low Severity low
Assigned To: Zdenek Prikryl
Fedora Extras Quality Assurance
: SELinux
Reported: 2008-02-11 10:20 EST by Stepan Kasal
Modified: 2008-02-13 08:15 EST
Doc Type: Bug Fix
Last Closed: 2008-02-12 13:02:39 EST
Attachments:
dmesg from my boot (20.60 KB, text/plain)
2008-02-11 10:20 EST, Stepan Kasal

Description Stepan Kasal 2008-02-11 10:20:43 EST
My system sets up the frame buffer before rc.sysinit, see below.
(It is very important to set it up very early, before the additional virtual
consoles are touched/created.)
During this, SELinux complains, see the attached /var/log/dmesg.

$ sed -n 20,22p /etc/inittab 
# System initialization.
s1::sysinit:/etc/rc.d/rc.fbcon
si::sysinit:/etc/rc.d/rc.sysinit
$ cat /etc/rc.d/rc.fbcon
#!/bin/bash
#
# /etc/rc.d/rc.fbcon - set up framebuffer before rc.sysinit
#
modprobe matroxfb_crtc2
mknod /dev/fb0 c 29 0
fbset 1152x864-80 -depth 16
$
Comment 1 Stepan Kasal 2008-02-11 10:20:43 EST
Created attachment 294568
dmesg from my boot
Comment 2 Stepan Kasal 2008-02-11 11:15:55 EST
Forgot to mention the versions:

fbset-2.1-24.fc7.i386
selinux-policy-targeted-3.2.7-1.fc9.noarch
Comment 3 Daniel Walsh 2008-02-11 16:57:17 EST
If you chcon -t initrc_exec_t /etc/rc.d/rc.fbcon

Does it fix the problem?
Comment 4 Stepan Kasal 2008-02-12 11:53:42 EST
> If you chcon -t initrc_exec_t /etc/rc.d/rc.fbcon
> Does it fix the problem?

It helps, thanks.  But there still is a problem, see the two denials below:

audit(1202834224.380:3): avc:  denied  { read write } for  pid=463
comm="modprobe" name="console" dev=tmpfs ino=230
scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=chr_file
audit(1202834224.384:4): avc:  denied  { getattr } for  pid=463 comm="modprobe"
path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:insmod_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
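
Added example, not part of the bug report or of any Fedora tool: a small Python parser that rejoins the wrapped AVC records quoted in comment 4 and merges them by source type, target type and object class, which shows that both denials describe one access (modprobe in `insmod_t` touching a `tmpfs_t` character device). The function and constant names are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two denials quoted in comment 4, with the line wrapping from the report.
SAMPLE = """\
audit(1202834224.380:3): avc:  denied  { read write } for  pid=463
comm="modprobe" name="console" dev=tmpfs ino=230
scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=chr_file
audit(1202834224.384:4): avc:  denied  { getattr } for  pid=463 comm="modprobe"
path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:insmod_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
"""

# Zero-width split point in front of every audit(<epoch>.<ms>:<serial>): header.
RECORD_START = re.compile(r"(?=audit\(\d+\.\d+:\d+\):)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Undo line wrapping: a record runs until the next audit(...) header."""
    flat = " ".join(text.split())
    return [r.strip() for r in RECORD_START.split(flat) if r.strip()]

def parse_denial(record):
    """Return the fields of one AVC denial, or None for anything else."""
    perms = PERMS.search(record)
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = perms.group(1).split()
    # A context is user:role:type[:level]; type enforcement looks at the type.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(text):
    """Merge denials sharing (source type, target type, class) into one line."""
    grouped = defaultdict(set)
    for d in filter(None, map(parse_denial, split_records(text))):
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return ["%s -> %s:%s { %s }" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```
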
Comment 5 Daniel Walsh 2008-02-12 13:02:39 EST
Fixed in selinux-policy-3.2.7-4.fc9
Comment 6 Stepan Kasal 2008-02-13 08:15:11 EST
> Fixed in selinux-policy-3.2.7-4.fc9

I confirm that this fixes the problem; thanks a lot.
