Bug 598475 - (dracutrestorecon) AVCs generated during boot: Does dracut need to 'restorecon' /dev early?
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dracut
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Harald Hoyer
QA Contact: Fedora Extras Quality Assurance
Duplicates: 597616 597624 598484
Reported: 2010-06-01 09:14 EDT by Tom London
Modified: 2010-06-25 08:42 EDT
Last Closed: 2010-06-25 08:42:02 EDT
Doc Type: Bug Fix


Attachments
Here is a patch to run restorecon in the dracut/selinux script. (645 bytes, text/plain)
2010-06-01 09:35 EDT, Daniel Walsh
Modified selinux-loadpolicy.sh (1.79 KB, text/plain)
2010-06-02 08:20 EDT, Dominick Grift

Description Tom London 2010-06-01 09:14:47 EDT
Description of problem:
I notice AVCs generated during every boot:

[root@tlondon ~]# boot2allow


#============= consoletype_t ==============
allow consoletype_t device_t:chr_file { read write ioctl getattr };

#============= hostname_t ==============
allow hostname_t device_t:chr_file { read write };

#============= mount_t ==============
allow mount_t device_t:chr_file open;

#============= readahead_t ==============
allow readahead_t device_t:chr_file { read write };

#============= setfiles_t ==============
allow setfiles_t device_t:chr_file { read write };
[root@tlondon ~]#

Here are the raw AVCs from /var/log/messages:

[tbl@tlondon ~]$ dmesg | grep avc
type=1400 audit(1275237332.739:3): avc:  denied  { read write } for
pid=417 comm="hostname" path="/dev/console" dev=devtmpfs ino=5557
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.811:5): avc:  denied  { read write } for
pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:6): avc:  denied  { getattr } for
pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:7): avc:  denied  { ioctl } for
pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.034:8): avc:  denied  { open } for  pid=422
comm="mount" name="null" dev=devtmpfs ino=4055
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.278:9): avc:  denied  { read write } for
pid=416 comm="readahead" path="/dev/console" dev=devtmpfs ino=5557
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.325:10): avc:  denied  { read write } for
pid=429 comm="restorecon" path="/dev/console" dev=devtmpfs ino=5557
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237335.927:11): avc:  denied  { mmap_zero } for
pid=491 comm="vbetool"
scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023
tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[tbl@tlondon ~]$

Here's a bit of context:

May 30 09:35:42 tlondon kernel: EXT4-fs (dm-0): mounted filesystem
with ordered data mode
May 30 09:35:42 tlondon kernel: dracut: Mounted root filesystem
/dev/mapper/vg_tlondon-lv_root
May 30 09:35:42 tlondon kernel: dracut: Loading SELinux policy
May 30 09:35:42 tlondon kernel: type=1403 audit(1275237332.031:2):
policy loaded auid=4294967295 ses=4294967295
May 30 09:35:42 tlondon kernel: dracut: Switching root
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.739:3):
avc:  denied  { read write } for  pid=417 comm="hostname"
path="/dev/console" dev=devtmpfs ino=5557
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: audit: audit_lost=1 audit_rate_limit=0
audit_backlog_limit=64
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.811:5):
avc:  denied  { read write } for  pid=421 comm="consoletype"
path="/dev/null" dev=devtmpfs ino=4055
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: audit: printk limit exceeded
May 30 09:35:42 tlondon kernel:
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.816:6):
avc:  denied  { getattr } for  pid=421 comm="consoletype"
path="/dev/null" dev=devtmpfs ino=4055
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.816:7):
avc:  denied  { ioctl } for  pid=421 comm="consoletype"
path="/dev/null" dev=devtmpfs ino=4055
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237333.034:8):
avc:  denied  { open } for  pid=422 comm="mount" name="null"
dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: readahead: starting
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237333.278:9):
avc:  denied  { read write } for  pid=416 comm="readahead"
path="/dev/console" dev=devtmpfs ino=5557
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237333.325:10):
avc:  denied  { read write } for  pid=429 comm="restorecon"
path="/dev/console" dev=devtmpfs ino=5557
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: udev: starting version 156
May 30 09:35:42 tlondon kernel: microcode: CPU0 sig=0x10676, pf=0x80,
revision=0x60c
May 30 09:35:42 tlondon kernel: microcode: CPU1 sig=0x10676, pf=0x80,
revision=0x60c
May 30 09:35:42 tlondon kernel: microcode: Microcode Update Driver:
v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

I got these booting with 'enforcing=0'.

Comment from Dan Walsh:
I think dracut should be doing a restorecon -R -v /dev right after it
loads policy to fix all the device labels created during boot.

Version-Release number of selected component (if applicable):
dracut-005-2.fc14.noarch

How reproducible:
Every boot

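Every denial in the report except the vbetool one shares a single signature: the target is the generic device_t type on devtmpfs, which is the label a device node keeps when it was created before policy was loaded. Fed to audit2allow that log becomes five allow rules (the boot2allow output above), but the rules would paper over a labelling problem rather than fix it; the remedy Dan suggests is a restorecon of /dev. The following is an added example, not part of the bug report or of dracut: a POSIX sh/awk triage that aggregates AVC records per (source type, target type, class) the way the boot2allow output does, and marks entries that point at mislabelled device nodes as RELABEL instead of treating them as policy candidates. The sample records are the AVC lines quoted in the report, embedded inline one record per line; the function name and the RELABEL/REVIEW verdicts are this example's own.

```shell
#!/bin/sh
# Sample input: the AVC records from the bug report, one per line (constructed
# here as inline test data; on a live system they come from dmesg/ausearch).
SAMPLE_AVCS='type=1400 audit(1275237332.739:3): avc:  denied  { read write } for  pid=417 comm="hostname" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.811:5): avc:  denied  { read write } for  pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:6): avc:  denied  { getattr } for  pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.034:8): avc:  denied  { open } for  pid=422 comm="mount" name="null" dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.278:9): avc:  denied  { read write } for  pid=416 comm="readahead" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.325:10): avc:  denied  { read write } for  pid=429 comm="restorecon" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237335.927:11): avc:  denied  { mmap_zero } for  pid=491 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect'

# avc_triage: read AVC records on stdin, print one aggregated line per
# (source type, target type, class) in audit2allow's "allow" syntax, prefixed
# with RELABEL when the target is the generic device_t on devtmpfs (a device
# node created before policy load; fix the label, not the policy) or REVIEW
# otherwise. Output is sorted so it is stable for comparison.
avc_triage() {
    awk '
    /avc: +denied/ {
        # permission set: the text between "{" and "}"
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        # every key=value token on the line
        split("", kv)
        for (i = 1; i <= NF; i++)
            if (split($i, pair, "=") == 2) kv[pair[1]] = pair[2]
        # third colon-separated component of a context is the type
        split(kv["scontext"], s, ":")
        split(kv["tcontext"], t, ":")
        key = s[3] " " t[3] ":" kv["tclass"]
        # merge permissions for the same key, keeping each one once
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
        # the mislabelled-device signature described in the report
        if (t[3] == "device_t" && kv["dev"] == "devtmpfs" &&
            (kv["tclass"] == "chr_file" || kv["tclass"] == "blk_file"))
            verdict[key] = "RELABEL"
        else if (!(key in verdict))
            verdict[key] = "REVIEW"
    }
    END {
        for (key in seen)
            print verdict[key], "allow", key, "{", seen[key], "};"
    }' | sort
}

printf '%s\n' "$SAMPLE_AVCS" | avc_triage
```

Run against the report's records this yields five RELABEL lines (hostname_t, consoletype_t, mount_t, readahead_t, setfiles_t against device_t:chr_file) and one REVIEW line for the vbetool_t memprotect denial, which has nothing to do with /dev labels and does need a separate look.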
Comment 1 Frank Murphy 2010-06-01 09:32:36 EDT
*** Bug 598484 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2010-06-01 09:35:29 EDT
Created attachment 418640 [details]
Here is a patch to run restorecon in the dracut/selinux script.

This patch will fix the labels on any devices that were created during boot before SELinux policy was loaded.
Comment 3 Daniel Walsh 2010-06-01 09:38:18 EDT
*** Bug 597616 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2010-06-01 09:41:04 EDT
*** Bug 597624 has been marked as a duplicate of this bug. ***
Comment 5 Dominick Grift 2010-06-01 09:43:27 EDT
That patch won't work because /dev is not mounted at that point. Either way, I have discussed this issue with hhoyer in #dracut and he assured me that a fix would be pushed to the repositories soon.
Comment 6 Dominick Grift 2010-06-01 09:51:09 EDT
for reference:

commit 769cf2477076a0ec0ab40de329eddc6d33435dde
Author: Dominick Grift <domg472 at gmail.com> 2010-05-14 18:26:02
Committer: Dominick Grift <domg472 at gmail.com> 2010-05-14 18:26:02
Parent: 05997000a2389e510dd924bcf37b61c93b09f83a (Remove unused comments.)
Child:  f68796e9a8fd8c5234faf06484c99f2028c7b652 (Version 3.7.19-16.3)

Added this:
                mount --bind /dev "$NEWROOT/dev"
                chroot "$NEWROOT" /sbin/restorecon -R /dev
to:
/usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh
so that devtmpfs gets restored right after dracut loads policy.
So now we should be able to remove:
dev_rw_generic_chr_files for both init_t and initrc_t, I guess.
instead add dev_read_urand(init_t)

Signed-off-by: Dominick Grift <domg472 at gmail.com>
------------------------ policy/modules/system/init.te ------------------------
index 8018498..2a784c1 100644
@@ -139,7 +139,8 @@
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
-dev_rw_generic_chr_files(init_t)
+dev_read_urand(init_t)
+# dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
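Review bot: the rule being removed survives as a commented-out line (`+# dev_rw_generic_chr_files(init_t)`) directly under its replacement `+dev_read_urand(init_t)`, so the hunk grows the block (-139,7 +139,8) only to carry dead text; either delete the line or turn the comment into the reason the rule can go (the initramfs now restorecons /dev right after loading policy, so init no longer needs generic chr_file access). The hunk also does not say why urandom is the one device init_t still needs; the commit message only states "instead add dev_read_urand(init_t)", and a one-line comment here would save the next reader the archaeology. Finally, this tightening is only safe on systems whose initramfs actually contains the relabel step (comment 10 notes the initrd must be regenerated); booting an old initrd with this policy leaves init_t without access to nodes still labelled device_t.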
@@ -346,7 +347,7 @@
 dev_getattr_all_chr_files(initrc_t)
 dev_rw_xserver_misc(initrc_t)
 # Else readahead wont start
-dev_rw_generic_chr_files(initrc_t)
+# dev_rw_generic_chr_files(initrc_t)
 
 corecmd_exec_all_executables(initrc_t)
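Review bot: the retained context comment `# Else readahead wont start` now sits above a disabled rule (`+# dev_rw_generic_chr_files(initrc_t)`), so it documents a rule that no longer exists and invites someone to re-enable it the next time readahead misbehaves; either update the comment to record why the rule could go (selinux-loadpolicy.sh relabels /dev before switch_root, so the nodes readahead touches are no longer device_t) or remove both lines together. Note also that the log in the report shows readahead denied on /dev/console as readahead_t, not initrc_t, so "readahead still starts" is the test that should be run before this hunk is accepted.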
Comment 7 Frank Murphy 2010-06-02 06:26:07 EDT
(In reply to comment #2)
> Created an attachment (id=418640) [details]
> Here is a patch to run restorecon in the dracut/selinux script.
> 
> This patch will fix the labels on any devices that were created during boot
> before SELinux policy was loaded.    

Tried, Dan, but no luck,
even after changing ~/dracut-005/* to ~/dracut/*.
Comment 8 Frank Murphy 2010-06-02 06:30:49 EDT
(In reply to comment #6)
> for reference:
>
> Added this:
>                 mount --bind /dev "$NEWROOT/dev"
>                 chroot "$NEWROOT" /sbin/restorecon -R /dev
> to:
> /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh

Where exactly in the file would it go?
Java's been what I *have* to learn in college :(
Comment 9 Dominick Grift 2010-06-02 08:20:22 EDT
Created attachment 419011 [details]
Modified selinux-loadpolicy.sh

This is my modified dracut load policy script that is confirmed to work.
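Comment 5 names the trap in the first patch (/dev is not yet mounted under the new root when policy is loaded) and comment 6 gives the two-line fix: bind-mount /dev into $NEWROOT and run restorecon from a chroot there. As an added example that is neither dracut's selinux-loadpolicy.sh nor the attachment above, the function below wraps those two lines with the checks a module author would want: it consults a /proc/mounts-style table so it bind-mounts /dev only when it is not already there, refuses to run if the real root has no /sbin/restorecon to chroot into, and unmounts again only what it mounted itself. $NEWROOT is dracut's variable as used in the snippet; the function names and the optional mount-table argument are this example's own.

```shell
#!/bin/sh
# Added example, not dracut's own selinux-loadpolicy.sh. Assumes dracut's
# $NEWROOT already points at the mounted real root, as in comment 6's snippet.

# is_mountpoint_in MOUNTS_FILE PATH
# Succeeds if PATH appears as a mount point (field 2) in a /proc/mounts-style
# table. Paths containing spaces are octal-escaped in /proc/mounts and are not
# handled here; /dev paths in an initramfs do not contain them.
is_mountpoint_in() {
    awk -v target="$2" '$2 == target { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# relabel_newroot_dev [NEWROOT] [MOUNTS_FILE]
# Relabel the device nodes udev created before policy was loaded, so that the
# real root's early services do not hit device_t on /dev/console, /dev/null
# and friends. MOUNTS_FILE defaults to /proc/mounts; it is a parameter only so
# the mount-point lookup can be exercised against a constructed table.
relabel_newroot_dev() {
    newroot=${1:-$NEWROOT}
    mounts=${2:-/proc/mounts}
    [ -n "$newroot" ] || { echo "relabel_newroot_dev: NEWROOT is not set" >&2; return 1; }
    [ -d "$newroot/dev" ] || { echo "relabel_newroot_dev: no $newroot/dev" >&2; return 1; }
    [ -x "$newroot/sbin/restorecon" ] || {
        echo "relabel_newroot_dev: no /sbin/restorecon under $newroot" >&2; return 1; }

    # The first patch in this bug failed because /dev was not yet visible in
    # the new root; bind it in unless the caller already did.
    if is_mountpoint_in "$mounts" "$newroot/dev"; then
        we_mounted=0
    else
        mount --bind /dev "$newroot/dev" || return 1
        we_mounted=1
    fi

    # Use the new root's restorecon and file_contexts, not the initramfs copy.
    chroot "$newroot" /sbin/restorecon -R /dev
    rc=$?

    # Undo only what this function set up, even if restorecon failed.
    [ "$we_mounted" = 1 ] && umount "$newroot/dev"
    return $rc
}

# Stand-alone use inside the initramfs, right after policy has been loaded:
#   relabel_newroot_dev || echo "relabel of /dev failed" >&2
```

The bind mount is the part that makes this work at all, so the precondition check is what the example is really about: in an initramfs the function runs as root with the defaults, and the constructed mount table is how the lookup is verified without root.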
Comment 10 Dominick Grift 2010-06-02 08:28:00 EDT
Also be aware that you need to generate an updated initrd.
Comment 11 Frank Murphy 2010-06-02 08:47:03 EDT
Confirmed works here.
Comment 12 Gene Snider 2010-06-02 18:22:18 EDT
What is the easiest way to generate an updated initrd?

Thanks,
Gene
Comment 13 Gene Snider 2010-06-02 18:41:24 EDT
NM, /usr/libexec/plymouth/plymouth-update-initrd should do it.

Gene
Comment 14 sd.domrep 2010-06-03 14:17:37 EDT
With selinux-policy 3.8.1-5.fc14 I am still getting the same errors at boot time.
Linux: Fedora Rawhide. Kernel 2.6.34-20

Output:

SELinux: 2048 avtab hash slots, 196092 rules.
SELinux: 2048 avtab hash slots, 196092 rules.
SELinux:  9 users, 13 roles, 3265 types, 159 bools, 1 sens, 1024 cats
SELinux:  77 classes, 196092 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext4), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1275587461.492:3): policy loaded auid=4294967295 ses=4294967295
dracut: Switching root
type=1400 audit(1275587462.142:4): avc:  denied  { read write } for  pid=308 comm="hostname" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.148:5): avc:  denied  { read write } for  pid=308 comm="hostname" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.154:6): avc:  denied  { read write } for  pid=311 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.160:7): avc:  denied  { read write } for  pid=312 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4019 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.169:8): avc:  denied  { read write } for  pid=312 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4019 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.177:9): avc:  denied  { read write } for  pid=311 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.578:10): avc:  denied  { open } for  pid=313 comm="mount" name="null" dev=devtmpfs ino=4019 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.588:11): avc:  denied  { read write } for  pid=318 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I did not apply the fix; I want to wait for the appropriate update.
