Description of problem:
I notice AVCs generated during every boot:

[root@tlondon ~]# boot2allow

#============= consoletype_t ==============
allow consoletype_t device_t:chr_file { read write ioctl getattr };

#============= hostname_t ==============
allow hostname_t device_t:chr_file { read write };

#============= mount_t ==============
allow mount_t device_t:chr_file open;

#============= readahead_t ==============
allow readahead_t device_t:chr_file { read write };

#============= setfiles_t ==============
allow setfiles_t device_t:chr_file { read write };
[root@tlondon ~]#

Here are the raw AVCs from /var/log/messages:

[tbl@tlondon ~]$ dmesg | grep avc
type=1400 audit(1275237332.739:3): avc: denied { read write } for pid=417 comm="hostname" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.811:5): avc: denied { read write } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:6): avc: denied { getattr } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:7): avc: denied { ioctl } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.034:8): avc: denied { open } for pid=422 comm="mount" name="null" dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.278:9): avc: denied { read write } for pid=416 comm="readahead" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.325:10): avc: denied { read write } for pid=429 comm="restorecon" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237335.927:11): avc: denied { mmap_zero } for pid=491 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[tbl@tlondon ~]$

Here's a bit of context:

May 30 09:35:42 tlondon kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode
May 30 09:35:42 tlondon kernel: dracut: Mounted root filesystem /dev/mapper/vg_tlondon-lv_root
May 30 09:35:42 tlondon kernel: dracut: Loading SELinux policy
May 30 09:35:42 tlondon kernel: type=1403 audit(1275237332.031:2): policy loaded auid=4294967295 ses=4294967295
May 30 09:35:42 tlondon kernel: dracut: Switching root
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.739:3): avc: denied { read write } for pid=417 comm="hostname" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=64
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.811:5): avc: denied { read write } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: audit: printk limit exceeded
May 30 09:35:42 tlondon kernel:
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.816:6): avc: denied { getattr } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237332.816:7): avc: denied { ioctl } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237333.034:8): avc: denied { open } for pid=422 comm="mount" name="null" dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: readahead: starting
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237333.278:9): avc: denied { read write } for pid=416 comm="readahead" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: type=1400 audit(1275237333.325:10): avc: denied { read write } for pid=429 comm="restorecon" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
May 30 09:35:42 tlondon kernel: udev: starting version 156
May 30 09:35:42 tlondon kernel: microcode: CPU0 sig=0x10676, pf=0x80, revision=0x60c
May 30 09:35:42 tlondon kernel: microcode: CPU1 sig=0x10676, pf=0x80, revision=0x60c
May 30 09:35:42 tlondon kernel: microcode: Microcode Update Driver: v2.00 <tigran.co.uk>, Peter Oruba

I got these booting with 'enforcing=0'.

Comment from Dan Walsh:
I think dracut should be doing a restorecon -R -v /dev right after it loads policy to fix all the device labels created during boot.

Version-Release number of selected component (if applicable):
dracut-005-2.fc14.noarch

How reproducible:
Every boot

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
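Added triage helper, not part of the bug report, dracut or the selinux-policy package: the distinction the report turns on is that every denial above has a target type of device_t, the generic label a node gets when it is created before policy is loaded, so the right fix is relabelling /dev rather than adding the allow rules an audit2allow run would print. The script below reads raw AVC records (dmesg output or `ausearch -m avc --raw`), prints the rules audit2allow would have proposed for device_t targets, and lists the nodes that still carry the generic label. The sample records are constructed from the ones quoted in the report (the vbetool memprotect record is kept to show that unrelated denials are filtered out).

```shell
#!/bin/sh
# Added triage helper for this bug; not part of dracut, selinux-policy or the
# reporter's tooling. Reads raw AVC records and separates a labelling problem
# (target type device_t: node created before policy load, never relabelled)
# from a genuine policy gap.

# Constructed sample, abridged from the records quoted in the report.
SAMPLE_AVCS='type=1400 audit(1275237332.739:3): avc: denied { read write } for pid=417 comm="hostname" path="/dev/console" dev=devtmpfs ino=5557 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.811:5): avc: denied { read write } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:6): avc: denied { getattr } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237332.816:7): avc: denied { ioctl } for pid=421 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4055 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237333.034:8): avc: denied { open } for pid=422 comm="mount" name="null" dev=devtmpfs ino=4055 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275237335.927:11): avc: denied { mmap_zero } for pid=491 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect'

# avc_summary: the allow rules audit2allow would propose for denials whose
# target type is device_t, one per (source type, object class), permissions
# sorted and de-duplicated. Denials against any other type are skipped.
avc_summary() {
    awk '
    /avc: +denied/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        if (ttype != "device_t") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print stype, tclass, p[j]
    }' | LC_ALL=C sort -u | awk '
    function emit() { printf "allow %s device_t:%s {%s };\n", f1, f2, perms }
    {
        key = $1 " " $2
        if (key != cur) {
            if (cur != "") emit()
            cur = key; f1 = $1; f2 = $2; perms = ""
        }
        perms = perms " " $3
    }
    END { if (cur != "") emit() }'
}

# mislabeled_nodes: device nodes still labelled device_t, keyed by filesystem
# and inode so that records naming the same node via path= and via name=
# (/dev/null, inode 4055 in the sample) collapse into one entry. These are
# the nodes a post-policy-load "restorecon -R /dev" has to fix.
mislabeled_nodes() {
    awk '
    /avc: +denied/ && /tcontext=[^ ]*:device_t:/ {
        dev = ino = path = name = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path=/)      path = substr($i, 6)
            else if ($i ~ /^name=/) name = substr($i, 6)
            else if ($i ~ /^dev=/)  dev = substr($i, 5)
            else if ($i ~ /^ino=/)  ino = substr($i, 5)
        }
        key = dev ":" ino
        if (path != "") label[key] = path
        else if (!(key in label)) label[key] = name
    }
    END {
        for (k in label) { l = label[k]; gsub(/"/, "", l); print k, l }
    }' | LC_ALL=C sort
}

# Stand-alone run: no arguments uses the constructed sample; otherwise the
# arguments are files of raw AVC records (for example saved dmesg output).
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_AVCS" | avc_summary
    printf '%s\n' "$SAMPLE_AVCS" | mislabeled_nodes
else
    cat -- "$@" | avc_summary
    cat -- "$@" | mislabeled_nodes
fi
```

Once the initrd relabels /dev right after loading policy, a dry run of `restorecon -Rnv /dev` on the booted system should report nothing for the nodes this lists, and `ls -Z /dev/console /dev/null` should show console_device_t and null_device_t instead of device_t; if the summary still proposes rules against device_t after that, the relabel is not running early enough.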
*** Bug 598484 has been marked as a duplicate of this bug. ***
Created attachment 418640
Here is a patch to run restorecon in the dracut/selinux script.

This patch will fix the labels on any devices that were created during boot before SELinux policy was loaded.
*** Bug 597616 has been marked as a duplicate of this bug. ***
*** Bug 597624 has been marked as a duplicate of this bug. ***
That patch won't work because /dev is not mounted at that point. Either way, I have discussed this issue with hhoyer in #dracut and he assured me that a fix would be pushed to the repositories soon.
for reference: commit 769cf2477076a0ec0ab40de329eddc6d33435dde Author: Dominick Grift <domg472 at gmail.com> 2010-05-14 18:26:02 Committer: Dominick Grift <domg472 at gmail.com> 2010-05-14 18:26:02 Parent: 05997000a2389e510dd924bcf37b61c93b09f83a (Remove unused comments.) Child: f68796e9a8fd8c5234faf06484c99f2028c7b652 (Version 3.7.19-16.3) Added this: mount --bind /dev "$NEWROOT/dev" chroot "$NEWROOT" /sbin/restorecon -R /dev to: /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh so that devtmpfs gets restored right after dracut loads policy. So now we should be able to remove: dev_rw_generic_chr_files for both init_t and initrc_t i guess. instead add dev_read_urand(init_t) Signed-off-by: Dominick Grift <domg472 at gmail.com> ------------------------ policy/modules/system/init.te ------------------------ index 8018498..2a784c1 100644 @@ -139,7 +139,8 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) -dev_rw_generic_chr_files(init_t) +dev_read_urand(init_t) +# dev_rw_generic_chr_files(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -346,7 +347,7 @@ dev_getattr_all_chr_files(initrc_t) dev_rw_xserver_misc(initrc_t) # Else readahead wont start -dev_rw_generic_chr_files(initrc_t) +# dev_rw_generic_chr_files(initrc_t) corecmd_exec_all_executables(initrc_t)
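Review bot: in the init_t hunk, `# dev_rw_generic_chr_files(init_t)` is left as a commented-out line next to the new `dev_read_urand(init_t)`, and the commit message only says "I guess" about the narrowing; either delete the line or replace it with a comment recording that generic chr_file access was dropped because dracut now relabels /dev after loading policy, and that read access to urandom was the only use verified. Without that note a later reader cannot tell whether init_t's remaining device accesses were checked, and on an initrd that lacks the dracut relabel init_t will hit the same device_t denials on /dev/console and /dev/null that this bug reports.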
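Review bot: in the initrc_t hunk, the comment `# Else readahead wont start` now sits directly above the commented-out `# dev_rw_generic_chr_files(initrc_t)`, so it justifies a rule that no longer exists; either remove both lines or rewrite the comment to say why the rule was dropped (readahead's console access now relies on dracut's `restorecon -R /dev` running before init starts). Commenting out instead of deleting also hides the dependency from anyone reading the policy source later.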
(In reply to comment #2)
> Created an attachment (id=418640)
> Here is a patch to run restorecon in the dracut/selinux script.
>
> This patch will fix the labels on any devices that were created during boot
> before SELinux policy was loaded.

Tried, Dan, but no luck, even after changing ~/dracut-005/* to ~/dracut/*.
(In reply to comment #6)
> for reference:
>
> Added this:
> mount --bind /dev "$NEWROOT/dev"
> chroot "$NEWROOT" /sbin/restorecon -R /dev
> to:
> /usr/share/dracut/modules.d/99base/selinux-loadpolicy.sh

Where exactly in the file would it go? Java's been what I *have* to learn in college :(
Created attachment 419011
Modified selinux-loadpolicy.sh

This is my modified dracut load policy script that is confirmed to work.
Also be aware that you need to generate an updated initrd.
Confirmed works here.
What is the easiest way to generate an updated initrd? Thanks, Gene
NM, /usr/libexec/plymouth/plymouth-update-initrd should do it. Gene
Selinux policy 3.8.1-5.fc14, I am still getting the same errors at boot time.
Linux: Fedora Rawhide.
Kernel 2.6.34-20

Output:
SELinux: 2048 avtab hash slots, 196092 rules.
SELinux: 2048 avtab hash slots, 196092 rules.
SELinux: 9 users, 13 roles, 3265 types, 159 bools, 1 sens, 1024 cats
SELinux: 77 classes, 196092 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext4), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev securityfs, type securityfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev devtmpfs, type devtmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
type=1403 audit(1275587461.492:3): policy loaded auid=4294967295 ses=4294967295
dracut: Switching root
type=1400 audit(1275587462.142:4): avc: denied { read write } for pid=308 comm="hostname" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.148:5): avc: denied { read write } for pid=308 comm="hostname" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.154:6): avc: denied { read write } for pid=311 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.160:7): avc: denied { read write } for pid=312 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4019 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.169:8): avc: denied { read write } for pid=312 comm="consoletype" path="/dev/null" dev=devtmpfs ino=4019 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.177:9): avc: denied { read write } for pid=311 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.578:10): avc: denied { open } for pid=313 comm="mount" name="null" dev=devtmpfs ino=4019 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1275587462.588:11): avc: denied { read write } for pid=318 comm="consoletype" path="/dev/console" dev=devtmpfs ino=5527 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I did not apply the fix; I want to wait until the appropriate update.