On Tue, May 25, 2010 at 11:47 AM, Karl-Michael Schneider karlmicha@gmail.com wrote:
On Mon, May 24, 2010 at 12:28 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Mon, 2010-05-24 at 15:07 -0400, Stephen Smalley wrote:
On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
I have fc12 installed on a Lenovo R61 laptop with two kernels:
kernel-2.6.31.12-174.2.22.fc12.i686
kernel-2.6.32.12-115.fc12.i686
The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32 kernel it fails because SELinux is blocking access to device nodes. I can only boot the 2.6.32 kernel in single user mode. The reason is that /dev and all files in it have no type:
$ ls -lZ /dev
crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
<snip>
The filesystem is ext3 on LVM:

$ cat /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
...

The filesystem was created when I installed FC9. Later I upgraded to FC12. But the problem only appeared when the kernel was updated from 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.

I have already relabeled the filesystem, but it didn't help. I tried restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do anything.
Sounds like the devtmpfs mount with a policy that doesn't know about it.
dmesg | grep SELinux
grep /dev /proc/mounts
I suspect your policy update didn't go cleanly and aborted during %post, especially if you tried going all the way from F9 to F12. I'd suggest doing:
mv /etc/selinux/targeted /etc/selinux/targeted.orig
yum reinstall selinux-policy-targeted
Thanks. This resolved the /dev labeling problem.
Now I got security exceptions for a number of applications. I remember I got the same exceptions after I upgraded to FC12. So I booted with enforcing=0 and built a local policy module from audit.log as described in the audit2allow man page. I post it here:
module local 1.0;

require {
	type unconfined_t;
	type system_dbusd_var_run_t;
	type sound_device_t;
	type usr_t;
	type xdm_var_lib_t;
	type dri_device_t;
	type NetworkManager_t;
	type user_home_t;
	type var_spool_t;
	type initrc_t;
	type system_dbusd_t;
	type var_lock_t;
	type xdm_dbusd_t;
	type session_dbusd_tmp_t;
	type unlabeled_t;
	type removable_device_t;
	type consolekit_t;
	type var_lib_t;
	type gnomeclock_t;
	type gconfd_exec_t;
	type var_t;
	type xdm_t;
	class process sigchld;
	class unix_stream_socket connectto;
	class dbus send_msg;
	class chr_file { getattr setattr };
	class file { rename execute setattr read execmod getattr execute_no_trans write ioctl unlink open create append };
	class sock_file { write create unlink };
	class blk_file { getattr setattr };
	class dir { write search setattr read remove_name add_name };
}

#============= NetworkManager_t ==============
allow NetworkManager_t unlabeled_t:file { ioctl execute read open getattr execute_no_trans };
allow NetworkManager_t var_lib_t:file { read create open getattr };
allow NetworkManager_t var_lock_t:dir search;

#============= consolekit_t ==============
allow consolekit_t dri_device_t:chr_file { getattr setattr };
allow consolekit_t removable_device_t:blk_file { getattr setattr };
allow consolekit_t sound_device_t:chr_file { getattr setattr };

#============= gnomeclock_t ==============
allow gnomeclock_t initrc_t:dbus send_msg;

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'
allow unconfined_t usr_t:file execmod;

#============= unlabeled_t ==============
allow unlabeled_t unconfined_t:process sigchld;

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
allow xdm_dbusd_t self:unix_stream_socket connectto;
allow xdm_dbusd_t session_dbusd_tmp_t:sock_file { write create unlink };
allow xdm_dbusd_t system_dbusd_t:dbus send_msg;
allow xdm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow xdm_dbusd_t system_dbusd_var_run_t:dir search;
allow xdm_dbusd_t system_dbusd_var_run_t:sock_file write;
allow xdm_dbusd_t xdm_t:unix_stream_socket connectto;
#!!!! The source type 'xdm_dbusd_t' can write to a 'dir' of the following types:
# session_dbusd_tmp_t, tmp_t
allow xdm_dbusd_t xdm_var_lib_t:dir { read write add_name remove_name };
#!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following type:
# session_dbusd_tmp_t
allow xdm_dbusd_t xdm_var_lib_t:file { rename read create write getattr unlink open append };

#============= xdm_t ==============
allow xdm_t initrc_t:dbus send_msg;
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t session_dbusd_tmp_t:dir setattr;
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, xdm_home_t, pam_var_console_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t, user_tmp_t, auth_cache_t, var_lib_t, var_run_t, xdm_tmpfs_t, xdm_tmp_t, root_t, nfs_t
allow xdm_t session_dbusd_tmp_t:dir { write remove_name add_name };
allow xdm_t session_dbusd_tmp_t:sock_file { write create unlink };
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t user_home_t:file { write rename };
allow xdm_t var_spool_t:file unlink;
allow xdm_t var_t:dir setattr;
allow xdm_t var_t:file { write rename create unlink setattr };
Adding the local policy module did not fix all the problems. I had to relabel the filesystem, and that fixed it (no need for a local policy module anymore).
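A small triage script, added here as an example (it is not part of the thread, of audit2allow, or of any SELinux tool), that scans an audit2allow module like the one posted above for the rules that usually point at mislabeling or an existing boolean rather than missing policy, which is exactly what this thread's outcome showed: relabeling made the module unnecessary. The sample input is a constructed excerpt of the posted module, and the set of permissions it flags (execmod, execute_no_trans) is my own choice.

```python
# Added example (not from the thread or any SELinux tool): triage an audit2allow
# .te module. Rules touching unlabeled_t, rules a boolean already covers, and
# execmod/execute_no_trans grants usually mean mislabeling, not a missing rule.
import re

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
BOOL_RE = re.compile(r"boolean '(\w+)'")
RISKY_PERMS = {"execmod", "execute_no_trans"}   # my choice of perms to flag

def parse_rules(te_text):
    """Return (src, tgt, cls, perms, boolean) per allow rule; a '#!!!! ... boolean' comment applies to the next rule."""
    rules, pending_bool = [], None
    for line in te_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            m = BOOL_RE.search(line)
            pending_bool = m.group(1) if m else pending_bool
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, multi, single = m.groups()
            rules.append((src, tgt, cls, set((multi or single).split()), pending_bool))
            pending_bool = None
    return rules

def triage(te_text):
    """Map 'src tgt:cls' to the reasons that rule deserves a second look."""
    findings = {}
    for src, tgt, cls, perms, boolean in parse_rules(te_text):
        reasons = []
        if "unlabeled_t" in (src, tgt):
            reasons.append("unlabeled_t: relabel (restorecon) instead of allowing")
        if boolean:
            reasons.append(f"covered by boolean {boolean}: use setsebool")
        if perms & RISKY_PERMS:
            reasons.append("grants " + ", ".join(sorted(perms & RISKY_PERMS)))
        if reasons:
            findings[f"{src} {tgt}:{cls}"] = reasons
    return findings

# Constructed sample: five rules copied from the module posted in the thread.
SAMPLE_TE = """\
allow NetworkManager_t unlabeled_t:file { ioctl execute read open getattr execute_no_trans };
allow NetworkManager_t var_lock_t:dir search;
#!!!! This avc can be allowed using the boolean 'allow_execmod'
allow unconfined_t usr_t:file execmod;
allow unlabeled_t unconfined_t:process sigchld;
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t session_dbusd_tmp_t:dir setattr;
"""
```

Running triage(SAMPLE_TE) flags four of the five rules; the only clean one is the var_lock_t:dir search, which is the kind of rule a local module is actually for.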
selinux@lists.fedoraproject.org