On Mon, Jan 12, 2009 at 10:53 AM, Daniel J Walsh <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joe Nall wrote:
>> type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for
>> pid=1 comm="init" name="plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc: denied { read } for
>> pid=723 comm="init" name="plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans }
>> for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.623:5): avc: denied { getattr } for
>> pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.625:6): avc: denied { search } for
>> pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>> type=AVC msg=audit(1231458433.625:6): avc: denied { read } for
>> pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.632:7): avc: denied { getattr } for
>> pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0
>> ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458434.550:20): avc: denied { read } for
>> pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
>>
>> type=AVC msg=audit(1231458434.550:21): avc: denied { write } for
>> pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
>>
>> with the last avc repeated ~3000 times a second forever in enforcing.
>>
>> Should plymouthd have a dedicated type or should tty1 be SystemHigh?
>>
>> joe
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> I think plymouthd is started in the initrd, so I don't think we can
> have a transition. But shouldn't the kernel be able to override MLS So
> it could write to this terminal?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAklrdYgACgkQrlYvE4MpobMYDACeOq906O8BalhlDJv94Lu/oe1Z
> Y6QAnj6r0CshCY5G819oBj+jVp4mr/iE
> =oOG1
> -----END PGP SIGNATURE-----
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
kernel_t already has mls_files_[read/write]_all_levels however it uses
term_use_console which doesn't cover tty_device_t. The options are to
use term_use_all_terms or to "allow kernel_t tty_device_t:chr_file
rw_file_perms;". Which will it be?
Ted
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have sucked it up over the last couple of days and have cleaned up
most of the MLS avcs in Fedora 11. It now boots up and I can log in in
enforcing mode.
I would prefer to work with the F11 policy, although this can safely be
installed on an F10 system.
Tryout 3.6.3-5.f11
I gave the kernel_t the privs to run plymouth, it does not make much
sense to prevent kernel_t from any of the accesses it needed.
Also wrote most of the policy for wm_t.
Some problems like use of fusermount are going to be tougher to decide
on what the right thing to do is.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkl3kf0ACgkQrlYvE4MpobNMYwCeOHaZ3GokeMzg8oRrM8vU/S6Q
sqAAoNlF+b4v0c3pnd7BPb8ljzwMB3Vj
=WkHm
-----END PGP SIGNATURE-----
I'll give it a try on an F10 box when it finishes building.
Ted
On Wed, Jan 21, 2009 at 3:22 PM, Daniel J Walsh <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have sucked it up over the last couple of days and have cleaned up
> most of the MLS avcs in Fedora 11. It now boots up and I can log in in
> enforcing mode.
>
> I would prefer to work with the F11 policy, although this can safely be
> installed on an F10 system.
>
> Tryout 3.6.3-5.f11
>
> I gave the kernel_t the privs to run plymouth, it does not make much
> sense to prevent kernel_t from any of the accesses it needed.
>
> Also wrote most of the policy for wm_t.
>
> Some problems like use of fusermount are going to be tougher to decide
> on what the right thing to do is.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkl3kf0ACgkQrlYvE4MpobNMYwCeOHaZ3GokeMzg8oRrM8vU/S6Q
> sqAAoNlF+b4v0c3pnd7BPb8ljzwMB3Vj
> =WkHm
> -----END PGP SIGNATURE-----
>
On Wed, Jan 21, 2009 at 3:25 PM, Xavier Toth <[email protected]> wrote:
> I'll give it a try on an F10 box when it finishes building.
>
> Ted
>
> On Wed, Jan 21, 2009 at 3:22 PM, Daniel J Walsh <[email protected]> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I have sucked it up over the last couple of days and have cleaned up
>> most of the MLS avcs in Fedora 11. It now boots up and I can log in in
>> enforcing mode.
>>
>> I would prefer to work with the F11 policy, although this can safely be
>> installed on an F10 system.
>>
>> Tryout 3.6.3-5.f11
>>
>> I gave the kernel_t the privs to run plymouth, it does not make much
>> sense to prevent kernel_t from any of the accesses it needed.
>>
>> Also wrote most of the policy for wm_t.
>>
>> Some problems like use of fusermount are going to be tougher to decide
>> on what the right thing to do is.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkl3kf0ACgkQrlYvE4MpobNMYwCeOHaZ3GokeMzg8oRrM8vU/S6Q
>> sqAAoNlF+b4v0c3pnd7BPb8ljzwMB3Vj
>> =WkHm
>> -----END PGP SIGNATURE-----
>>
>
No can do on FC10 as it requires policycoreutils which requires python
2.6 ... :(
Ted
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xavier Toth wrote:
> On Wed, Jan 21, 2009 at 3:25 PM, Xavier Toth <[email protected]> wrote:
>> I'll give it a try on an F10 box when it finishes building.
>>
>> Ted
>>
>> On Wed, Jan 21, 2009 at 3:22 PM, Daniel J Walsh <[email protected]> wrote:
> I have sucked it up over the last couple of days and have cleaned up
> most of the MLS avcs in Fedora 11. It now boots up and I can log in in
> enforcing mode.
>
> I would prefer to work with the F11 policy, although this can safely be
> installed on an F10 system.
>
> Tryout 3.6.3-5.f11
>
> I gave the kernel_t the privs to run plymouth, it does not make much
> sense to prevent kernel_t from any of the accesses it needed.
>
> Also wrote most of the policy for wm_t.
>
> Some problems like use of fusermount are going to be tougher to decide
> on what the right thing to do is.
>>>
> No can do on FC10 as it requires policycoreutils which requires python
> 2.6 ... :(
> Ted
The problem is the spec file has been converted to use the compressed
policycoreutils, You could simply take out the patch and the tgz file
and throw it in the F10 spec file and you could build a F10 policy, or
you could just start using F11/Rawhide.
One problem I have with it now is it is silently failing on dbus
(NetworkManager) even in permissive mode.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkl4e+gACgkQrlYvE4MpobPJDgCeKEK36nIyYeavIZY7knOkaVKS
umAAoMExfvdB+9fwWRG/pj0/l7FFcEF5
=CXFJ
-----END PGP SIGNATURE-----