From: txtoth@gmail.com (Xavier Toth)
Date: Fri, 16 Jan 2009 08:30:11 -0600
Subject: [refpolicy] plymouthd avcs in MLS
In-Reply-To: <496B7588.6000204@redhat.com>
References: <496B7588.6000204@redhat.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jan 12, 2009 at 10:53 AM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joe Nall wrote:
>> type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for
>> pid=1 comm="init" name="plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc: denied { read } for
>> pid=723 comm="init" name="plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans }
>> for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.623:5): avc: denied { getattr } for
>> pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.625:6): avc: denied { search } for
>> pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>> type=AVC msg=audit(1231458433.625:6): avc: denied { read } for
>> pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.632:7): avc: denied { getattr } for
>> pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0
>> ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458434.550:20): avc: denied { read } for
>> pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
>>
>> type=AVC msg=audit(1231458434.550:21): avc: denied { write } for
>> pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023
>> tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
>>
>> with the last avc repeated ~3000 times a second forever in enforcing.
>>
>> Should plymouthd have a dedicated type or should tty1 be SystemHigh?
>>
>> joe
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> I think plymouthd is started in the initrd, so I don't think we can
> have a transition. But shouldn't the kernel be able to override MLS so
> it could write to this terminal?
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAklrdYgACgkQrlYvE4MpobMYDACeOq906O8BalhlDJv94Lu/oe1Z
> Y6QAnj6r0CshCY5G819oBj+jVp4mr/iE
> =oOG1
> -----END PGP SIGNATURE-----
>

kernel_t already has mls_files_[read/write]_all_levels; however, it uses term_use_console, which doesn't cover tty_device_t. The options are to use term_use_all_terms or to "allow kernel_t tty_device_t:chr_file rw_file_perms;". Which will it be?

Ted
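The denials above are the kind of thing one would normally feed to audit2allow, but audit2allow only emits type-enforcement allow rules and says nothing about the MLS side. The following script is an added example, not code from the thread or from refpolicy: it parses AVC records (the sample text is constructed from the denials quoted above, unwrapped to one record per line), groups the denied permissions by source type, target type and object class the way audit2allow does, and additionally flags every record whose subject and object carry different MLS levels, since on an MLS policy a denial looks identical in the audit log whether it came from a missing TE rule or from an MLS constraint, and a bare allow rule will not fix the latter. The low-level comparison used to decide "cross-level" is a heuristic of this example, not something the kernel reports.

```python
"""Summarise SELinux AVC denials and flag MLS cross-level accesses.

Added example for this thread, not refpolicy or audit2allow code.  The sample
records are constructed from the denials quoted in the thread, one per line.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = """\
type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for pid=1 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458433.621:4): avc: denied { read } for pid=723 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans } for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1231458434.550:20): avc: denied { read } for pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1231458434.550:21): avc: denied { write } for pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

# "avc: denied { read write } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:mls] into (user, role, type, mls_range).

    The MLS component itself contains colons (s15:c0.c1023), so split at most
    three times.  On a non-MLS policy the fourth component is absent.
    """
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    user, role, typ = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return user, role, typ, mls


def low_level(mls_range):
    """Current (low) level of a range: 's0-s15:c0.c1023' -> 's0', 's15:c0.c1023' -> itself.

    Heuristic for this example: MLS read/write constraints compare the subject's
    current level with the object's level, and for a process that is the low end.
    """
    return mls_range.split('-', 1)[0] if mls_range else None


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    _, _, stype, smls = parse_context(fields['scontext'])
    _, _, ttype, tmls = parse_context(fields['tcontext'])
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        'stype': stype, 'smls': smls,
        'ttype': ttype, 'tmls': tmls,
        'tclass': fields['tclass'],
    }


def summarise(text):
    """Group denied permissions per (source type, target type, class) and
    collect the records whose subject and object levels differ."""
    rules = defaultdict(set)
    cross_level = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
        if low_level(rec['smls']) != low_level(rec['tmls']):
            cross_level.append(rec)
    return rules, cross_level


def allow_rules(rules):
    """Render the grouped denials as TE allow rules, audit2allow style."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    grouped, cross = summarise(SAMPLE_AVCS)
    print('\n'.join(allow_rules(grouped)))
    for rec in cross:
        print('MLS cross-level: %s (%s) %s at %s -> %s at %s' % (
            rec['comm'], rec['stype'], rec['perms'], rec['smls'], rec['ttype'], rec['tmls']))
```

Run as a script it prints the three candidate allow rules and lists every record as cross-level, which is the point of the thread: plymouthd runs as kernel_t at s15:c0.c1023 while tty1 is labelled s0, so the fix needs both a TE rule covering tty_device_t and an MLS override that kernel_t is already granted for files, not an allow rule alone.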