Running strict/enforcing off of Rawhide.
Doing yesterday's updates, the kernel failed to install to /boot. That is, no files installed under /boot, but worked OK installing files to /lib/modules.
I did an rpm -e, setenforce 0; rpm -ivh, and got the following:
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied { read } for pid=3649 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied { getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied { execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2 ino=4474159 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute_no_trans } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
allow bootloader_t etc_t:file execute;
allow bootloader_t selinux_config_t:file { getattr read };
allow bootloader_t staff_home_t:file { getattr read };
Tom London wrote:
Running strict/enforcing off of Rawhide.
Doing yesterday's updates, the kernel failed to install to /boot. That is, no files installed under /boot, but worked OK installing files to /lib/modules.
I did an rpm -e, setenforce 0; rpm -ivh, and got the following:
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied { getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1196086 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied { read } for pid=3649 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied { getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied { execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2 ino=4474159 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:etc_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { execute_no_trans } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied { read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2 ino=2310212 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:consoletype_exec_t tclass=file
allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
allow bootloader_t etc_t:file execute;
allow bootloader_t selinux_config_t:file { getattr read };
allow bootloader_t staff_home_t:file { getattr read };
Can you try selinux-policy-strict-1.19.8-4 out on my
ftp://people.redhat.com/dwalsh/SELinux/Fedora
I added can_exec_any(bootloader_t) which should allow it to run consoletype. Not sure what the etc_t:file execute is about, the others are just because you are running under permissive mode.
Dan
On Wed, 01 Dec 2004 11:08:31 -0500, Daniel J Walsh dwalsh@redhat.com wrote:
Can you try selinux-policy-strict-1.19.8-4 out on my
ftp://people.redhat.com/dwalsh/SELinux/Fedora
I added can_exec_any(bootloader_t) which should allow it to run consoletype. Not sure what the etc_t:file execute is about, the others are just because you are running under permissive mode.
Dan
Dan,
Thanks for the updated policy.
I installed via 'rpm -Uvh' both selinux-policy-strict and selinux-policy-strict-sources, rpm -e'ed the latest kernel install, and redid 'yum update' with strict/enforcing.
Got the following:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: kernel 100 % done 1/1
/bin/bash: /root/.bashrc: Permission denied
Installed: kernel.i686 0:2.6.9-1.1008_FC4
Complete!
[The usual output]. No avc's in log, and it looks like files under /boot were successfully installed.
Thanks! tom
selinux@lists.fedoraproject.org