Running targeted/enforcing, latest rawhide.
Rebooting after today's updates (including .1261 and selinux-policy-targeted-1.23.12-4), graphical logins fail.
Looks like search access to /proc/PROCESS-ID directories is failing. (Also shown: an early hotplug attempt at writing to sysfs_t.)
I worked around this by doing an 'ALT-CTL-F2', and logging in on the text console, and doing a 'setenforce 0'. Reverting to graphical via 'ALT-CTL-F7' now allows login.
/var/log/messages shows a very large number of avcs, including many that look like:

Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated /etc/resolv.conf

and

Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=4 dev=proc ino=262146 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
<<<<SNIP many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2111 dev=proc ino=138346498 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2476 dev=proc ino=162267138 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2530 dev=proc ino=165806082 scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2575 dev=proc ino=168755202 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir
<<<<SNIP many, many.... >>>>
etc. etc.
Is this a policy change, or did something else change? Or, did I just botch it again?
thanks, tom
Booting w/ enforcing=0 produces the attached log file.
My guess is that this happens when init is checking to see if gdm is up (I boot with 'early-login'). Sound reasonable?
tom
On Monday 25 April 2005 03:45, Tom London selinux@gmail.com wrote:
> Booting w/ enforcing=0 produces the attached log file.
> My guess is that this happens when init is checking to see if gdm is up (I boot with 'early-login'). Sound reasonable?
early-login is implemented in /etc/rc.sysinit so it should be running as initrc_t not init_t.
> avc: denied { write } for name=vcs7 dev=sysfs ino=5938 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
This seems like a bug in hotplug to me. AFAIK it's not valid to create a file under /sys/class/vc/vcs7 or do anything else that requires write access to the directory. Could you please try and track down what is happening and file a bugzilla?
> avc: denied { read } for name=config dev=dm-0 ino=1275872 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
Is dhclient trying to run restorecon? At one stage it was trying to run restorecon which could result in such access. Please find out what it's doing, presumably it's something from /sbin/dhclient-script that's doing this.
As for init_t trying to do something like "ps", could you find out what exactly it's trying to do? Also it would be best if you posted the logs of running with enforcing=0, if nothing else it will give more terse logs that are easier to interpret.
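The reply above asks for terser logs that are easier to interpret; the volume of near-identical `init_t -> *_t search` denials in the first post is exactly the case where collapsing AVC lines by (scontext, tcontext, tclass, permission) makes the handful of distinct problems visible. This is an added example, not code from the thread or from the SELinux tools; the embedded sample lines are taken from the log excerpts posted above, and the `audit(...)`/`avc: denied` syslog format it parses is the one shown there.

```python
"""Collapse SELinux AVC denials from syslog lines into one row per distinct (source, target, class, perms)."""
import re
from collections import defaultdict

# Kernel audit format as it appears in the thread: 'avc: denied { perm ... } for key=value ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the AVC fields for one denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = tuple(m.group("perms").split())
    return rec


def summarize(lines):
    """Group denials by (scontext, tcontext, tclass, perms); record how often each occurred and which names were hit."""
    groups = defaultdict(lambda: {"count": 0, "names": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # dhclient, NET[...] and other non-AVC lines are skipped
        key = (rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"), rec["perms"])
        groups[key]["count"] += 1
        if "name" in rec:
            groups[key]["names"].add(rec["name"])
    return dict(groups)


# Sample input: lines copied from the log excerpts posted in this thread.
SAMPLE_LOG = """\
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
""".splitlines()

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (src, tgt, cls, perms), info in rows:
        print(f"{info['count']:4d}  {src} -> {tgt} {cls} {{ {' '.join(perms)} }}  names={sorted(info['names'])}")
```

Run against a full /var/log/messages the same way (`summarize(open(path))`) to see whether the init_t searches are really one rule-shaped problem or several.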
selinux@lists.fedoraproject.org