SELinux Mailing List

Re: [PATCH 1/1] refpolicy: Do not want to transition to sysadm_t when upstart runs a shell

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Fri, 07 Mar 2008 08:52:47 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Nall wrote:
>
> On Mar 6, 2008, at 3:11 PM, James Carter wrote:
>

>> Upstart spawns a shell during boot and, without this patch, it will
>> transition to the sysadm_t domain, but remain in the system_r role.

>
> Is that the cause of these mls avcs I'm seeing in /var/log/messages from
> selinux-policy-mls-3.3.1-12.fc9?
>
> [root@rawhide ~]# grep sysadm_t /var/log/messages
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc:
> denied { read write } for pid=502 comm="sh" path="/dev/console"
> dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.937:4): avc:
> denied { ioctl } for pid=502 comm="sh" path="/dev/console" dev=tmpfs
> ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc:
> denied { signal } for pid=502 comm="rc.sysinit"
> scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc:
> denied { setattr } for pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs
> ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:7): avc:
> denied { create } for pid=542 comm="MAKEDEV" name="loop0-"
> scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:8): avc:
> denied { setattr } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs
> ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.557:9): avc:
> denied { rename } for pid=542 comm="MAKEDEV" name="loop0-" dev=tmpfs
> ino=1822 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.658:10):
> avc: denied { setattr } for pid=542 comm="MAKEDEV" name="parport0-"
> dev=tmpfs ino=1847 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.680:11):
> avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tun-"
> dev=tmpfs ino=1862 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30):
> avc: denied { unlink } for pid=785 comm="udevd" name=".tmp-8-0"
> dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:device_t:s0 tclass=blk_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52):
> avc: denied { write } for pid=1395 comm="rc.sysinit" name="urandom"
> dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55):
> avc: denied { listen } for pid=2051 comm="rpcbind" lport=955
> scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
>
> joe
>
Looks like it. I think leaving it initrc_t would fix most of your avc messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfRSKoACgkQrlYvE4MpobM71gCgvA3E19iSjZf4Fgz9WpIXk3ed
TVgAnRPxSuyLZXGqqEpOGnR1mGN1HTDE
=dhOT
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 7 Mar 2008 - 08:52:56 EST
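The denials Joe quotes all share one source context, system_u:system_r:sysadm_t, which is exactly the domain/role mismatch James's patch removes. The script below is an added example, not code from this thread or from refpolicy: it parses AVC records in the syslog form shown above and flags any process whose domain is running under a role it is not meant for, then groups the denials audit2allow-style so the common root cause is visible. The records in SAMPLE_LOG are copied from Joe's message with each wrapped line re-joined; the final initrc_t record is constructed here as a negative control. The EXPECTED_ROLES table (sysadm_t belongs to sysadm_r) is an assumption drawn from refpolicy's role declarations, not something the thread states.

```python
"""Triage SELinux AVC denials for a domain running under the wrong role.

Added example, not code from the thread or from refpolicy. It parses the
kernel AVC records quoted in Joe Nall's message and flags the pattern James
Carter's patch addresses: a process in sysadm_t whose role is still system_r.
"""
import re
from collections import Counter, defaultdict

# Records copied from the message above, each re-joined onto one line.
# The last line is CONSTRUCTED (not from the thread) as a negative control:
# a denial from initrc_t, which must not be flagged.
SAMPLE_LOG = """\
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884961.873:3): avc: denied { read write } for pid=502 comm="sh" path="/dev/console" dev=tmpfs ino=230 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.239:5): avc: denied { signal } for pid=502 comm="rc.sysinit" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884963.511:6): avc: denied { setattr } for pid=542 comm="MAKEDEV" name="tty1-" dev=tmpfs ino=1803 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884967.023:30): avc: denied { unlink } for pid=785 comm="udevd" name=".tmp-8-0" dev=tmpfs ino=2965 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884971.907:52): avc: denied { write } for pid=1395 comm="rc.sysinit" name="urandom" dev=tmpfs ino=3788 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Mar 7 04:16:21 rawhide kernel: type=1400 audit(1204884980.089:55): avc: denied { listen } for pid=2051 comm="rpcbind" lport=955 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=udp_socket
Mar 7 04:16:30 rawhide kernel: type=1400 audit(1204884990.000:60): avc: denied { getattr } for pid=2100 comm="sh" path="/etc/example" dev=sda1 ino=1 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Which role each domain legitimately runs under. refpolicy ties sysadm_t to
# sysadm_r; this table is an assumption of this example, the thread only
# shows the mismatch itself.
EXPECTED_ROLES = {"sysadm_t": {"sysadm_r"}}


def parse_context(ctx):
    """Split user:role:type[:mls-range] into a dict; the MLS part is optional."""
    user, role, type_, *mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "mls": mls[0] if mls else None}


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["source"] = parse_context(rec["scontext"])
    rec["target"] = parse_context(rec["tcontext"])
    return rec


def parse_log(text):
    """Parse every AVC record in a block of syslog text, skipping other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def role_mismatch(rec, expected=EXPECTED_ROLES):
    """True if the source domain is running under a role it is not meant for."""
    src = rec["source"]
    allowed = expected.get(src["type"])
    return allowed is not None and src["role"] not in allowed


def triage(records):
    """Group mismatched denials by (role, domain) -> processes and rule tuples.

    The rule tuples mirror what audit2allow would emit; the point is that they
    all share one root cause, so the fix is the domain transition, not rules.
    """
    by_ctx = defaultdict(lambda: {"comms": set(), "rules": Counter()})
    for rec in records:
        if not role_mismatch(rec):
            continue
        entry = by_ctx[(rec["source"]["role"], rec["source"]["type"])]
        entry["comms"].add(rec["comm"])
        for perm in rec["perms"]:
            entry["rules"][(rec["source"]["type"], rec["target"]["type"], rec["tclass"], perm)] += 1
    return dict(by_ctx)


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for (role, dom), e in report.items():
        print(f"{dom} running as {role}: {sorted(e['comms'])}")
        for (s, t, cls, p), n in sorted(e["rules"].items()):
            print(f"  allow {s} {t}:{cls} {p};  # {n} denial(s)")
```

Run against the records above, every denial except the constructed initrc_t control lands in one bucket, (system_r, sysadm_t), with sh, rc.sysinit, MAKEDEV, udevd and rpcbind all inheriting the bad context from the upstart shell. That is the signal to look for a wrong domain transition rather than to paste the generated allow rules into policy.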

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service