From: Dennis Wronka <linuxweb@gmx.net>
To: SELinux Mailing List <selinux@tycho.nsa.gov>
Subject: Re: Problem with MLS because /dev is labeled tmpfs_t
Date: Sat, 9 Aug 2008 16:49:58 +0800
Message-ID: <200808091650.01774.linuxweb@gmx.net>
In-Reply-To: <200808081200.41418.russell@coker.com.au>
On Friday 08 August 2008 10:00:39 Russell Coker wrote:
> On Friday 08 August 2008 00:10, Dennis Wronka <linuxweb@gmx.net> wrote:
> > Does anybody know where this problem is? Is it udev? I already compiled
> > it with SELinux-support, but /dev is always tmpfs_t.
> > As said, I suspect udev here, but of course I might be wrong.
>
> Your udev script which mounts the tmpfs (which might be /etc/init.d/udev or
> a script called by it) needs to call restorecon.
>
> See the scripts in Debian and Fedora for examples of how it's done.
Thanks, this already helped with the wrongly labeled /dev, but not with the
error, which I believe will still stop the boot if I switched to enforcing.
Here's the message:
type=1401 audit(1218261917.800:3): security_validate_transition: denied for
oldcontext=system_u:object_r:fixed_disk_device_t:s0
newconext=system_u:object_r:fixed_disk_device_t:s15:c0.c255
taskcontext=system_u:system_r:lvm_t:s0-s15:c0.c255 tclass=blk_file
As the message doesn't show anything, I do not know for sure exactly which file
it is. As this message is caused by the call of dmsetup mknodes (I use
an encrypted root-partition in this setup), it must be either /dev/hdaX (all
three hda-partitions have this context, hda3 is the actual root-fs)
or /dev/mapper/cryptroot, which also has that context and is the file that's
actually supposed to be created by dmsetup.
I had a look around in the policy but couldn't find a way to get around this.
Also Google wasn't very helpful as it points to patches and sources of the
SELinux-libraries.
Just for testing I removed the call of dmsetup mknodes, but the error still
happens, as lvm vgmknodes still is called and it causes the same problem.
I also switched (disabled the lvm-call and re-enabled the dmsetup-call) and I
get the error. So, both calls give this error, as they both run in the same
domain lvm_t and want to do the same stuff with my files.
Now the problem is, how do I get rid of this problem? Both LVM and DevMapper
are compiled with SELinux-support, but somehow MLS doesn't allow them to
perform this transition.
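The audit line in the message above packs the whole story into three security contexts and a class, and the only thing that differs between oldcontext and newcontext is the MLS level. The following Python is an added example, not something from this thread or from the SELinux project: it parses a security_validate_transition record, reports which context component the transition would change, and checks whether the requested level lies inside the task's own MLS range. The audit line is quoted from the message (including the "newconext" key exactly as printed); every function name is my own, and the code says nothing about which policy constraint produced the denial, only what the record itself shows.

```python
import re

# Audit record quoted from the message above; the "newconext" key is
# reproduced as it appears there, so the parser accepts that spelling.
AUDIT_LINE = (
    "type=1401 audit(1218261917.800:3): security_validate_transition: denied for "
    "oldcontext=system_u:object_r:fixed_disk_device_t:s0 "
    "newconext=system_u:object_r:fixed_disk_device_t:s15:c0.c255 "
    "taskcontext=system_u:system_r:lvm_t:s0-s15:c0.c255 tclass=blk_file"
)

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")
KV_RE = re.compile(r"(oldcontext|newcon\w*|taskcontext|tclass)=(\S+)")


def parse_level(text):
    """Parse one MLS level ('s0', 's15:c0.c255', 's2:c1,c4.c6') into
    (sensitivity, set-of-category-numbers). 'cA.cB' expands to A..B inclusive."""
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"not an MLS level: {text!r}")
    cats = set()
    if m.group(2):
        for item in m.group(2).split(","):
            lo, _, hi = item.partition(".")
            start = int(lo[1:])
            end = int(hi[1:]) if hi else start
            cats.update(range(start, end + 1))
    return int(m.group(1)), cats


def parse_range(text):
    """'s0-s15:c0.c255' -> (low, high); a single level is its own low and high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """MLS dominance: a >= b in sensitivity and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def split_context(ctx):
    """'user:role:type[:mls]' -> dict. The MLS part may itself contain ':'."""
    user, role, typ, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "mls": ":".join(rest)}


def parse_validate_transition(line):
    """Extract the key=value fields of a security_validate_transition record."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if key.startswith("newcon"):   # tolerate the misspelled key
            key = "newcontext"
        fields[key] = value
    return fields


def analyze(line):
    """Summarise what the denied transition would change and whether the
    requested level sits inside the task's MLS range [low, high]."""
    f = parse_validate_transition(line)
    old = split_context(f["oldcontext"])
    new = split_context(f["newcontext"])
    task = split_context(f["taskcontext"])
    changed = [k for k in ("user", "role", "type", "mls") if old[k] != new[k]]
    new_level = parse_range(new["mls"])[0]
    task_low, task_high = parse_range(task["mls"])
    return {
        "tclass": f["tclass"],
        "domain": task["type"],
        "changed": changed,
        "old_level": old["mls"],
        "new_level": new["mls"],
        "new_level_in_task_range": dominates(task_high, new_level)
        and dominates(new_level, task_low),
    }


if __name__ == "__main__":
    for k, v in analyze(AUDIT_LINE).items():
        print(f"{k}: {v}")
```

For the quoted record the summary shows that only the MLS component changes (s0 to s15:c0.c255, the type stays fixed_disk_device_t) and that s15:c0.c255 is within lvm_t's range s0-s15:c0.c255, so the denial is not a simple clearance mismatch; that points the search at the MLS constraints on relabelling rather than at the domain's range.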