These changes eliminated all my boot avc: denied violations.

> fsadm.te
-----------
# Allow /sbin/reiserfsck to do its checks. - port001
allow fsadm_t memory_device_t:chr_file getattr;
allow fsadm_t memory_device_t:dir getattr;
allow fsadm_t memory_device_t:fifo_file getattr;
allow fsadm_t zero_device_t:chr_file getattr;
allow fsadm_t device_t:chr_file getattr;
allow fsadm_t random_device_t:chr_file getattr;
allow fsadm_t devtty_t:chr_file getattr;
allow fsadm_t ptmx_t:chr_file getattr;
allow fsadm_t devpts_t:dir getattr;
allow fsadm_t initctl_t:fifo_file getattr;
allow fsadm_t tty_device_t:chr_file getattr;
----

> initrc.te
-----------
# Allow tmpfs to run its course - port001
allow initrc_t tmpfs_t:dir { write add_name read create remove_name rmdir rename };
allow initrc_t tmpfs_t:file { create append read unlink setattr write };
allow initrc_t tmpfs_t:lnk_file { read create unlink };
# reading of /bin/id for the context - port001
allow initrc_t security_t:security sid_to_context;
# some /bin/ps stuff - port001
allow initrc_t proc_hw_t:dir search;
allow initrc_t proc_hw_t:file read;
----

Sorry for the poor comments for each bit, I wasn't sure what scripts were calling the programs that caused the warnings. Should be lots more on the way from me, as those were only my boot ones.

Reproducible: Always
Steps to Reproduce:
I'm going to have to check out the reiserfsck rules; most likely those should be dontaudit rules, instead of allow. Where do you have the tmpfs mounted? /tmp? Either way, tmpfs is not well supported, and it's somewhat messy when it comes to use. A better solution to your rules would probably be "tmpfs_domain(initrc)". As for the proc and id rules, I'll need more info if possible.
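The rules in the first comment were written by hand from boot-time avc messages, and the reply raises the question of whether some of them should be dontaudit rather than allow. The following is an added example (not part of this bug thread, and not Gentoo's policy or the audit2allow tool) of how such a translation can be done mechanically: it parses the old-style kernel avc: denied format the thread refers to, collapses repeated denials into one rule per source type, target type and object class, and records the comm= of each process so you can see which program actually triggered the denial (the information the first poster said was missing). The log lines are constructed for the example and are not taken from the attachment; the kind parameter chooses between allow and dontaudit output.

```python
import re

# Constructed sample of 2.6-era kernel avc messages, modelled on the denial
# classes discussed in the thread. Not taken from the bug's attachment.
SAMPLE_AVC_LOG = """\
audit(1097000001.100:2): avc:  denied  { getattr } for  pid=412 comm="reiserfsck" path="/dev/mem" dev=hda3 ino=1023 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
audit(1097000001.101:3): avc:  denied  { getattr } for  pid=412 comm="reiserfsck" path="/dev/zero" dev=hda3 ino=1031 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
audit(1097000002.200:4): avc:  denied  { write } for  pid=530 comm="rc" name="tmp" dev=tmpfs ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1097000002.201:5): avc:  denied  { add_name } for  pid=530 comm="rc" name=".lock" dev=tmpfs ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
audit(1097000002.300:6): avc:  denied  { sid_to_context } for  pid=541 comm="id" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security
"""

# Matches the permission set, the free-form "for ..." fields, and the
# scontext/tcontext/tclass triple at the end of an avc denial line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<rest>.*?)scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm, comm) for every denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial; ignore other dmesg noise
        comm_m = COMM_RE.search(m.group("rest"))
        comm = comm_m.group(1) if comm_m else "?"
        # A single message may list several permissions inside the braces.
        for perm in m.group("perms").split():
            yield (type_of(m.group("scon")), type_of(m.group("tcon")),
                   m.group("tclass"), perm, comm)


def generate_rules(text, kind="allow"):
    """Collapse denials into one policy rule per (source, target, class).

    kind is 'allow' (grant the access) or 'dontaudit' (keep denying it but
    stop logging it). Each rule is preceded by a comment naming the
    programs (comm=) that were seen triggering that access.
    """
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    groups = {}  # (src, tgt, cls) -> ([perms], [comms]); insertion order kept
    for src, tgt, cls, perm, comm in parse_avc(text):
        perms, comms = groups.setdefault((src, tgt, cls), ([], []))
        if perm not in perms:
            perms.append(perm)
        if comm not in comms:
            comms.append(comm)
    rules = []
    for (src, tgt, cls), (perms, comms) in groups.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("# seen from: " + ", ".join(comms))
        rules.append(f"{kind} {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_AVC_LOG)))
    print()
    print("\n".join(generate_rules(SAMPLE_AVC_LOG, kind="dontaudit")))
```

Feed it the avc lines from dmesg (or the attachment) in place of the constructed sample. The generated rules are a starting point for review, not something to commit blindly: a getattr probe that a program tolerates failing is a candidate for dontaudit, while a denial that actually breaks the boot (the tmpfs writes here) is the one that may need an allow or, as the reply suggests, an existing macro such as tmpfs_domain().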
I got these violations with baselayout 1.8.5.9. They are all gone with baselayout 1.8.6.8-r1.
Created attachment 14026: reiser denies on boot. Using the most recent baselayout and CVS policies.... Also, I took the end of the dmesg out because it wasn't relevant to the bug. The whole dmesg preceding the denies has been included, however. Enjoy ;)
I've committed fixes for most of this, including updating the baselayout version in the profile. However, I'm still curious about the ps and id, why would initrc_t be running these commands?
ps and id denials were also fixed by the newer baselayout. closing.