I use sys-apps/genkernel-next (this applies to regular genkernel as well) to build my initrds so I can have handy things like luks / lvm / whatever in them. As a part of that build process, device nodes have to be managed in order to build the initrd, which SELinux doesn't like:

Nov 15 08:26:39 testbed kernel: [ 970.214459] audit: type=1400 audit(1416061599.124:72): avc: denied { create } for pid=11696 comm="mknod" name="console" ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
Nov 15 08:26:39 testbed kernel: [ 970.214521] audit: type=1400 audit(1416061599.124:73): avc: denied { setattr } for pid=11696 comm="mknod" name="console" dev="dm-4" ino=544891 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
Nov 15 08:26:39 testbed kernel: [ 970.238119] audit: type=1400 audit(1416061599.147:74): avc: denied { unlink } for pid=11707 comm="rm" name="tty1" dev="dm-4" ino=544895 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1

This is pretty easy to fix for sysadm_r:

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 54c3026..333476f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) +allow sysadm_t user_tmp_t:chr_file manage_chr_file_perms; # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t)

This will mean that genkernel (still) won't work on a normal root login of staff_t, but I think that's OK. If you need to be tinkering with device nodes, you are going to be in sysadm_r anyway. Plus you need to be able to manage the contents of /boot.

Reproducible: Always
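Review bot: the added line "+allow sysadm_t user_tmp_t:chr_file manage_chr_file_perms;" is a raw allow rule on a type owned by the userdomain module, placed directly in the sysadm role module; the surrounding context lines (init_exec(sysadm_t), userdom_manage_user_home_dirs(sysadm_t)) all grant access through interfaces, and refpolicy convention is to keep user_tmp_t private to userdomain.if. Suggest adding a manage-chr_file interface for user tmp objects in userdomain.if (alongside the existing userdom_manage_user_tmp_dirs() and similar calls) and calling that from sysadm.te instead. Also note that manage_chr_file_perms is wider than the three permissions the AVCs show being denied (create, setattr, unlink) and that user_tmp_t covers every user's files under /tmp, not only the genkernel build tree, so the rule grants sysadm_t device-node management over all of them; if that is the intent it is worth a comment saying so next to the rule.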
Oops, disregard doublepatch. Bug entry window is small :p
This has been fixed in the master branch in the repo
Will be part of r8 release
r1 is now stable