
Bug 417937

Summary: dmesg wants to read/write /dev/console while still device_t labeled
Product: Gentoo Linux
Reporter: Sven Vermeulen (RETIRED) <swift>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r11
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:39:29 UTC
Early during the boot process, around the time that we start udev, we also have dmesg write out information. In this process, dmesg tries to read/write /dev/console, which by that time is still labeled device_t (as the /dev structure is devtmpfs).

This results in denials from SELinux.

Later, when udev has started and relabeled all files, dmesg succeeds in this.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:39:55 UTC
Will be dontaudit'ed in r11
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:41:09 UTC
AVC denials shown:

"""
[    3.247401] type=1400 audit(1338194354.246:5): avc:  denied  { read write } for  pid=997 comm="dmesg" name="console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[    3.260807] type=1400 audit(1338194354.259:6): avc:  denied  { read write } for  pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[    3.268971] type=1400 audit(1338194354.267:7): avc:  denied  { read write } for  pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[    3.273404] type=1400 audit(1338194354.272:8): avc:  denied  { read write } for  pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
"""
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 09:14:28 UTC
In hardened-dev overlay, rev 11
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:59:10 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:36:46 UTC
Stabilized