Bug 417937 - dmesg wants to read/write /dev/console while still device_t labeled
Summary: dmesg wants to read/write /dev/console while still device_t labeled
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r11
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-28 08:39 UTC by Sven Vermeulen (RETIRED)
Modified: 2012-07-30 16:36 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:39:29 UTC
Early during the boot process, around the time that we start udev, we also have dmesg write out information. In this process, dmesg tries to read/write /dev/console which by that time is still labeled device_t (as the /dev structure is devtmpfs).

This results in denials from SELinux.

Later, when udev has started and relabeled all files, dmesg succeeds in this.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:39:55 UTC
Will be dontaudit'ed in r11
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 08:41:09 UTC
AVC denials shown:

"""
[    3.247401] type=1400 audit(1338194354.246:5): avc:  denied  { read write } for  pid=997 comm="dmesg" name="console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[    3.260807] type=1400 audit(1338194354.259:6): avc:  denied  { read write } for  pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[    3.268971] type=1400 audit(1338194354.267:7): avc:  denied  { read write } for  pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
[    3.273404] type=1400 audit(1338194354.272:8): avc:  denied  { read write } for  pid=997 comm="dmesg" path="/dev/console" dev="devtmpfs" ino=1035 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:device_t tclass=chr_file
"""
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-28 09:14:28 UTC
In hardened-dev overlay, rev 11
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:59:10 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:36:46 UTC
Stabilized