On Mon, Feb 20, 2012 at 07:17:02AM +0100, Tomáš Dobrovolný wrote:
> I think that /dev/console has the correct label (on --bind / /mn/gentoo) -
>
> crw-------. 1 root root system_u:object_r:console_device_t 5, 1 Feb 20
> 01:34 /mnt/gentoo/dev/console
Weird, your previous denial logs showed the following:
type=1400 audit(1329556527.347:3): avc: denied { read write } for
pid=1 comm="init" path="/dev/console" dev="rootfs" ino=99
scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t
tclass=chr_file
Either the mislabeling then was already solved, or the /dev on your root
file system isn't the same as the one that init found back then. Can you
check if /dev/console has inode 99?
> But for now I have one avc denial -- the /etc/init.d/sysctl cannot set
> kernel parameters, but calling sysctl -p directly can. The avc error is:
> avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=capabilty
Hmm... for some reason, refpolicy has explicitly disabled the sys_admin
capability for the initrc_t domain:
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
I'll need to check the commit history to see if there was a particular
reason why it is explicitly not set.
Wkr,
Sven Vermeulen
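A small triage helper, added here as an example and not part of this thread: it parses AVC denial lines like the two quoted above and separates denials whose target carries a fallback label such as root_t (an object that was never relabelled, as the /dev/console denial suggests) from denials that genuinely need a policy rule, for which it prints the allow rule an audit2allow run would propose. The sample lines are constructed from the thread's own denials, and the FALLBACK_TYPES set is an assumption, not something the thread states.

```python
import re

# Constructed sample lines modelled on the two denials reported in the thread
# (not copied from a real audit log).
SAMPLE_DENIALS = [
    'type=1400 audit(1329556527.347:3): avc: denied { read write } for pid=1 '
    'comm="init" path="/dev/console" dev="rootfs" ino=99 '
    'scontext=system_u:system_r:init_t tcontext=system_u:object_r:root_t tclass=chr_file',
    'avc: denied { sys_admin } for pid=1860 comm="sysctl" capability=21 '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t '
    'tclass=capability',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed set of labels an object keeps when it was never relabelled (e.g. a
# /dev populated before the policy was loaded). A denial against one of these
# is a labelling problem to fix with restorecon/relabel, not a missing rule.
FALLBACK_TYPES = {'root_t', 'unlabeled_t', 'default_t', 'file_t'}


def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def ctx_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(':')[2]


def classify(rec):
    """Map a parsed denial to ('relabel', path) or ('policy', allow_rule)."""
    src, tgt = ctx_type(rec['scontext']), ctx_type(rec['tcontext'])
    if tgt in FALLBACK_TYPES:
        return 'relabel', rec.get('path', rec.get('name', '?'))
    target = 'self' if src == tgt else tgt
    return 'policy', 'allow %s %s:%s { %s };' % (src, target, rec['tclass'], ' '.join(rec['perms']))


def triage(lines):
    """Classify every AVC denial found in an iterable of log lines."""
    return [classify(rec) for rec in map(parse_avc, lines) if rec]
```

Feed it `ausearch -m avc` output (or a copied denial) via `triage(sys.stdin)`; a 'relabel' verdict means check the object's inode and label first, as suggested above, before touching policy.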