Ticket #45 (new Bug)

Opened 4 months ago

Last modified 4 months ago

DISTRO=redhat unusable on RedHat/Fedora Linux

Reported by: Vikram
Assigned to: pebenito
Priority: Normal
Component: Policy
Version: SVN HEAD
Keywords:
Cc:

Description

As the title suggests. The DISTRO=redhat build conf option provided by refpolicy is not compatible with a RedHat rootfs. The policy produced is far too strict.

Here are a few examples that cause the system to stop or fail to load vital services during init.

#============= consoletype_t ==============
allow consoletype_t file_t:dir search;

#============= crond_t ==============
allow crond_t file_t:dir search;
allow crond_t tmpfs_t:dir search;
allow crond_t tmpfs_t:sock_file write;

#============= depmod_t ==============
allow depmod_t file_t:chr_file { read write };
allow depmod_t file_t:dir search;

#============= fsadm_t ==============
allow fsadm_t file_t:chr_file { read write };

#============= getty_t ==============
allow getty_t file_t:dir search;

#============= ifconfig_t ==============
allow ifconfig_t file_t:dir search;

#============= inetd_t ==============
allow inetd_t bin_t:file { execute getattr };
allow inetd_t file_t:dir search;
allow inetd_t tmpfs_t:dir search;
allow inetd_t tmpfs_t:sock_file write;

#============= insmod_t ==============
allow insmod_t file_t:chr_file { read write getattr };
allow insmod_t tmpfs_t:sock_file write;

#============= mount_t ==============
allow mount_t etc_t:file write;
allow mount_t var_lock_t:dir { write add_name };
allow mount_t var_lock_t:file { write create };

#============= portmap_t ==============
allow portmap_t file_t:dir search;

#============= syslogd_t ==============
allow syslogd_t tmpfs_t:dir search;

My understanding is that DISTRO=redhat will produce a RedHat Linux compatible policy. But this is clearly not the case. Or is there something vital I am missing from my configuration?

Testing done on Fedora 9 with SELinux svn revision 2928 and refpolicy svn revision 2767.
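Most of the rules quoted above target file_t, which is the type an object carries when the file system has no SELinux label at all, so they point at a labelling problem rather than at missing refpolicy rules. The script below is an added example, not part of the ticket or of refpolicy: it parses audit2allow-style allow rules (the sample input is the ticket's own list, embedded inline) and separates rules that would merely paper over unlabeled objects from rules that describe a genuine policy gap. Treating unlabeled_t the same way as file_t is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the audit2allow output quoted in the ticket,
# embedded so the script runs offline.
SAMPLE_RULES = """
#============= consoletype_t ==============
allow consoletype_t file_t:dir search;
#============= crond_t ==============
allow crond_t file_t:dir search;
allow crond_t tmpfs_t:dir search;
allow crond_t tmpfs_t:sock_file write;
#============= depmod_t ==============
allow depmod_t file_t:chr_file { read write };
allow depmod_t file_t:dir search;
#============= fsadm_t ==============
allow fsadm_t file_t:chr_file { read write };
#============= getty_t ==============
allow getty_t file_t:dir search;
#============= ifconfig_t ==============
allow ifconfig_t file_t:dir search;
#============= inetd_t ==============
allow inetd_t bin_t:file { execute getattr };
allow inetd_t file_t:dir search;
allow inetd_t tmpfs_t:dir search;
allow inetd_t tmpfs_t:sock_file write;
#============= insmod_t ==============
allow insmod_t file_t:chr_file { read write getattr };
allow insmod_t tmpfs_t:sock_file write;
#============= mount_t ==============
allow mount_t etc_t:file write;
allow mount_t var_lock_t:dir { write add_name };
allow mount_t var_lock_t:file { write create };
#============= portmap_t ==============
allow portmap_t file_t:dir search;
#============= syslogd_t ==============
allow syslogd_t tmpfs_t:dir search;
"""

# allow <source> <target>:<class> <perm | { perm ... }>;
RULE_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$')

# Targets that should never be "fixed" by adding an allow rule: file_t is
# what an object gets when the file system carries no label. Including
# unlabeled_t here is an assumption of this example.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unparsed rule: {line!r}")
        source, target, obj_class, perms = match.groups()
        perm_set = frozenset(perms.strip("{} ").split())
        rules.append((source, target, obj_class, perm_set))
    return rules


def triage(rules):
    """Split rules into relabel candidates (keyed by domain) and policy gaps."""
    relabel = defaultdict(list)
    policy_gaps = []
    for source, target, obj_class, perms in rules:
        if target in UNLABELED_TYPES:
            # The domain touched an unlabeled object: run restorecon / relabel
            # the file system instead of widening the policy.
            relabel[source].append((target, obj_class, perms))
        else:
            policy_gaps.append((source, target, obj_class, perms))
    return dict(relabel), policy_gaps


def triage_text(text):
    return triage(parse_rules(text))


if __name__ == "__main__":
    relabel, gaps = triage_text(SAMPLE_RULES)
    print("Domains hitting unlabeled objects (relabel, do not add rules):")
    for domain in sorted(relabel):
        print(f"  {domain}: {len(relabel[domain])} rule(s)")
    print("Rules worth reviewing as real policy gaps:")
    for source, target, obj_class, perms in gaps:
        print(f"  allow {source} {target}:{obj_class} {{ {' '.join(sorted(perms))} }};")
```

Run it on a file saved from `audit2allow -a` instead of the embedded sample to get the same split; on a system where everything in the relabel list disappears after a full relabel, the remaining rules are the ones that actually merit a refpolicy change.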

Change History

07/29/08 15:11:35 changed by Vikram

I think this was a problem with file labels. There seems to be a flaw in the way init deals with selinux. Especially with contexts associated with /dev/.

07/30/08 15:26:32 changed by Vikram

Nevertheless, with refpolicy enabled, init is unable to spawn a shell...

INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "0" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel