SELinux & Permission Denied for /dev/null in glibc ch.6

Declan Moriarty junk_mail at iol.ie
Wed May 17 06:40:31 PDT 2006


> > touch /dev/null - succeeds
> > echo "fart" > /dev/null gets permission denied error.
> > echo "fart" > /dev/file succeeds
> > /dev/null is 0666
> > 
> 
>  I have no idea how selinux works, but I suppose one possibility is
> that you aren't allowed to create devices here with the current
> policies.
> 
>  But, in some ways this resembles missing devices.  Specifically,
> some or all of them might be regular files.  What does ls -l in /dev
> (chroot, obviously) show?  NB I mean /dev in the tmpfs, not the
> underlying /dev.
> 
>  If it is a selinux thing, you might be able to get round it by
> using mount --bind from outside chroot to mount /dev over the
> minimal /mnt/lfs/dev (you will still need to ensure the minimal dev
> has null and console before you try to boot the new system).

Well, I'm just a little wiser. It's reassuring to know I hadn't done
something laughably silly again :).

There are two modes of SELinux, the full monty and a 'targeted' mode. By
default distros are using the targeted mode, which targets a number of
server daemons, including syslogd. 

The attached file from the logs shows SELinux jumping up at everything
like tmpfs, sysfs and dev and assigning them obscure ways of being
handled. The search +xattr +"transition SIDs" +genfs_context might get
you to an interesting coder's page on this SELinux somewhere. I don't
have /usr/bin/setstatus, btw.

Let's think about options. 

1. Somebody might know how to get out of this, or mebbe figure it.
You guys are going to get more of this.

2. I'll ask elsewhere, and maybe get a way out.

3. hlfs just may work for me, as I have the static compiler from ch. 5.
I don't look forward to meeting pax or grsecurity there. 

4. How much ram do you need for the livecd approach?
 
-- 
        With Best Regards,

        Declan Moriarty.
From DMESG:

security:  3 users, 4 roles, 350 types, 25 bools
security:  55 classes, 18989 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda8, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
inserting floppy driver for 2.6.9-34.EL

Later:
SELinux: initialized (dev usbdevfs, type usbdevfs), uses genfs_contexts

Later:
EXT3 FS on hda2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev hda1, type vfat), uses genfs_contexts
SELinux: initialized (dev hda5, type vfat), uses genfs_contexts

Later:
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda6, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds

From /var/log/messages (=sys.log)
May 17 13:20:04 genius haldaemon: haldaemon startup succeeded
May 17 13:20:05 genius fstab-sync[2924]: removed all generated mount points
May 17 13:20:05 genius fstab-sync[2949]: added mount point /media/cdrecorder for /dev/hdc
May 17 13:20:06 genius fstab-sync[3087]: added mount point /media/usbdisk for /dev/sda
May 17 13:20:06 genius fstab-sync[3097]: added mount point /media/floppy for /dev/fd0
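Added here as an illustration (not from the original post, the quoted reply, or the LFS book): a POSIX shell check that separates the two explanations raised in the thread, a /dev/null that is missing or is a plain file (which is what a stray `touch` would leave behind) versus a genuine 1:3 character device that the kernel still refuses to write to, which with 0666 permissions points at mandatory access control such as SELinux rather than ordinary file permissions. It assumes GNU coreutils `stat` and `ls -Z`; the chroot path /mnt/lfs/dev is the one used in the thread.

```shell
#!/bin/sh
# Diagnose a chroot's /dev/null: real null device, or something else?
# Constructed example for this thread; not part of the original mail.

# Return 0 if PATH is a character device with major 1, minor 3 (null device).
is_null_device() {
    path=$1
    [ -c "$path" ] || return 1
    # GNU stat prints the device major:minor in hex for %t:%T (assumption:
    # GNU coreutils; busybox stat accepts the same format).
    maj_min=$(stat -c '%t:%T' "$path" 2>/dev/null) || return 1
    [ "$maj_min" = "1:3" ]
}

# Classify a /dev/null candidate. Prints exactly one of:
#   missing       - nothing at that path
#   regular-file  - a plain file (touch, not mknod, created it)
#   wrong-device  - a device node, but not major 1 minor 3
#   write-denied  - looks like the null device, yet open-for-write fails;
#                   with mode 0666 this is a MAC (SELinux) denial, not DAC
#   ok            - null device and writable
classify_devnull() {
    path=$1
    if [ ! -e "$path" ]; then echo missing; return 0; fi
    if [ -f "$path" ]; then echo regular-file; return 0; fi
    if ! is_null_device "$path"; then echo wrong-device; return 0; fi
    # ': > file' opens for writing without writing any bytes.
    if : > "$path" 2>/dev/null; then echo ok; else echo write-denied; fi
}

# Human-readable report, including the SELinux context when ls supports -Z.
devnull_report() {
    path=${1:-/dev/null}
    echo "$path: $(classify_devnull "$path")"
    ls -Z "$path" 2>/dev/null || echo "(no security context available for $path)"
}

# Usage: sh devnull_check.sh /mnt/lfs/dev/null   (run from outside the chroot)
if [ -n "${1:-}" ]; then
    devnull_report "$1"
fi
```

Run it against /mnt/lfs/dev/null from the host and then from inside the chroot; a result of `regular-file` confirms the "missing devices" theory from the quoted reply, while `write-denied` alongside a 0666 mode confirms a policy denial that `ls -Z` and the dmesg/audit lines above will corroborate.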