Bug 157373

Summary: avc warnings du jour.
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Dave Jones <davej>
Assignee: Daniel Walsh <dwalsh>
CC: pfrields
Doc Type: Bug Fix
Last Closed: 2005-05-19 14:10:21 UTC

Description Dave Jones 2005-05-10 23:59:49 UTC
Description of problem:

Today's rawhide (May 10th), with tomorrow's kernel (1290).

usb-storage: device scan complete
audit(1115769281.997:0): avc:  denied  { ioctl } for  path=/proc/2520/mounts
dev=proc ino=165150737 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769281.999:0): avc:  denied  { ioctl } for  path=/proc/2521/mounts
dev=proc ino=165216273 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769281.999:0): avc:  denied  { ioctl } for  path=/proc/2522/mounts
dev=proc ino=165281809 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769282.000:0): avc:  denied  { ioctl } for  path=/proc/2519/mounts
dev=proc ino=165085201 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769283.019:0): avc:  denied  { write } for  name=2:0:0:0 dev=sysfs
ino=7471 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc1 dev=sysfs
ino=7468 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc dev=sysfs
ino=7465 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=2:0:0:0 dev=sysfs
ino=7463 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769285.916:0): avc:  denied  { read } for  name=loginuid dev=proc
ino=174194713 scontext=system_u:system_r:auditd_t
tcontext=system_u:system_r:auditd_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts


Also later:

SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts

Is it normal for that to happen twice?
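
Added example, not part of the original report or of any SELinux tool: a small Python triage script that re-joins the wrapped AVC records quoted in the description and groups the denials by source type, target type and object class. The function names are hypothetical, and the sample input is an excerpt of the log lines quoted above.

```python
import re
from collections import defaultdict

# Excerpt of the kernel log quoted in the description, wrapped as on the page.
SAMPLE = """\
audit(1115769281.997:0): avc:  denied  { ioctl } for  path=/proc/2520/mounts
dev=proc ino=165150737 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc1 dev=sysfs
ino=7468 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc dev=sysfs
ino=7465 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
"""

RECORD_START = re.compile(r"^audit\(\d+\.\d+:\d+\): avc:")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def join_records(text):
    """Re-join AVC records that were wrapped over several lines (hypothetical helper)."""
    records, in_record = [], False
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line)
            in_record = True
        elif in_record and FIELD.match(line):  # continuation lines start with key=value
            records[-1] += " " + line
        else:                                  # any other kernel message ends the record
            in_record = False
    return records

def summarize(text):
    """Map (source type, target type, class) to the denied permissions and a hit count."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for rec in join_records(text):
        perms, fields = PERMS.search(rec), dict(FIELD.findall(rec))
        if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: skip rather than guess the missing fields
        key = (fields["scontext"].split(":")[2], fields["tcontext"].split(":")[2], fields["tclass"])
        groups[key]["perms"].update(perms.group(1).split())
        groups[key]["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for key, hit in sorted(summarize(SAMPLE).items()):
        print(key, sorted(hit["perms"]), hit["count"])
```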

Comment 1 Dave Jones 2005-05-11 00:00:17 UTC
Using selinux-policy-targeted-1.23.14-2, btw.

Comment 2 Daniel Walsh 2005-05-11 10:46:43 UTC
Fixed in selinux-policy-targeted-1.23.15-4

Policy contains the following
grep autofs genfs_contexts
# autofs
genfscon autofs /                       system_u:object_r:autofs_t
genfscon automount /                    system_u:object_r:autofs_t

So I guess that is why you get the genfs_contexts line twice.

Comment 3 Dave Jones 2005-05-19 05:20:28 UTC
FYI: whilst installing this I got..

(01:19:41:davej@nwo:~)$ sudo rpm -Uvh selinux-policy-targeted-1.23.16-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
sepol_genbools_array:  unknown boolean use_syslogng
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument
/sbin/restorecon reset /boot/lost+found context ->system_u:object_r:lost_found_t
/sbin/restorecon reset /etc/sysconfig/network-scripts/ifcfg-eth0 context
system_u:object_r:etc_t->system_u:object_r:net_conf_t
/sbin/restorecon reset /etc/sysconfig/network-scripts/ifcfg-lo context
system_u:object_r:etc_t->system_u:object_r:net_conf_t
/sbin/restorecon reset /lost+found context ->system_u:object_r:lost_found_t
/sbin/restorecon reset /usr/sbin/hid2hci context
system_u:object_r:sbin_t->system_u:object_r:bluetooth_exec_t
(01:19:47:davej@nwo:~)$


Comment 4 Daniel Walsh 2005-05-19 14:10:21 UTC
Dave, these are all expected.  We removed use_syslogng boolean from policy.  When
you update policy in the kernel, we attempt to get the current setting of
booleans and maintain it, so since the boolean existed in the old policy and not
in the new one, it puts out a warning.  The restorecon is caused by changes in
file context.

Basically when policy is updated we run a diff between the old file context and
the new and then run restorecon on the diff.