Bug 156337 - SELinux strict policy denied messages on boot
Summary: SELinux strict policy denied messages on boot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-04-29 00:30 UTC by Che Gonzalez
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-08 18:09:06 UTC


Description Che Gonzalez 2005-04-29 00:30:49 UTC
Description of problem:
A list of avc denied messages after a fresh install under the strict policy
(some fatal if enforcing). See Additional Info below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.13-4
selinux-doc-1.19.5-1
selinux-policy-strict-1.23.13-4
selinux-policy-strict-sources-1.23.13-4

How reproducible:
After fresh install and all updates as of April 28, 2005.

Steps to Reproduce:
1. Install fc4test2
2. update the previously listed packages.
3. switch to policy strict and permissive
4. reboot
5. capture /var/log/messages for current boot
  
Actual results:
The log messages listed below under Additional Info.

Expected results:
A boot that would not be fatal or prevent booting into the gui.  

Additional info:

[audit2allow output]
allow dhcpc_t selinux_config_t:file { getattr read };
allow fsadm_t ramfs_t:fifo_file ioctl;
allow initrc_t ramfs_t:fifo_file write;
allow initrc_t root_t:file unlink;
allow insmod_t hotplug_etc_t:dir { getattr search };
allow insmod_t nscd_var_run_t:dir search;
allow lvm_t removable_device_t:blk_file { ioctl read };
allow xdm_xserver_t self:process execmem;

# The following entry errors when testing in a policy, but it is logged under another bug
allow rhgb_t etc_t:dir mounton;

[/var/log/messages]
Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc:  denied  { search }
for  name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { getattr }
for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { search }
for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716755.277:0): avc:  denied  { mounton }
for  path=/etc/rhgb/temp dev=dm-0 ino=17467378 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 28 19:32:54 xix kernel: audit(1114731158.024:0): avc:  denied  { write } for
 name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731158.978:0): avc:  denied  { read } for
 name=hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.017:0): avc:  denied  { ioctl } for
 path=/dev/hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.852:0): avc:  denied  { write } for
 name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731160.535:0): avc:  denied  { ioctl } for
 path=/etc/rhgb/temp/rhgb-console dev=ramfs ino=5990
scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731161.265:0): avc:  denied  { unlink }
for  name=halt dev=dm-0 ino=13 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:root_t tclass=file

Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { read } for
 name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t
tcontext=user_u:object_r:selinux_config_t tclass=file

Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { getattr }
for  path=/etc/selinux/config dev=dm-0 ino=17465776
scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t
tclass=file

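The [audit2allow output] block in the description is the aggregation of the /var/log/messages AVC lines above. The following Python script, added here as an example and not part of the bug report or of any Fedora tool, reproduces that aggregation: it re-joins log records that the tracker wrapped across lines, extracts the source type, target type, object class and permission from each denial, merges permissions per (source, target, class) triple, and prints audit2allow-style rules. The only page-specific advice it encodes is the boolean from Comment 3 for the X server execmem denial; the BOOLEAN_HINTS table and every function name are my own. The sample input is a subset of the log lines posted in the report, copied with their wrapping intact.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from the report above, including the
# line-wrapping the tracker introduced (continuation lines carry no timestamp).
SAMPLE_LOG = """Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc:  denied  { search }
for  name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { getattr }
for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { search }
for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 28 19:32:54 xix kernel: audit(1114731158.978:0): avc:  denied  { read } for
 name=hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.017:0): avc:  denied  { ioctl } for
 path=/dev/hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
"""

# A new syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# From Comment 3 in this bug: the execmem denial is covered by a policy boolean,
# so a raw allow rule is not the right fix for it.
BOOLEAN_HINTS = {
    ("xdm_xserver_t", "xdm_xserver_t", "process", "execmem"): "setsebool -P allow_execmem=1",
}


def unwrap(text):
    """Join wrapped log lines back into one record per AVC message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Extract permissions, source type, target type and class; None if not an AVC."""
    m = AVC.search(record)
    if not m:
        return None
    # Contexts are user:role:type[:level]; policy rules are written on the type.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize(text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for rec in unwrap(text):
        d = parse_avc(rec)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules


def format_rule(key, perms):
    """Render one triple as an allow rule; a self-target becomes 'self'."""
    stype, ttype, tclass = key
    target = "self" if stype == ttype else ttype
    p = sorted(perms)
    perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def advise(text):
    """Rules in sorted order; denials that a boolean covers are commented out with the hint."""
    out = []
    for key, perms in sorted(summarize(text).items()):
        hints = [BOOLEAN_HINTS[key + (p,)] for p in sorted(perms) if key + (p,) in BOOLEAN_HINTS]
        rule = format_rule(key, perms)
        out.append(f"# {rule}  -> prefer boolean: {hints[0]}" if hints else rule)
    return out


if __name__ == "__main__":
    print("\n".join(advise(SAMPLE_LOG)))
```

Run as-is it prints the four rules that correspond to the insmod_t, lvm_t and xdm_xserver_t lines of the report's audit2allow block, with the execmem rule replaced by the setsebool command from Comment 3. The unwrap step matters when pasting denials from a ticket or mail rather than reading /var/log/messages directly: without it, the wrapped records lose their scontext/tcontext and silently produce no rules.
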
Comment 1 Daniel Walsh 2005-04-29 17:48:25 UTC
Please only report bugs in enforcing mode.  (At least on the first pass.)
A lot of these avc messages disappear in enforcing mode.

/halt is mislabeled.  restorecon /halt

/etc/rhgb is mislabeled.

Did you relabel?

Also clear the log files after you switch and reboot, in enforcing mode.  Then
report the errors.

Thanks.

Comment 2 Che Gonzalez 2005-04-29 21:39:39 UTC
Relabel was performed before reboot, and /var/log/messages was cleared. I
relabeled twice from system-config-securitylevel and /etc/rhgb was not relabeled
correctly.  I checked /etc/rhgb and resolved the problem with fixfiles. For
/halt I had to mkdir then restorecon it.  The rest is set to allow in my
custom.te file.

I unchecked my custom.te in sepcut, shut down in permissive, and restarted with
enforcing.  I was unable to boot into X server.  A blue ncurses X configuration
screen came up so I set it back to permissive and rebooted.  The following log
entries occurred.

[Strict - Boot - Enforcing]

Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc:  denied  { getattr }
for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc:  denied  { search }
for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.859:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.860:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.861:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Comment 3 Daniel Walsh 2005-04-30 23:53:58 UTC
setsebool -P allow_execmem=1