Bug 157373 - avc warnings de jour.
Summary: avc warnings de jour.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-10 23:59 UTC by Dave Jones
Modified: 2015-01-04 22:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-19 14:10:21 UTC



Description Dave Jones 2005-05-10 23:59:49 UTC
Description of problem:

Today's rawhide (May 10th), with tomorrow's kernel (1290)..

usb-storage: device scan complete
audit(1115769281.997:0): avc:  denied  { ioctl } for  path=/proc/2520/mounts
dev=proc ino=165150737 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769281.999:0): avc:  denied  { ioctl } for  path=/proc/2521/mounts
dev=proc ino=165216273 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769281.999:0): avc:  denied  { ioctl } for  path=/proc/2522/mounts
dev=proc ino=165281809 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769282.000:0): avc:  denied  { ioctl } for  path=/proc/2519/mounts
dev=proc ino=165085201 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769283.019:0): avc:  denied  { write } for  name=2:0:0:0 dev=sysfs
ino=7471 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc1 dev=sysfs
ino=7468 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc dev=sysfs
ino=7465 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=2:0:0:0 dev=sysfs
ino=7463 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769285.916:0): avc:  denied  { read } for  name=loginuid dev=proc
ino=174194713 scontext=system_u:system_r:auditd_t
tcontext=system_u:system_r:auditd_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts


also later..

SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts

Is it normal for that to happen twice?

Comment 1 Dave Jones 2005-05-11 00:00:17 UTC
using selinux-policy-targeted-1.23.14-2 btw.

Comment 2 Daniel Walsh 2005-05-11 10:46:43 UTC
Fixed in selinux-policy-targeted-1.23.15-4

Policy contains the following
grep autofs genfs_contexts
# autofs
genfscon autofs /                       system_u:object_r:autofs_t
genfscon automount /                    system_u:object_r:autofs_t

So I guess that is why you get the genfs_contexts line twice.

Comment 3 Dave Jones 2005-05-19 05:20:28 UTC
FYI: whilst installing this I got..

(01:19:41:davej@nwo:~)$ sudo rpm -Uvh selinux-policy-targeted-1.23.16-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
sepol_genbools_array:  unknown boolean use_syslogng
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument
/sbin/restorecon reset /boot/lost+found context ->system_u:object_r:lost_found_t
/sbin/restorecon reset /etc/sysconfig/network-scripts/ifcfg-eth0 context
system_u:object_r:etc_t->system_u:object_r:net_conf_t
/sbin/restorecon reset /etc/sysconfig/network-scripts/ifcfg-lo context
system_u:object_r:etc_t->system_u:object_r:net_conf_t
/sbin/restorecon reset /lost+found context ->system_u:object_r:lost_found_t
/sbin/restorecon reset /usr/sbin/hid2hci context
system_u:object_r:sbin_t->system_u:object_r:bluetooth_exec_t
(01:19:47:davej@nwo:~)$


Comment 4 Daniel Walsh 2005-05-19 14:10:21 UTC
Dave, these are all expected.  We removed use_syslogng boolean from policy.  When
you update policy in the kernel, we attempt to get the current setting of
booleans and maintain it, so since the boolean existed in the old policy and not
in the new one, it puts out a warning.  The restorecon is caused by changes in
file context.  

Basically, when policy is updated we run a diff between the old file context and
the new and then run restorecon on the diff.
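
The diff-then-restorecon step described in Comment 4, sketched as an added example (not the package's scriptlet and not code from this bug). The two file_contexts snapshots and their path regexes are constructed, using the types seen in the restorecon output above; `parse_fc`, `changed_specs`, `relabel_root` and `restorecon_targets` are hypothetical helper names.

```python
# Constructed sample data: file_contexts before and after a policy update.
OLD_FC = r"""
/etc(/.*)?                                   system_u:object_r:etc_t
/usr/sbin(/.*)?                              system_u:object_r:sbin_t
"""
NEW_FC = r"""
# comment lines and blank lines are ignored
/etc(/.*)?                                   system_u:object_r:etc_t
/etc/sysconfig/network-scripts/ifcfg-.*  --  system_u:object_r:net_conf_t
/usr/sbin(/.*)?                              system_u:object_r:sbin_t
/usr/sbin/hid2hci                        --  system_u:object_r:bluetooth_exec_t
/lost\+found(/.*)?                           system_u:object_r:lost_found_t
"""

def parse_fc(text):
    """Map (path_regex, file_type) -> context for each file_contexts entry."""
    specs = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = fields[1] if len(fields) == 3 else ""  # e.g. "--" = regular file
        specs[(fields[0], ftype)] = fields[-1]
    return specs

def changed_specs(old_text, new_text):
    """Path regexes added, removed, or given a new context by the update."""
    old, new = parse_fc(old_text), parse_fc(new_text)
    return sorted(k[0] for k in old.keys() | new.keys() if old.get(k) != new.get(k))

def relabel_root(regex):
    """Longest literal path that sits at or above everything the regex matches."""
    out, i = "", 0
    while i < len(regex) and regex[i] not in ".[](){}*+?|^$":
        if regex[i] == "\\" and i + 1 < len(regex):
            i += 1                       # backslash-escaped char is a literal
        out += regex[i]
        i += 1
    if i < len(regex) and not regex.startswith("(/", i):
        out = out.rsplit("/", 1)[0]      # partial last component: use parent dir
    return out or "/"

def restorecon_targets(old_text, new_text):
    """Paths to relabel, dropping any path already covered by a shorter one."""
    roots = sorted({relabel_root(r) for r in changed_specs(old_text, new_text)})
    return [r for r in roots
            if not any(r != p and r.startswith(p.rstrip("/") + "/") for p in roots)]

if __name__ == "__main__":
    for target in restorecon_targets(OLD_FC, NEW_FC):
        print("restorecon -R", target)
```

Only paths under a changed entry are relabeled, which is why the update touches a handful of files instead of the whole filesystem.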



