Bug 224441 - AVC while updating machine
Summary: AVC while updating machine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-01-25 18:45 UTC by Steve Grubb
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 16:38:09 UTC



Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2007:0544 | normal | SHIPPED_LIVE | selinux-policy bug fix update | 2007-11-08 14:16:49 UTC

Description Steve Grubb 2007-01-25 18:45:51 UTC
Description of problem:
avc: denied { sys_resource } for comm="semodule" egid=0 euid=0
exe="/usr/sbin/semodule" exit=32 fsgid=0 fsuid=0 gid=0 items=0 pid=4002
scontext=system_u:system_r:semanage_t:s0 sgid=0
subj=system_u:system_r:semanage_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:semanage_t:s0 tty=(none) uid=0 

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-24.el5

Steps to Reproduce:
1. Updated via pup

Comment 1 Daniel Walsh 2007-01-25 19:25:45 UTC
Fixed in selinux-policy-2.4.6-31.el5

Comment 2 RHEL Product and Program Management 2007-01-25 19:40:46 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Daniel Walsh 2007-01-25 20:15:14 UTC
I have been asked to hold off til after release.  So pushing it back so we can
build it for Day 0 Release.

Comment 4 James Laska 2007-01-25 20:43:10 UTC
I'm trying to inspect the fix for this issue, as well as get a sense for what
selinux prevented in this case.  Any thoughts?

Comment 5 Daniel Walsh 2007-01-25 21:09:56 UTC
One of the libraries used in semodule requested CAP_SYS_RESOURCE capability. 
Probably to override a resource limit.  The kernel denied it, and the app seemed
to continue running fine.

The following defines what CAP_SYS_RESOURCE is:

CAP_SYS_RESOURCE:
· Override resource limits. Set resource limits; 
· Override quota limits; 
· Override reserved space on ext2 filesystem; 
· Modify data journaling mode on ext3 filesystem (uses journaling resources); 
  NOTE: ext2 honors fsuid when checking for resource overrides, 
  so you can override using fsuid too; 
· Override size restrictions on IPC message queues; 
· Allow more than 64hz interrupts from the real-time clock; 
· Override max number of consoles on console allocation; 
· Override max number of keymaps.
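
The denial quoted in the description, split into its fields and rendered as the two rule forms a policy author chooses between: allow, or dontaudit for a denial the application tolerates. This is an added example, not part of the bug report or of Red Hat's tooling; the function names are hypothetical, and the report does not say which form the fix in selinux-policy-2.4.6-31.el5 used.

```python
import re

# AVC record as quoted in the bug description (line breaks joined).
AVC = ('avc: denied { sys_resource } for comm="semodule" egid=0 euid=0 '
       'exe="/usr/sbin/semodule" exit=32 fsgid=0 fsuid=0 gid=0 items=0 pid=4002 '
       'scontext=system_u:system_r:semanage_t:s0 sgid=0 '
       'subj=system_u:system_r:semanage_t:s0 suid=0 tclass=capability '
       'tcontext=system_u:system_r:semanage_t:s0 tty=(none) uid=0')

def parse_avc(line):
    """Split an 'avc: denied { perms } for k=v ...' record into a dict."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # Values are either double-quoted (may contain spaces) or bare tokens.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        rec[key] = quoted or bare
    return rec

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: ' + context)
    return parts[2]

def candidate_rules(rec):
    """Render the denial as an allow rule and as a dontaudit rule."""
    src, tgt = selinux_type(rec['scontext']), selinux_type(rec['tcontext'])
    # A domain acting on itself is written 'self' in policy source.
    target = 'self' if src == tgt else tgt
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
    body = '%s %s:%s %s;' % (src, target, rec['tclass'], perms)
    return {'allow': 'allow ' + body, 'dontaudit': 'dontaudit ' + body}

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(rec['comm'], rec['exe'], 'pid', rec['pid'])
    for rule in candidate_rules(rec).values():
        print(rule)
```
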

Comment 6 James Laska 2007-01-25 21:54:57 UTC
Sounds like the app was able to successfully recover ... thank you for that
analysis.  QA_ACK for 5.1

Comment 11 errata-xmlrpc 2007-11-07 16:38:09 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


