Bug 244574

Summary: ricci_mod_clusterd_t selinux policy prevents "use" access to /dev/null (rpm_script_t)
Product: Red Hat Enterprise Linux 5 Reporter: Subhendu Ghosh <sghosh>
Component: congaAssignee: Jim Parsons <jparsons>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: low Docs Contact:
Priority: low    
Version: 5.0CC: cluster-maint, dwalsh, ghelleks, kanderso, kupcevic, rmccabe
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 5.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-18 18:55:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Subhendu Ghosh 2007-06-17 15:09:13 UTC
/sbin/modclusterd is trying to access /dev/null

Source Context:  root:system_r:ricci_modclusterd_t
Target Context:  root:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects:  /dev/null [ fd ]
Affected RPM Packages:  modcluster-0.9.2-6.el5 [application]
Policy RPM:  selinux-policy-2.4.6-30.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.disable_trans
Host Name:  albany.sa.lga.redhat.com
Platform:  Linux albany.sa.lga.redhat.com 2.6.18-8.el5PAE #1 SMP Fri Jan 26
14:28:43 EST 2007 i686 i686
Alert Count:  1
Line Numbers:   

Raw Audit Messages :

avc: denied { use } for comm="modclusterd" dev=tmpfs egid=0 euid=0
exe="/usr/sbin/modclusterd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="null"
path="/dev/null" pid=8869 scontext=root:system_r:ricci_modclusterd_t:s0 sgid=0
subj=root:system_r:ricci_modclusterd_t:s0 suid=0 tclass=fd
tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tty=pts1 uid=0 

How reproducible:
Always-install conga on RHEL5

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Daniel Walsh 2007-06-18 15:25:49 UTC
This can be ignored.  The update should have succeeded even though this avc was
generated.  I will dontaudit this message in the future.

Fixed in selinux-policy-2.4.6-76.el5

Comment 2 Ryan McCabe 2008-01-18 18:55:40 UTC
Closing per comment #1