Bug 156337

Summary: SELinux strict policy denied messages on boot
Product: Fedora
Reporter: Che Gonzalez <che.gonzalez>
Component: selinux-policy-strict
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-06-08 18:09:06 UTC

Description Che Gonzalez 2005-04-29 00:30:49 UTC
Description of problem:
A list of avc denied messages after a fresh install under the strict policy
(some fatal if enforcing). See Additional Info below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.13-4
selinux-doc-1.19.5-1
selinux-policy-strict-1.23.13-4
selinux-policy-strict-sources-1.23.13-4

How reproducible:
After fresh install and all updates as of April 28, 2005.

Steps to Reproduce:
1. Install fc4test2.
2. Update the previously listed packages.
3. Switch to the strict policy in permissive mode.
4. Reboot.
5. Capture /var/log/messages for the current boot.

Actual results:
The log messages listed below under Additional Info.

Expected results:
A boot that is not fatal and does not prevent booting into the GUI.

Additional info:

[audit2allow output]
allow dhcpc_t selinux_config_t:file { getattr read };
allow fsadm_t ramfs_t:fifo_file ioctl;
allow initrc_t ramfs_t:fifo_file write;
allow initrc_t root_t:file unlink;
allow insmod_t hotplug_etc_t:dir { getattr search };
allow insmod_t nscd_var_run_t:dir search;
allow lvm_t removable_device_t:blk_file { ioctl read };
allow xdm_xserver_t self:process execmem;

# The following entry errors when tested in a policy, but it is logged under
# another bug:
allow rhgb_t etc_t:dir mounton;

[/var/log/messages]
Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc:  denied  { search }
for  name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { getattr }
for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { search }
for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716755.277:0): avc:  denied  { mounton }
for  path=/etc/rhgb/temp dev=dm-0 ino=17467378 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 28 19:32:54 xix kernel: audit(1114731158.024:0): avc:  denied  { write } for
 name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731158.978:0): avc:  denied  { read } for
 name=hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.017:0): avc:  denied  { ioctl } for
 path=/dev/hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.852:0): avc:  denied  { write } for
 name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731160.535:0): avc:  denied  { ioctl } for
 path=/etc/rhgb/temp/rhgb-console dev=ramfs ino=5990
scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731161.265:0): avc:  denied  { unlink }
for  name=halt dev=dm-0 ino=13 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:root_t tclass=file

Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { read } for
 name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t
tcontext=user_u:object_r:selinux_config_t tclass=file

Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { getattr }
for  path=/etc/selinux/config dev=dm-0 ino=17465776
scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t
tclass=file

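An added illustration, not part of this bug report or of the selinux-policy packages: a small Python script that folds multi-line AVC denial records like the ones above into audit2allow-style allow rules, which is how the list under [audit2allow output] relates to the log. The embedded log excerpt copies four of the records from this report; the regex and helper names are my own.

```python
import re

# Syslog wraps each AVC record over several lines, so match in DOTALL mode and
# stop at the first tclass= that follows the denied { ... } block.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)",
    re.DOTALL,
)

def type_of(context):
    """user:role:type[:level] -> type; the user part (system_u, user_u) is irrelevant."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = {}
    for m in AVC_RE.finditer(log_text):
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials

def to_allow_rules(log_text):
    """Render the denials as audit2allow-style rules, one per line, sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(collect_denials(log_text).items()):
        tgt = "self" if tgt == src else tgt   # audit2allow writes 'self' here
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

# Log excerpt copied from the report above (four of the records).
SAMPLE_LOG = """\
Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { getattr }
for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { search }
for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { read } for
 name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t
tcontext=user_u:object_r:selinux_config_t tclass=file
"""

if __name__ == "__main__":
    print("\n".join(to_allow_rules(SAMPLE_LOG)))
```

The dhcpc_t rule comes out with only read because the excerpt omits the matching getattr record; run over the full /var/log/messages it merges into the { getattr read } shown above.
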
Comment 1 Daniel Walsh 2005-04-29 17:48:25 UTC
Please only report bugs in enforcing mode.  (At least on the first pass.)
A lot of these avc messages disappear in enforcing mode.

/halt is mislabeled.  restorecon /halt

/etc/rhgb is mislabeled.

Did you relabel?

Also clear the log files after you switch and reboot, in enforcing mode.  Then
report the errors.

Thanks.

Comment 2 Che Gonzalez 2005-04-29 21:39:39 UTC
Relabel was performed before reboot, and /var/log/messages was cleared. I
relabeled twice from system-config-securitylevel and /etc/rhgb was not relabeled
correctly.  I checked /etc/rhgb and resolved the problem with fixfiles. For
/halt I had to mkdir then restorecon it.  The rest is set to allow in my
custom.te file.

I unchecked my custom.te in sepcut, shut down in permissive, and restarted with
enforcing.  I was unable to boot into the X server.  A blue ncurses X configuration
screen came up, so I set it back to permissive and rebooted.  The following log
entries occurred.

[Strict - Boot - Enforcing]

Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc:  denied  { getattr }
for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc:  denied  { search }
for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.859:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.860:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.861:0): avc:  denied  { execmem }
for  scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:xdm_xserver_t tclass=process

Comment 3 Daniel Walsh 2005-04-30 23:53:58 UTC
setsebool -P allow_execmem=1