Bug 158699

Summary: avc: denied { read } for pid=1692 comm="cp" name=config dev=dm-0
Product: Fedora
Reporter: Doug Henderson <djhender>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-05-25 12:24:13 UTC

Attachments:
full dmesg output

Description Doug Henderson 2005-05-24 22:51:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
After yum --exclude=\*4.0.0-8\* update and reboot,
dmesg shows the following lines:

ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (8191 buckets, 65528 max) - 272 bytes per conntrack
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1116973947.095:0): avc:  denied  { read } for  pid=1692 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1116973947.095:0): avc:  denied  { getattr } for  pid=1692 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
parport: PnPBIOS parport detected.


full dmesg is attached.


Version-Release number of selected component (if applicable):
kernel-2.6.11-1.1341_FC4

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

Comment 1 Doug Henderson 2005-05-24 22:52:30 UTC
Created attachment 114805 [details]
full dmesg output

Comment 2 Daniel Walsh 2005-05-25 00:40:10 UTC
Were you in permissive mode when you got these AVC messages?  If so they would
not show up in enforcing mode, so we ignore them.  There is a dontaudit rule
that tells the system to not audit an attempt to read the config file. 
(Something all tools linked with libselinux try to do).  But in permissive mode
the app is allowed to continue on and hits additional denials.

If in permissive mode, this bug should be closed.

Dan

Comment 3 Doug Henderson 2005-05-25 02:40:44 UTC
If I interpret this correctly:

[root@lambda ~]# yum list | grep -i selinux
libselinux.i386                          1.23.10-2              installed       
libselinux-devel.i386                    1.23.10-2              installed       
selinux-policy-targeted.noarch           1.23.16-6              installed       
libselinux-debuginfo.i386                1.23.10-2              development     
selinux-doc.noarch                       1.19.5-1               development     
selinux-policy-strict.noarch             1.23.16-6              development     
selinux-policy-strict-sources.noarch     1.23.16-6              development     
selinux-policy-targeted-sources.noarch   1.23.16-6              development     
[root@lambda ~]#

I am using targeted, rather than strict policies. And:

[root@lambda ~]# selinuxenabled 
[root@lambda ~]# echo $?
0


[root@lambda ~]# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

and permissive mode rather than strict.

I touched /.autorelabel and rebooted.

I still get these messages in /var/log/messages:

May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc:  denied  { read }
for  pid=1708 comm="cp" name=config dev=dm-0 ino=10797472
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t
tclass=file
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc:  denied  { getattr
} for  pid=1708 comm="cp" name=config dev=dm-0 ino=10797472
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t
tclass=file

So it looks like a process or file related to starting this daemon:

system_u:system_r:dhcpc_t       root      1716     1  0 20:07 ?        00:00:00
/sbin/dhclient -1 -q -cf /etc/dhclient-eth0.conf -lf
/var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhclient-eth0.pid eth0

might have a problem with its security policy.

Please redirect this issue so it gets resolved properly rather than simply
closing it. Thanks.
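The two AVC formats quoted in this thread (the single-line dmesg record in the description and the record syslog wrapped across four lines in comment 3) are what a triage script has to cope with. The following is an added example, not code from the bug report or from Fedora; it re-joins wrapped records, parses them, and collapses them to the (source type, target type, class) grouping audit2allow works from, using a constructed copy of the lines above as input.

```python
import re
from collections import defaultdict

# Constructed sample: a single-line dmesg record, a record syslog wrapped over
# four lines (both as quoted in this bug), and an unrelated kernel line to ignore.
SAMPLE_LOG = """\
audit(1116973947.095:0): avc:  denied  { read } for  pid=1692 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc:  denied  { getattr
} for  pid=1708 comm="cp" name=config dev=dm-0 ino=10797472
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t
tclass=file
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# A syslog continuation line starts with the closing brace of the permission set
# or with another key=value field; any other line begins a new record.
CONT_RE = re.compile(r'^\s*(\}|\w+=)')

def unwrap_records(text):
    """Re-join AVC records that syslog wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if records and CONT_RE.match(line):
            records[-1] += ' ' + line.strip()
        else:
            records.append(line)
    return records

def parse_avc(text):
    """One dict per AVC record: verdict, permission set and the key=value fields."""
    out = []
    for rec in unwrap_records(text):
        m = AVC_RE.search(rec)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
            out.append({'verdict': m.group('verdict'),
                        'perms': set(m.group('perms').split()), **fields})
    return out

def summarize(denials):
    """Collapse denials to (source type, target type, class) -> sorted permissions."""
    grouped = defaultdict(set)
    for d in denials:
        if d['verdict'] == 'denied':
            src, tgt = d['scontext'].split(':')[2], d['tcontext'].split(':')[2]
            grouped[(src, tgt, d['tclass'])] |= d['perms']
    return {k: sorted(v) for k, v in grouped.items()}
```

A summary entry is not by itself a policy gap: as comment 2 explains, first check whether the host was in permissive mode and whether a dontaudit rule already covers the source/target pair before treating it as something to fix.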


Comment 4 Daniel Walsh 2005-05-25 12:24:13 UTC
You need to change permissive to enforcing and then the AVC messages will go away.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

We only fix AVC messages that show up in enforcing mode.

Comment 5 Doug Henderson 2005-05-26 03:01:56 UTC
I changed /etc/selinux/config to set SELINUX=enforcing
touched /.autorelabel
entered shutdown -r now

the messages disappeared.