Bug 158699
| Field | Value |
|---|---|
| Summary | avc: denied { read } for pid=1692 comm="cp" name=config dev=dm-0 |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 4 |
| Hardware | i386 |
| OS | Linux |
| Reporter | Doug Henderson <djhender> |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Doc Type | Bug Fix |
| Last Closed | 2005-05-25 12:24:13 UTC |
Description
Doug Henderson
2005-05-24 22:51:09 UTC
Created attachment 114805 [details]
full dmesg output
---

Daniel Walsh:

Were you in permissive mode when you got these AVC messages? If so they would not show up in enforcing mode, so we ignore them. There is a dontaudit rule that tells the system to not audit an attempt to read the config file (something all tools linked with libselinux try to do). But in permissive mode the app is allowed to continue on and hits additional denials. If in permissive mode, this bug should be closed.

Dan

---

Doug Henderson:

If I interpret this correctly:

```
[root@lambda ~]# yum list | grep -i selinux
libselinux.i386                        1.23.10-2    installed
libselinux-devel.i386                  1.23.10-2    installed
selinux-policy-targeted.noarch         1.23.16-6    installed
libselinux-debuginfo.i386              1.23.10-2    development
selinux-doc.noarch                     1.19.5-1     development
selinux-policy-strict.noarch           1.23.16-6    development
selinux-policy-strict-sources.noarch   1.23.16-6    development
selinux-policy-targeted-sources.noarch 1.23.16-6    development
[root@lambda ~]#
```

I am using targeted, rather than strict, policies. And:

```
[root@lambda ~]# selinuxenabled
[root@lambda ~]# echo $?
0
[root@lambda ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
```

and permissive mode rather than strict. I touched /.autorelabel and rebooted.

I still get these messages in /var/log/messages:

```
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { read } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { getattr } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
```

So it looks like a process or file related to starting this daemon:

```
system_u:system_r:dhcpc_t root 1716 1 0 20:07 ? 00:00:00 /sbin/dhclient -1 -q -cf /etc/dhclient-eth0.conf -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhclient-eth0.pid eth0
```

might have a problem with its security policy. Please redirect this issue so it gets resolved properly rather than simply closing it. Thanks.

---

Daniel Walsh:

You need to change permissive to enforcing and then the AVC messages will go away.

```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
```

We only fix AVC messages that show up in enforcing mode.

---

Doug Henderson:

I changed /etc/selinux/config to set SELINUX=enforcing, touched /.autorelabel, entered shutdown -r now, and the messages disappeared.
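The thread turns on telling a dontaudit-covered libselinux probe of /etc/selinux/config apart from a denial that actually needs policy work, and on knowing whether the record was produced in permissive mode. The triage script below is an added example, not code from this bug or from Fedora's SELinux tooling. It parses the two AVC records quoted above and classifies read/getattr denials on a selinux_config_t file as the probe Dan describes; the third sample record is constructed, in the later audit format whose permissive=1 field the 2005-era records in this bug do not carry, so that the mode check can be shown as well. The field names (scontext, tcontext, tclass, comm, pid) and the selinux_config_t type are taken from the records on this page; the verdict strings and the "probe" heuristic are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the two AVC records quoted in the bug, followed by one
# hypothetical record in the later audit format that carries a permissive=
# field (absent from the 2005-era records above).
SAMPLE_LOG = """\
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { read } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
May 24 20:08:02 lambda kernel: audit(1116986880.078:0): avc: denied { getattr } for pid=1708 comm="cp" name=config dev=dm-0 ino=10797472 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file
type=AVC msg=audit(1300000000.000:42): avc:  denied  { write } for  pid=2222 comm="dhclient" name="resolv.conf" dev=dm-0 ino=1234 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
"""

# "avc: denied { perm ... } for key=value ..." in both syslog and auditd framing
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC denial into a dict of its fields; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def type_of(context: str) -> str:
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def is_config_probe(rec: Dict[str, object]) -> bool:
    """Heuristic for the libselinux probe of /etc/selinux/config that the
    targeted policy dontaudits: read/getattr on a selinux_config_t file."""
    return (
        rec.get("tclass") == "file"
        and type_of(str(rec.get("tcontext", ""))) == "selinux_config_t"
        and set(rec["perms"]) <= {"read", "getattr"}
    )


def permissive_flag(rec: Dict[str, object]) -> Optional[bool]:
    """Newer kernels append permissive=0/1 to each record; None when absent,
    in which case the mode has to be checked out of band (getenforce)."""
    v = rec.get("permissive")
    return None if v is None else v == "1"


def triage(log: str) -> List[Dict[str, object]]:
    """Classify every AVC denial in the log text."""
    results: List[Dict[str, object]] = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        probe = is_config_probe(rec)
        perm = permissive_flag(rec)
        if probe:
            verdict = "libselinux config probe (dontaudit in targeted policy): noise seen in permissive mode"
        elif perm:
            verdict = "denied while permissive: re-test in enforcing before filing"
        else:
            verdict = "investigate: denial not covered by a known dontaudit"
        results.append({
            "pid": rec.get("pid"),
            "comm": rec.get("comm"),
            "perms": rec["perms"],
            "source": type_of(str(rec.get("scontext", ""))),
            "target": type_of(str(rec.get("tcontext", ""))),
            "probe": probe,
            "permissive": perm,
            "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['comm']}[{r['pid']}] {r['source']} -> {r['target']} "
              f"{r['perms']}: {r['verdict']}")
```

Because the records in this bug have no permissive= field, the script cannot tell from the log alone which mode produced them; on the reporter's box the answer came from /etc/selinux/config (SELINUX=permissive), and `getenforce` gives the live value. The probe heuristic is deliberately narrow: anything other than read/getattr on selinux_config_t, or any denial on another target type, is still reported for investigation.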