Bug 182435 - Denials on fresh install

Product: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Fixed In Version: fc5-updates
Severity: medium
Priority: medium
Reporter: Orion Poplawski <orion>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2006-05-09 20:19:33 UTC

Description Orion Poplawski 2006-02-22 15:54:23 UTC
Description of problem:
Freshly installed FC5T3 x86_64 with Xen and Software Development installed.

audit(1140563214.611:2): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:3): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:4): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:5): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.611:6): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name=".in_sysinit" dev=tmpfs ino=1063 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1140563214.611:7): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563214.635:8): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:9): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:10): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:11): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.635:12): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name=".in_sysinit" dev=tmpfs ino=1063 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1140563214.635:13): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563215.111:14): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140563215.111:15): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.111:16): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:17): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="urandom" dev=tmpfs ino=2293 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1140563215.115:18): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:19): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="random" dev=tmpfs ino=2283 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1140563215.115:20): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="ppp" dev=tmpfs ino=1182 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
audit(1140563215.115:21): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport3" dev=tmpfs ino=1179 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:22): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport2" dev=tmpfs ino=1178 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:23): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport1" dev=tmpfs ino=1177 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:24): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport0" dev=tmpfs ino=1176 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:25): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563215.115:26): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563215.115:27): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140563215.115:28): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:29): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.119:30): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="urandom" dev=tmpfs ino=2293 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1140563215.119:31): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.119:32): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="random" dev=tmpfs ino=2283 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1140563215.119:33): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="ppp" dev=tmpfs ino=1182 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
audit(1140563215.119:34): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport3" dev=tmpfs ino=1179 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:35): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport2" dev=tmpfs ino=1178 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:36): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport1" dev=tmpfs ino=1177 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:37): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport0" dev=tmpfs ino=1176 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:38): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563215.119:39): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file

Comment 1 Orion Poplawski 2006-02-22 16:00:02 UTC
After updating to selinux-policy-targeted-2.2.17-2, I'm down to:

audit(1140624078.890:2): avc:  denied  { write } for  pid=1318 comm="mount"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1140624079.666:3): avc:  denied  { write } for  pid=1367 comm="swapon"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file


Comment 2 Daniel Walsh 2006-02-22 17:50:22 UTC
Yes, this is a labeling problem. There should be a fix in mkinitrd and the
initscripts to fix this problem. For now you can restorecon /etc/blkid.*
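An added triage example, not from this bug or from the selinux-policy project: a small parser for the classic AVC record format quoted above that re-joins the records the tracker wrapped across lines, tallies denials by source domain, target type, object class and permission, and flags object names that show up under more than one target type. The sample records are taken from the description, comment 1 and comment 3 of this bug; the drift heuristic (blkid.tab seen as both etc_t and etc_runtime_t) is an assumption of the example, a hint that the on-disk label and the policy's expected label disagree, which is the situation restorecon fixes without any policy change.

```python
import re
from collections import Counter, defaultdict

# Sample AVC records, constructed from the denials quoted in this bug
# (description, comment 1 and comment 3). The tracker wrapped each record
# onto several lines, so the parser has to re-join them first.
SAMPLE = """\
audit(1140563214.611:2): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:5): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.635:8): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.111:14): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140624078.890:2): avc:  denied  { write } for  pid=1318 comm="mount"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1140624079.666:3): avc:  denied  { write } for  pid=1367 comm="swapon"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1140799735.426:2): avc:  denied  { relabelfrom } for  pid=1312
comm="mount" name="blkid.tab" dev=dm-0 ino=48370
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799744.694:4): avc:  denied  { dac_override } for  pid=1419
comm="readahead" capability=1 scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:readahead_t:s0 tclass=capability
"""

# Classic (pre-auditd "type=AVC") record layout, as printed in this bug.
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(text):
    """Re-join records that were wrapped onto several lines by the tracker."""
    records = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith('audit('):
            records.append(s)
        elif records:
            records[-1] += ' ' + s
    return records


def parse_avc(record):
    """Return a dict of the record's fields, or None if it is not an AVC denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        **fields,
    }


def type_of(context):
    """Type field of a user:role:type:level security context."""
    return context.split(':')[2]


def summarize(text):
    """Count denials by (source domain, target type, class, permission)."""
    counts = Counter()
    for rec in join_wrapped(text):
        ev = parse_avc(rec)
        if ev is None:
            continue
        for perm in ev['perms']:
            counts[(type_of(ev['scontext']), type_of(ev['tcontext']),
                    ev['tclass'], perm)] += 1
    return counts


def label_drift(text):
    """Object names seen with more than one target type (heuristic, assumed
    here): a hint that on-disk labels and the policy's file contexts disagree,
    which restorecon fixes without a policy change."""
    seen = defaultdict(set)
    for rec in join_wrapped(text):
        ev = parse_avc(rec)
        if ev and 'name' in ev:
            seen[ev['name']].add(type_of(ev['tcontext']))
    return {name: types for name, types in seen.items() if len(types) > 1}


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE).items()):
        print('%3d  %s -> %s  %s:%s' % (n, *key))
    for name, types in label_drift(SAMPLE).items():
        print('label drift: %s seen as %s' % (name, ', '.join(sorted(types))))
```

Run against a real /var/log/messages or audit.log the same way; the aggregated tuples are the same units that audit2allow reasons about, so the tally tells you at a glance which denials are a policy gap and which, like the blkid.tab entries here, are a file simply carrying the wrong label.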


Comment 3 Orion Poplawski 2006-02-24 16:46:49 UTC
Getting somewhat different ones now with today's rawhide:

audit(1140799735.426:2): avc:  denied  { relabelfrom } for  pid=1312
comm="mount" name="blkid.tab" dev=dm-0 ino=48370
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799743.586:3): avc:  denied  { relabelfrom } for  pid=1387
comm="swapon" name="blkid.tab" dev=dm-0 ino=48367
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799744.694:4): avc:  denied  { dac_override } for  pid=1419
comm="readahead" capability=1 scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:readahead_t:s0 tclass=capability
audit(1140799744.694:5): avc:  denied  { dac_read_search } for  pid=1419
comm="readahead" capability=2 scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:readahead_t:s0 tclass=capability


Comment 4 Russell Coker 2006-03-16 12:46:24 UTC
Does the blkid.tab AVC message still occur?

With the readahead AVC message, if it still occurs then please boot the
machine with audit=1 on the kernel command line so we can get more information
on what's happening.

Comment 5 Orion Poplawski 2006-03-16 16:34:49 UTC
(In reply to comment #4)
> Does the blkid.tab AVC message still occur?
>

Not since Mar 9. Probably fixed by:

Mar 10 12:35:05 Updated: selinux-policy-targeted.noarch 2.2.23-15

> With the readahead AVC message, if it still occurs then please boot the
> machine with audit=1 on the kernel command line so we can get more information
> on what's happening.

Do not see readahead messages either with latest rawhide.