Bug 217548

Summary: MLS policy doesn't allow a "telinit 1"
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Bastien Nocera <bnocera>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: tao
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-08 00:58:53 UTC

Description Bastien Nocera 2006-11-28 15:59:09 UTC
selinux-policy-mls-2.4.5-3.fc7

When running "telinit 1" with the MLS policy on:

Telling INIT to go to single user mode
avc: denied { execute } for pid=2537 comm="S99single" name="init" dev=dm-0
ino=1998956 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:init_exec_t:s0 tclass=file
avc: denied { read } for pid=2537 comm="S99single" name="init" dev=dm-0
ino=1998956 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:init_exec_t:s0 tclass=file
avc: denied { execute_no_trans } for pid=2537 comm="S99single" name="init"
dev=dm-0 ino=1998956 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:init_exec_t:s0 tclass=file
INIT: Going single user
INIT: Sending processes the TERM signal
INIT: Sending processes the KILL signal
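
The denials in the description, grouped for triage (an added example, not part of the bug report or of the selinux-policy project): the Python below parses the AVC records as they are wrapped in the report and merges them by source type, target type and class, keeping the MLS ranges of both contexts. The function names and the audit2allow-style output string are this example's own assumptions; the page does not say which rule change fixed the bug.

```python
import re
from collections import defaultdict

# Denials copied from the bug description above, wrapped as they appear there.
REPORT = """\
avc: denied { execute } for pid=2537 comm="S99single" name="init" dev=dm-0
ino=1998956 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:init_exec_t:s0 tclass=file
avc: denied { read } for pid=2537 comm="S99single" name="init" dev=dm-0
ino=1998956 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:init_exec_t:s0 tclass=file
avc: denied { execute_no_trans } for pid=2537 comm="S99single" name="init"
dev=dm-0 ino=1998956 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:init_exec_t:s0 tclass=file
INIT: Going single user
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=avc:|\Z)", re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    user, role, typ, *mls = ctx.split(":", 3)  # the MLS range itself contains ':'
    return typ, (mls[0] if mls else None)

def parse_denials(text):
    """Yield one dict per denial, tolerating records wrapped across lines."""
    for perms, rest in AVC.findall(text):
        rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        rec["perms"] = perms.split()
        rec["stype"], rec["slevel"] = split_context(rec["scontext"])
        rec["ttype"], rec["tlevel"] = split_context(rec["tcontext"])
        yield rec

def summarize(text):
    """Merge denials by (source type, target type, class)."""
    merged = defaultdict(lambda: {"perms": [], "levels": set(), "comm": set()})
    for r in parse_denials(text):
        entry = merged[(r["stype"], r["ttype"], r["tclass"])]
        entry["perms"] += [p for p in r["perms"] if p not in entry["perms"]]
        entry["levels"].add((r["slevel"], r["tlevel"]))
        entry["comm"].add(r["comm"])
    return dict(merged)

def candidate_rule(key, entry):  # audit2allow-style text for review; not the shipped fix
    return "allow %s %s:%s { %s };" % (*key, " ".join(entry["perms"]))

if __name__ == "__main__":
    for key, entry in summarize(REPORT).items():
        print(candidate_rule(key, entry), entry["levels"], entry["comm"])
```

All three records collapse into one (initrc_t, init_exec_t, file) entry, with the source at range s0-s15:c0.c1023 and the target at s0.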

Comment 1 RHEL Program Management 2006-11-28 16:30:26 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 2 Daniel Walsh 2006-11-28 16:38:08 UTC
Fixed in selinux-policy-2.4.5-4.el5

Comment 4 Jay Turner 2007-01-11 03:48:31 UTC
QE ack for RHEL5.  Please retest with the latest RHEL5 selinux-policy package.

Comment 6 RHEL Program Management 2007-02-08 00:58:53 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.