Bug 220598
Summary: | [lspp] unable to run 'ybin' while enforcing mls policy | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Klaus Kiwi (Old account no longer used) <klaus> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 5.0 | CC: | iboverma, krisw, sgrubb |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | ppc64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | RC | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2007-02-08 01:59:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Klaus Kiwi (Old account no longer used)
2006-12-22 13:44:22 UTC
forgot to add:

```
[root@zaphod lspp-rpms]# rpm -qa | egrep policy
checkpolicy-1.33.1-2.el5
selinux-policy-devel-2.4.6-15.el5
selinux-policy-mls-2.4.6-15.el5
policycoreutils-1.33.6-6.el5
selinux-policy-2.4.6-15.el5
policycoreutils-newrole-1.33.6-6.el5
selinux-policy-targeted-2.4.6-15.el5
[root@zaphod lspp-rpms]#
```

using 1218 refresh on an IBM POWER (lpar) audit2allow yields:

```
allow bootloader_t fixed_disk_device_t:blk_file write;
```

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

SELinux policy has been updated since this was filed. We want to know if this problem still exists with current selinux policy. Thanks.

Seems to be working fine. There is one thing to notice, though - I tested the above by simply upgrading the kernel and kernel-dev packages to the latest lspp (.61) versions (it should run ybin while in %post - well, tested it standalone run as well). There were some AVC denials in the process. I don't really know if this is of any harm, but since it's a relatively common task, I'd like you to take a look and see for yourself (couldn't find any other symptom besides AVC messages).

command:

```
[root@zaphod klausk_rpms]# rpm -Uvh kernel-*.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [ 50%]
   2:kernel-devel           ########################################### [100%]
[root@zaphod klausk_rpms]#
```

audit.log (covering the whole task above):

```
type=AVC msg=audit(1168367356.552:222): avc: granted { setexec } for pid=1502 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367356.552:222): arch=14 syscall=4 success=yes exit=43 a0=14 a1=10618c20 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367356.736:223): avc: denied { read write } for pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc: denied { read write } for pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc: denied { read write } for pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1168367356.736:223): arch=14 syscall=11 success=yes exit=0 a0=1011f968 a1=10112860 a2=10115c88 a3=0 items=0 ppid=1505 pid=1513 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod" subj=root:sysadm_r:depmod_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1168367356.736:223): path="/dev/hvc0"
type=AVC_PATH msg=audit(1168367356.736:223): path="/dev/hvc0"
type=AVC msg=audit(1168367423.044:224): avc: granted { setexec } for pid=2303 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.044:224): arch=14 syscall=4 success=yes exit=43 a0=15 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2303 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367423.104:225): avc: granted { setexec } for pid=2304 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.104:225): arch=14 syscall=4 success=yes exit=43 a0=14 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2304 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
```

You may close the bug. Please contact me if you need a bug report for the above.

Klaus

Fixed in selinux-policy-2.4.6-25

A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
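To show what audit2allow does with records like the ones quoted in this report, here is an added example (not code from the bug or from the selinux-policy project) that parses audit.log AVC records, ignores granted and non-AVC records, and merges repeated denials into one candidate rule per source type, target type and object class. The sample log is constructed from the records above.

```python
import re

# Constructed sample built from the records quoted in this bug: one granted
# record, the repeated depmod denial and an AVC_PATH record that is not an AVC.
AUDIT_LOG = """\
type=AVC msg=audit(1168367356.552:222): avc: granted { setexec } for pid=1502 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1168367356.736:223): avc: denied { read write } for pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc: denied { read write } for pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1168367356.736:223): path="/dev/hvc0"
"""

# AVC record header: timestamp:serial, decision and the permission set.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
                    r'(?P<decision>granted|denied) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
# key=value or key="quoted value" pairs that follow the header.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': float(m['ts']), 'serial': int(m['serial']),
           'decision': m['decision'], 'perms': m['perms'].split()}
    for key, val in FIELD_RE.findall(m['rest']):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize_denials(log_text):
    """Merge denied records into one candidate rule per (source type, target
    type, class), as audit2allow presents them for review. Granted and
    non-AVC records are ignored, and repeated denials collapse to one rule."""
    merged = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ ' + body + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```

On the sample log the result is the single rule `allow depmod_t sysadm_tty_device_t:chr_file { read write };`. That output is a starting point for review, not a fix to apply blindly: a helper inheriting the administrator's tty usually warrants a dontaudit rule rather than an allow.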