Bug 426195

Summary: avc: denied multiple instances
Product: [Fedora] Fedora
Reporter: Tim McConnell <timothy.mcconnell>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 7
Keywords: Reopened
Hardware: i686
OS: Linux
Fixed In Version: Current Doc Type: Bug Fix
Last Closed: 2008-01-30 19:19:10 UTC
Attachments: blocked processes in dmesg output (flags: none)

Description Tim McConnell 2007-12-19 06:41:13 UTC
Description of problem:
dmesg shows multiple instances of access denied to various programs

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-61.fc7
selinux-policy-mls-2.6.4-61.fc7
selinux-policy-strict-2.6.4-61.fc7
selinux-doc-1.26-1.1
selinux-policy-devel-2.6.4-61.fc7
selinux-policy-2.6.4-61.fc7


How reproducible:
Unsure 

Steps to Reproduce:
1.
2.
3.
  
Actual results:
audit(1197860776.191:4): avc:  denied  { read } for  pid=1380 comm="rhgb"
name="mtab" dev=dm-0 ino=9177615 scontext=system_u:system_r:rhgb_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
device-mapper: multipath: version 1.0.5 loaded
audit(1197860783.951:5): avc:  denied  { read } for  pid=1463 comm="fsck"
name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.951:6): avc:  denied  { read } for  pid=1463 comm="fsck"
name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.951:7): avc:  denied  { read } for  pid=1463 comm="fsck"
name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.965:8): avc:  denied  { getattr } for  pid=1463 comm="fsck"
path="/etc/blkid/blkid.tab" dev=dm-0 ino=9177811
scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file
audit(1197860784.027:9): avc:  denied  { read } for  pid=1464 comm="fsck.ext3"
name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860784.278:10): avc:  denied  { read } for  pid=1465 comm="fsck.ext3"
name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860784.279:11): avc:  denied  { read } for  pid=1465 comm="fsck.ext3"
name="mtab" dev=dm-0 ino=9177615 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
EXT3 FS on dm-0, internal journal
kjournald starting.  Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1197860784.663:12): avc:  denied  { unlink } for  pid=1479 comm="mount"
name="blkid.tab.old" dev=dm-0 ino=9176836 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860785.360:13): enforcing=0 old_enforcing=1 auid=4294967295
audit(1197860797.488:14): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/mdstat" dev=proc ino=4026531930
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1197860797.489:15): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/irq" dev=proc ino=4026531877
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197860797.489:16): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="irq" dev=proc ino=4026531877 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197860797.489:17): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="irq" dev=proc ino=4026531877 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197860797.489:18): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/irq/21/smp_affinity" dev=proc ino=4026532081
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file
audit(1197860797.489:19): avc:  denied  { read } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
audit(1197860797.490:20): avc:  denied  { search } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
audit(1197860797.490:21): avc:  denied  { read } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
audit(1197860797.490:22): avc:  denied  { search } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
audit(1197860797.491:23): avc:  denied  { read } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1197860797.491:24): avc:  denied  { search } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
audit(1197860797.496:25): avc:  denied  { read } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
audit(1197860797.496:26): avc:  denied  { search } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir
audit(1197860797.503:27): avc:  denied  { read } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file
audit(1197860797.503:28): avc:  denied  { search } for  pid=1498 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir
audit(1197860797.504:29): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/net" dev=proc ino=4026531864
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1197860797.504:30): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="net" dev=proc ino=4026531864 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1197860797.504:31): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="net" dev=proc ino=4026531864 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1197860797.505:32): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/net/ip6_flowlabel" dev=proc ino=4026532485
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1197860797.505:33): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/kcore" dev=proc ino=4026531861
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1197860797.505:34): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/kmsg" dev=proc ino=4026531849
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1197860797.505:35): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1" dev=proc ino=1566
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=dir
audit(1197860797.506:36): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="1" dev=proc ino=1566 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1197860797.506:37): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="1" dev=proc ino=1566 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1197860797.506:38): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1/task/1/fd/10" dev=proc ino=7854
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=lnk_file
audit(1197860797.506:39): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1/task/1/fdinfo/10" dev=proc ino=7855
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=file
audit(1197860797.506:40): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/2" dev=proc ino=1567
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=dir
audit(1197860797.507:41): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="2" dev=proc ino=1567 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1197860797.507:42): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="2" dev=proc ino=1567 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1197860797.507:43): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/2/task/2/environ" dev=proc ino=7898
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=file
audit(1197860797.507:44): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/2/task/2/cwd" dev=proc ino=7907
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0
tclass=lnk_file
audit(1197860797.517:45): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/513" dev=proc ino=1473
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dir
audit(1197860797.517:46): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="513" dev=proc ino=1473 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1197860797.517:47): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="513" dev=proc ino=1473 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1197860797.517:48): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/513/task/513/fd/0" dev=proc ino=9675
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=lnk_file
audit(1197860797.517:49): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/513/task/513/fdinfo/0" dev=proc ino=9679
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=file
audit(1197860797.518:50): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/585" dev=proc ino=1859
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197860797.518:51): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="585" dev=proc ino=1859 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197860797.518:52): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="585" dev=proc ino=1859 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197860797.519:53): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/585/task/585/fd/0" dev=proc ino=9816
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file
audit(1197860797.519:54): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/585/task/585/fdinfo/0" dev=proc ino=9824
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
audit(1197860797.520:55): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1381" dev=proc ino=8986
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0
tclass=dir
audit(1197860797.520:56): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="1381" dev=proc ino=8986 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:rhgb_t:s0 tclass=dir
audit(1197860797.520:57): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="1381" dev=proc ino=8986 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:rhgb_t:s0 tclass=dir
audit(1197860797.520:58): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1381/task/1381/fd/0" dev=proc ino=9977
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0
tclass=lnk_file
audit(1197860797.520:59): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1381/task/1381/fdinfo/0" dev=proc ino=9990
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0
tclass=file
audit(1197860797.520:60): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1393" dev=proc ino=8987
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
audit(1197860797.520:61): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="1393" dev=proc ino=8987 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
audit(1197860797.520:62): avc:  denied  { search } for  pid=1498 comm="setfiles"
name="1393" dev=proc ino=8987 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
audit(1197860797.521:63): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1393/task/1393/fd/0" dev=proc ino=10094
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=lnk_file
audit(1197860797.522:64): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/proc/1393/task/1393/fdinfo/0" dev=proc ino=10102
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=file
audit(1197860798.762:65): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/etc/rhgb/temp/rhgb-console" dev=ramfs ino=6630
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0
tclass=fifo_file
audit(1197860798.763:66): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/etc/rhgb/temp/rhgb-socket" dev=ramfs ino=6579
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0
tclass=sock_file
audit(1197860798.763:67): avc:  denied  { getattr } for  pid=1498
comm="setfiles" path="/etc/rhgb/temp/display" dev=ramfs ino=6577
scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0
tclass=file
audit(1197861759.590:68): avc:  denied  { create } for  pid=1497 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.591:69): avc:  denied  { write } for  pid=1497 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.591:70): avc:  denied  { nlmsg_relay } for  pid=1497
comm="setfiles" scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.591:71): avc:  denied  { audit_write } for  pid=1497
comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1197861759.591:72): avc:  denied  { read } for  pid=1497 comm="setfiles"
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.617:73): enforcing=1 old_enforcing=0 auid=4294967295
Adding 2031608k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1
across:2031608k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Nothing is showing up in SETroubleshooter.

Expected results:
Programs to be allowed if legitimate

Additional info:

Comment 1 Daniel Walsh 2007-12-19 17:10:30 UTC
You have a badly mislabeled file system

touch /.autorelabel; reboot

The file context of file_t indicates that you have booted a machine which was
never labeled or was running with selinux=0. When you turn on SELinux you have to
set up the labeling for the entire machine.


Comment 2 Tim McConnell 2007-12-20 01:40:39 UTC
(In reply to comment #1)
> You have a badly mislabeled file system
Ok then why is SELinux not relabeling the system correctly after upgrading to
newer policies? 

> touch /.autorelabel; reboot
> 
> The file context of file_t indicates that you have booted a machine which was
> never labeled or running with selinux=0,  When you turn on SELinux you have to
> setup the labeling for the entire machine.

What I did is disable SELinux and reboot, then set SELinux to enforcing and
rebooted. Upon rebooting SELinux relabeled the system. Thus I have two questions
about your above statement:

1) If I have SELinux set to disabled or to zero, why is it still active?
If someone disables it they are probably thinking SELinux is not protecting
their system at all. If that is not true shouldn't the setting be called
"minimal" instead of disabled? 

2) Why is the FSCK command being blocked (especially if the statement you made
about SELinux being disabled was correct)? If that is the only way for Linux to
repair the file system if a problem is found during booting then there should be
a way to allow FSCK to run without being a security hazard or being a possible
source for hostile takeover by a malicious user. 

Comment 3 Daniel Walsh 2007-12-20 21:13:47 UTC
When selinux-policy is updated the scripts compare the previous installed
selinux-policy file_context mappings to the newly installed one and then fix the
contexts on the difference.  It does not fully relabel as this would take too
long.  

If SELinux is disabled, then nothing is happening.  But the file context is still
on disk from when the machine was running with selinux enabled.  So selinux
disabled means disabled.  I guess fsck should be allowed to run even with bad
labeling.

I have no idea how you got to this labeling, as you have seen SELinux attempts
to protect itself by watching for the creation of a file with a bad label.  If
you boot a machine with selinux disabled, it creates the /.autorelabel file
which it then uses the next time you boot to trigger a relabeling of the system.

From /etc/rc.sysinit

# Check to see if a full relabel is needed
if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
    if [ -f /.autorelabel ] || strstr "$cmdline" autorelabel ; then
        relabel_selinux
    fi
else
    if [ -d /etc/selinux -a "$READONLY" != "yes" ]; then
        [ -f /.autorelabel ] || touch /.autorelabel
    fi
fi

So these AVCs look like you turned on SELinux and then rebooted.  The system
went through and fixed the file context on disk; these AVC messages were
generated in the process.

I will fix the fsck being allowed to read file_t problem in the next F7 update.
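
A defender-side triage helper, added here and not part of this bug report or of selinux-policy, that reads dmesg AVC records in the format shown in the description (re-joining records that dmesg wrapped across lines), separates denials whose target still carries file_t (the never-labeled state described above, fixed by a relabel) from denials against properly typed objects (a real policy gap, like the fsck read that was fixed in policy), and records the enforcing/permissive switches that bracket the relabel. The sample records are copied from the report above.

```python
import re
from collections import Counter

# Sample input: records copied from the dmesg output in this report
# (kernel "audit(...)" prefix; dmesg wraps one record over several lines).
SAMPLE = """\
audit(1197860783.951:5): avc:  denied  { read } for  pid=1463 comm="fsck"
name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860785.360:13): enforcing=0 old_enforcing=1 auid=4294967295
audit(1197860797.489:16): avc:  denied  { read } for  pid=1498 comm="setfiles"
name="irq" dev=proc ino=4026531877 scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197861759.617:73): enforcing=1 old_enforcing=0 auid=4294967295
"""

HEADER = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")


def join_records(text):
    """Re-join wrapped lines: a new record begins wherever 'audit(' starts a line."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(rec):
    """Return the record's key=value fields plus its kind, denied flag and perms."""
    m = HEADER.match(rec)
    if not m:
        return None
    body = m.group("body")
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    pm = PERMS.search(body)
    fields["perms"] = pm.group(1).split() if pm else []
    fields["kind"] = "avc" if body.startswith("avc:") else "status"
    fields["denied"] = fields["kind"] == "avc" and " denied " in body
    return fields


def triage(text):
    """Bucket denials by whether the target still carries file_t (never labeled,
    so a relabel fixes it) or a real type (a policy gap); log mode switches."""
    report = {"unlabeled": Counter(), "other": Counter(), "mode_changes": []}
    for rec in filter(None, map(parse_record, join_records(text))):
        if rec["kind"] == "status" and "old_enforcing" in rec:
            report["mode_changes"].append((rec["old_enforcing"], rec["enforcing"]))
        elif rec["denied"]:
            ttype = rec.get("tcontext", "").split(":")[2:3]  # type field only
            bucket = "unlabeled" if ttype == ["file_t"] else "other"
            report[bucket][(rec.get("comm"), rec.get("tclass"), " ".join(rec["perms"]))] += 1
    return report
```

Anything in the "unlabeled" bucket is an argument for touch /.autorelabel; only the "other" bucket needs a policy change or an audit2allow review.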

Comment 4 Daniel Walsh 2007-12-20 21:24:57 UTC
Fixed in selinux-policy-2.4.6-64

Comment 5 Tim McConnell 2007-12-21 04:20:17 UTC
Created attachment 290215 [details]
blocked processes in dmesg output

Comment 6 Tim McConnell 2007-12-21 04:23:16 UTC
Also found these lines in /var/log/messages:
Dec 20 20:53:21 timmieland setroubleshoot: [rpc.ERROR] attempt to open server
connection failed: (111, 'Connection refused')

Dec 20 20:52:45 timmieland kernel: audit: *NO* daemon at audit_pid=2217
Dec 20 20:52:45 timmieland kernel: audit: *NO* daemon at audit_pid=2217

Comment 7 Daniel Walsh 2008-01-30 19:19:10 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.