Bug 440189

Summary: Current avc Denials during rawhide startup
Product: [Fedora] Fedora
Reporter: dex <dex.mbox>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: jkubin
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-02 20:12:38 UTC
Attachments: dmesg

Description dex 2008-04-02 06:09:21 UTC
Description of problem:
I'm currently seeing these denials during startup on this rawhide system.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-26.fc9.noarch

How reproducible:
start system

Steps to Reproduce:
1. start system
  
Actual results:
denials

Expected results:
no denials

Additional info:

please see attached dmesg

Comment 1 dex 2008-04-02 06:09:21 UTC
Created attachment 300013
dmesg

Comment 2 Daniel Walsh 2008-04-06 10:33:03 UTC
This looks like /sbin/hwclock does not have the correct label on it?

ls -lZ /sbin/hwclock

I am also not seeing these errors in the latest -28 policy.  Please make sure
there is only one policy file in /etc/selinux/targeted/policy

Remove the lower.

Comment 3 dex 2008-04-06 17:30:41 UTC
ls -lZ /sbin/hwclock
-rwxr-xr-x  root root system_u:object_r:hwclock_exec_t:s0 /sbin/hwclock

looks ok to my untrained eye.

Also no change with -28 same set of avc's after a relabel :-(
 

Comment 4 Daniel Walsh 2008-04-08 03:13:46 UTC
udev is supposed to be transitioning to hwclock_t


Are you sure udev is executing /sbin/hwclock?

Is /usr/sbin/hwclock a symlink?

Comment 5 dex 2008-04-08 21:49:22 UTC
(In reply to comment #4)
> udev is supposed to be transitioning to hwclock_t
> 
> 
> Are you sure udev is executing /sbin/hwclock?
How can I verify this?

> Is /usr/sbin/hwclock a symlink?
yes 
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/sbin/hwclock -> ../../sbin/hwclock

policy -29


Comment 6 Daniel Walsh 2008-04-09 12:33:56 UTC
# yum install setools

# sesearch --allow | grep udev | grep hwclock
   allow udev_t hwclock_t : process transition ; 
   allow hwclock_t udev_t : process sigchld ; 
   allow hwclock_t udev_t : fd use ; 
   allow hwclock_t udev_t : fifo_file { ioctl read write getattr lock append }; 
   allow udev_t hwclock_exec_t : file { read getattr execute }; 
   allow hwclock_t udev_tbl_t : file { ioctl read getattr lock }; 


Also verify that there is only one policy file in
/etc/selinux/targeted/policy/policy*

If there are more than one, please delete all but the greatest.