Bug 483089

Summary: AVCs generated updating udev: complains about groupadd_t....
Product: Fedora
Reporter: Tom London <selinux>
Component: udev
Assignee: Harald Hoyer <harald>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dwalsh, ffesti, harald, james.antill, katzj, pmatilai, tim.lauridsen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-30 15:03:28 UTC

Description Tom London 2009-01-29 17:17:35 UTC
Description of problem:
Notice SELinux (targeted/enforcing) AVCs during update to udev-137-1.fc11.x86_64:

[root@tlondon ~]# audit2allow -al


#============= groupadd_t ==============
allow groupadd_t rpm_t:tcp_socket { read write };
allow groupadd_t rpm_t:unix_dgram_socket { read write };
allow groupadd_t rpm_var_lib_t:file { read write };
allow groupadd_t var_t:file read;
[root@tlondon ~]#

Snippet from /var/log/messages:

Jan 29 06:36:53 tlondon yum: Updated: bash-4.0-0.2.rc1.fc11.x86_64
Jan 29 06:36:55 tlondon yum: Updated: libvolume_id-137-1.fc11.x86_64
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:55 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:56 tlondon udevd[948]: specified group 'dialout' unknown
Jan 29 06:36:57 tlondon udevd[4487]: specified group 'dialout' unknown
Jan 29 06:36:57 tlondon kernel: udev: starting version 137
Jan 29 06:36:58 tlondon yum: Updated: udev-137-1.fc11.x86_64

Snippet from /var/log/messages:

type=ADD_GROUP msg=audit(1233239818.356:23): user pid=4495 uid=0
auid=500 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
msg='op=adding group acct="dialout" exe="/usr/sbin/groupadd"
(hostname=?, addr=?, terminal=pts/0 res=success)'
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read write }
for  pid=4513 comm="groupadd" path="socket:[67562]" dev=sockfs
ino=67562 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023
tclass=unix_dgram_socket
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read write }
for  pid=4513 comm="groupadd" path="socket:[68303]" dev=sockfs
ino=68303 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read } for
pid=4513 comm="groupadd"
path="/var/cache/yum/11koji32/packages/setup-2.7.7-2.fc11.noarch.rpm"
dev=dm-1 ino=667029
scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read write }
for  pid=4513 comm="groupadd" path="/var/lib/rpm/__db.000" dev=dm-1
ino=66677 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1233239829.939:24): arch=c000003e syscall=59
success=yes exit=0 a0=16029a0 a1=1602a60 a2=16010f0 a3=7fff27b89150
items=0 ppid=4512 pid=4513 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd"
exe="/usr/sbin/groupadd"
subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1233239829.945:25): user pid=4513 uid=0
auid=500 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
msg='op=adding group acct="video" exe="/usr/sbin/groupadd"
(hostname=?, addr=?, terminal=pts/0 res=failed)'
type=AVC msg=audit(1233239829.962:26): avc:  denied  { read write }
for  pid=4515 comm="groupadd" path="socket:[67562]" dev=sockfs
ino=67562 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023
tclass=unix_dgram_socket
type=AVC msg=audit(1233239829.962:26): avc:  denied  { read write }
for  pid=4515 comm="groupadd" path="socket:[68303]" dev=sockfs
ino=68303 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1233239829.962:26): avc:  denied  { read } for
pid=4515 comm="groupadd"
path="/var/cache/yum/11koji32/packages/setup-2.7.7-2.fc11.noarch.rpm"
dev=dm-1 ino=667029
scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233239829.962:26): avc:  denied  { read write }
for  pid=4515 comm="groupadd" path="/var/lib/rpm/__db.000" dev=dm-1
ino=66677 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1233239829.962:26): arch=c000003e syscall=59
success=yes exit=0 a0=fa29a0 a1=fa2a60 a2=fa10f0 a3=7fff2336dd20
items=0 ppid=4514 pid=4515 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd"
exe="/usr/sbin/groupadd"
subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1233239829.969:27): user pid=4515 uid=0
auid=500 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
msg='op=adding group acct="audio" exe="/usr/sbin/groupadd"
(hostname=?, addr=?, terminal=pts/0 res=failed)'


Version-Release number of selected component (if applicable):
yum-3.2.21-6.fc11.noarch
udev-137-1.fc11.x86_64

How reproducible:
Suspect every time....


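For the record: the four rules audit2allow prints above are just the AVCs aggregated by source type, target type and object class, and the SYSCALL record beside them (syscall=59, which is execve on x86_64) is what tells you the denied objects were descriptors groupadd inherited from rpm rather than files it opened itself. The Python below is an added example, not part of this bug report or of udev or audit2allow; it parses the records quoted above (re-joined onto one line each, as auditd writes them), rebuilds the audit2allow output, and correlates each AVC with its SYSCALL record by serial number to flag the exec-time denials.

```python
import re
from collections import defaultdict

# Audit records from this bug (serial 24), re-joined onto one line each; abbreviated SYSCALL fields.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read write } for  pid=4513 comm="groupadd" path="socket:[67562]" dev=sockfs ino=67562 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read write } for  pid=4513 comm="groupadd" path="socket:[68303]" dev=sockfs ino=68303 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read } for  pid=4513 comm="groupadd" path="/var/cache/yum/11koji32/packages/setup-2.7.7-2.fc11.noarch.rpm" dev=dm-1 ino=667029 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233239829.939:24): avc:  denied  { read write } for  pid=4513 comm="groupadd" path="/var/lib/rpm/__db.000" dev=dm-1 ino=66677 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1233239829.939:24): arch=c000003e syscall=59 success=yes exit=0 items=0 ppid=4512 pid=4513 auid=500 uid=0 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One audit line -> dict of its key=value fields (None if it is not an audit record)."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = m.group("serial")
    if rec.get("type") == "AVC":
        rec["perms"] = set(PERMS_RE.search(line).group(1).split())
        rec["stype"] = rec["scontext"].split(":")[2]  # type component only, as audit2allow does
        rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def audit2allow_rules(lines):
    """Aggregate denials by (source type, target type, class) into allow rules, audit2allow style."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] == "AVC":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append("allow %s %s:%s %s;" % (s, t, c, p if len(perms) == 1 else "{ %s }" % p))
    return out

def exec_time_denials(lines):
    """AVCs whose SYSCALL record is execve (59 on x86_64). At exec SELinux re-checks every
    inherited descriptor against the new domain, so these denials mean the parent (rpm_t)
    leaked its sockets and rpm-db handles into groupadd_t; the remedy is to stop the leak,
    not to grant groupadd_t the access the generated rules propose."""
    recs = list(filter(None, map(parse_record, lines)))
    execve = {r["serial"] for r in recs if r["type"] == "SYSCALL" and r.get("syscall") == "59"}
    return [(r["comm"], r["path"], r["ttype"]) for r in recs
            if r["type"] == "AVC" and r["serial"] in execve]
```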
Comment 1 Harald Hoyer 2009-01-30 09:31:44 UTC
udev-127-2 .. moved "groupadd" to %pre

Comment 2 Harald Hoyer 2009-01-30 09:32:02 UTC
udev-137-2 that is, of course

Comment 3 Tom London 2009-01-30 15:03:28 UTC
Today's update:

ownloading Packages:
udev-137-2.fc11.x86_64.rpm                               | 325 kB     00:22     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : udev                                                     1/2 
  Cleanup        : udev                                                     2/2 

Updated:
  udev.x86_64 0:137-2.fc11                                                      

Complete!

No messages in /var/log/messages:

Jan 30 06:57:06 tlondon ntpd[2588]: synchronized to 66.79.148.35, stratum 2


Jan 30 07:00:22 tlondon kernel: udev: starting version 137
Jan 30 07:00:23 tlondon yum: Updated: udev-137-2.fc11.x86_64

And, no AVC's:

[root@tlondon ~]# audit2allow -al


[root@tlondon ~]# 

Thanks!   Closing....