Bug 508099

Summary: Various selinuxfs mls denials
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, ejy712, geoff, gnu_andrew, lam, lsof, mgrepl, redhat2
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-10-23 23:07:31 UTC

Description Orion Poplawski 2009-06-25 15:59:33 UTC
Description of problem:

See these on boot:

type=AVC msg=audit(1245909181.162:363): avc:  denied  { read } for  pid=15976 comm="find" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883993.694:5): avc:  denied  { read } for  pid=1277 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883993.846:6): avc:  denied  { read } for  pid=1317 comm="mii-tool" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883998.062:13): avc:  denied  { read } for  pid=1441 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-53.fc11.noarch

Comment 1 Ed Young 2009-06-25 20:51:20 UTC
See these on vpnc connect:

Source Context:  unconfined_u:unconfined_r:ifconfig_t:s0
Target Context:  system_u:object_r:security_t:s0
Target Objects:  mls [ file ]
Source:  ifconfig
Source Path:  /sbin/ifconfig
Port:  <Unknown>
Host:  dad
Source RPM Packages:  net-tools-1.60-92.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-50.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  dad
Platform:  Linux dad 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count:  6
First Seen:  Wed 24 Jun 2009 08:42:56 AM EDT
Last Seen:  Thu 25 Jun 2009 04:24:00 PM EDT
Local ID:  5b16de0c-7f9f-4337-990c-c637dfd970b9
Line Numbers:  
Raw Audit Messages :

node=dad type=AVC msg=audit(1245961440.664:30): avc: denied { read } for pid=2610 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file 

node=dad type=SYSCALL msg=audit(1245961440.664:30): arch=40000003 syscall=5 success=no exit=-13 a0=bfba8108 a1=8000 a2=0 a3=bfba8108 items=0 ppid=2594 pid=2610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:unconfined_r:ifconfig_t:s0 key=(null)

Comment 2 Miroslav Grepl 2009-06-26 07:44:40 UTC
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
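
As an added example (not code from this bug, from selinux-policy, or from audit2allow itself), the following Python does by hand what the audit2allow step above does for these denials: it parses AVC records in the three shapes seen in this report (raw auditd, syslog-wrapped type=1400, and node= prefixed), skips non-AVC records such as the SYSCALL line, and folds the denials into the allow rules they would require, keyed by source type, target type and object class. The sample log is constructed from the denials quoted above.

```python
import re
from collections import defaultdict

# Constructed sample log: the denials quoted in this bug in the three record
# shapes seen here (raw auditd, syslog-wrapped type=1400, node= prefixed),
# plus one SYSCALL record that the parser must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1245909181.162:363): avc:  denied  { read } for  pid=15976 comm="find" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883993.694:5): avc:  denied  { read } for  pid=1277 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883993.846:6): avc:  denied  { read } for  pid=1317 comm="mii-tool" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883998.062:13): avc:  denied  { read } for  pid=1441 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=dad type=AVC msg=audit(1245961440.664:30): avc: denied { read } for pid=2610 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=dad type=SYSCALL msg=audit(1245961440.664:30): arch=40000003 syscall=5 success=no exit=-13 comm="ifconfig" exe="/sbin/ifconfig"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Parse one AVC 'denied' record; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; the type is what a policy rule names.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Fold denials into the allow rules they need, keyed (stype, ttype, tclass)."""
    perms_by_key = defaultdict(set)
    comms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms_by_key[key].update(rec["perms"])
        comms_by_key[key].add(rec["comm"])
    return [
        "allow %s %s:%s { %s };  # %s" % (s, t, c, " ".join(sorted(p)),
                                         ", ".join(sorted(comms_by_key[(s, t, c)])))
        for (s, t, c), p in sorted(perms_by_key.items())
    ]
```

Calling summarize(SAMPLE_LOG) yields one rule per source domain (dhcpc_t, ifconfig_t, sysstat_t) reading security_t:file, with the commands that triggered it as a trailing comment.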

Comment 3 Miroslav Grepl 2009-06-29 08:45:53 UTC
*** Bug 508547 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2009-06-29 09:58:15 UTC
*** Bug 508484 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2009-06-29 14:07:43 UTC
*** Bug 508447 has been marked as a duplicate of this bug. ***

Comment 6 Jiri Popelka 2009-07-01 12:20:44 UTC
*** Bug 508866 has been marked as a duplicate of this bug. ***

Comment 7 Jiri Popelka 2009-07-01 12:28:12 UTC
*** Bug 508627 has been marked as a duplicate of this bug. ***