Bug 528339
| Summary: | SELinux is preventing /usr/sbin/mcelog "read" access on mem. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jim Meyering <meyering> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, jmalonzo, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:15fb2d7ceb9a1f46281759ac74869593e822c63bcc821e918924587a6d8f5581 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-10-13 15:37:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jim Meyering
2009-10-11 12:12:37 UTC
Hi Dan,

I think I reported this one before, but since then I've updated policy, and in spite of that, today just saw the 100th and 101st instances of this AVC.

Daniel Walsh

Jim, are you sure the policy upgrade succeeded?

```
# rpm -q selinux-policy
selinux-policy-3.6.32-24.fc12.noarch
# audit2allow -wi /tmp/t
node=(removed) type=AVC msg=audit(1255262461.936:2189): avc: denied { read } for pid=18677 comm="mcelog" name="mem" dev=tmpfs ino=3291 scontext=system_u:system_r:dmesg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.
		Possible mismatch between current in-memory boolean settings vs. permanent ones.
```

If I run it through audit2why it says it is allowed. And my reading of the policy looks good.

Could you try yum reinstall selinux-policy-targeted and make sure it does not throw an error.

Jim Meyering

Hi Dan,

Thanks for the quick reply (and on a Sunday!).

```
$ rpm -q selinux-policy
selinux-policy-3.6.32-24.fc12.noarch
```

Hmm... policy upgrade failed, as I suppose you guessed:

```
$ yum -y reinstall selinux-policy-targeted
Loaded plugins: fastestmirror, presto, refresh-packagekit
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * rawhide: fr.rpmfind.net
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.6.32-24.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================
 Package                    Arch      Version            Repository    Size
=================================================================================
Reinstalling:
 selinux-policy-targeted    noarch    3.6.32-24.fc12     rawhide       1.8 M

Transaction Summary
=================================================================================
Remove        0 Package(s)
Reinstall     1 Package(s)
Downgrade     0 Package(s)

Total download size: 1.8 M
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.8 M
selinux-policy-targeted-3.6.32-24.fc12.noarch.rpm        | 1.8 MB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-targeted-3.6.32-24.fc12.noarch            1/1
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:unconfined_execmem_exec_t:s0 specified for /usr/lib64/ghc-6.10.4/ghc [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule:  Failed!

Installed:
  selinux-policy-targeted.noarch 0:3.6.32-24.fc12

Complete!
```

Daniel Walsh

Could you try to install selinux-policy-targeted.noarch 0:3.6.32-25.fc12?

From koji http://koji.fedoraproject.org/koji/buildinfo?buildID=136306

If this works for you I will ask for this policy in beta.

Jim Meyering

Dan,

That installed fine, and with it, mcelog no longer provokes AVCs. Thanks!

Daniel Walsh

Fixed in selinux-policy-3.6.32-25.fc12.noarch
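As an added example (not code from this bug or from the selinux-policy project), a small Python parser for AVC audit records of the kind quoted in the thread: it splits each security context into user/role/type/range while keeping the MLS range (e.g. `s0-s0:c0.c1023`) intact, and counts denials per source type, target type, object class and permission, which is how a recurring denial like this one shows up after a policy update that silently failed. The sample input is the record from this report plus one constructed repeat and one constructed SYSCALL line that the parser must ignore.

```python
import re
from collections import Counter

# Constructed sample: the AVC from the bug report, a constructed repeat of the
# same denial (different serial and pid), and a constructed non-AVC record.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1255262461.936:2189): avc: denied { read } for pid=18677 comm="mcelog" name="mem" dev=tmpfs ino=3291 scontext=system_u:system_r:dmesg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC msg=audit(1255262999.100:2301): avc: denied { read } for pid=19004 comm="mcelog" name="mem" dev=tmpfs ino=3291 scontext=system_u:system_r:dmesg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1255262461.936:2189): arch=c000003e syscall=2 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """user:role:type[:range] -> dict. maxsplit=3 keeps a range such as
    s0-s0:c0.c1023 (which itself contains a colon) in one piece."""
    parts = ctx.split(':', 3)
    keys = ('user', 'role', 'type', 'range')
    return dict(zip(keys, parts + [''] * (4 - len(parts))))


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'ts': float(m['ts']), 'serial': int(m['serial']),
           'decision': m['decision'], 'perms': set(m['perms'].split())}
    for key, value in KV_RE.findall(m['rest']):
        rec[key] = value.strip('"')
    rec['source'] = split_context(rec['scontext'])
    rec['target'] = split_context(rec['tcontext'])
    return rec


def summarize_denials(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied':
            for perm in sorted(rec['perms']):
                counts[(rec['source']['type'], rec['target']['type'],
                        rec['tclass'], perm)] += 1
    return counts
```

Feeding it `ausearch -m AVC -ts boot` output (or the raw audit log) gives a per-rule tally; a rule whose count keeps growing after `rpm -q selinux-policy` reports a version that should allow it is the signal seen in this report, and the next check is whether `semodule` actually succeeded during the upgrade.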