Bug 537617
| Summary: | selinux logs AVCs on bootup - plymouth_t denied access for lvm/cryptsetup | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bradley <bbaetz> | ||||
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 12 | CC: | dwalsh, mgrepl | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 3.6.32-46.fc12 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-11-24 07:49:22 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 369564 [details]
dmesg
You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.6.32-46.fc12.noarch selinux-policy-3.6.32-46.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-46.fc12 selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11672 selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: selinux AVCs appear on bootup. These are in dmesg only, and don't get captured anywhere else (/var/log/messages or /var/log/audit/audit.log). Despite the 'denied', and selinux in enforcing mode, everything appears to work, including my crypted /home, which is an lvm lv. type=1400 audit(1258260098.374:9272): avc: denied { execute } for pid=759 comm="plymouth" name="cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file type=1400 audit(1258260098.374:9273): avc: denied { read open } for pid=759 comm="plymouth" name="cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file type=1400 audit(1258260098.374:9274): avc: denied { execute_no_trans } for pid=759 comm="plymouth" path="/sbin/cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file type=1400 audit(1258260098.375:9275): avc: denied { read } for pid=759 comm="cryptsetup" name="devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1258260098.375:9276): avc: denied { open } for pid=759 comm="cryptsetup" name="devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1258260098.375:9277): avc: denied { getattr } for pid=759 comm="cryptsetup" path="/proc/devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=1400 audit(1258260098.375:9278): avc: denied { getattr } for pid=759 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file type=1400 audit(1258260098.375:9279): avc: denied { read write } for pid=759 comm="cryptsetup" name="control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file type=1400 audit(1258260098.376:9280): avc: denied { open } for pid=759 comm="cryptsetup" name="control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file type=1400 audit(1258260098.376:9281): avc: denied { ipc_lock } for pid=759 comm="cryptsetup" capability=14 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:system_r:plymouth_t:s0 tclass=capability Version-Release number of selected component (if applicable): selinux-policy-3.6.32-41.fc12.noarch selinux-policy-targeted-3.6.32-41.fc12.noarch plymouth-0.8.0-0.2009.29.09.19.fc12.x86_64 (from updates-testing) lvm2-2.02.53-2.fc12.x86_64 How reproducible: Always Steps to Reproduce: 1. Boot 2. dmesg | grep avc 3. Actual results: Above messages Expected results: No error messages Additional info: Just before this I get: name_count maxed, losing inode data: dev=00:05, inode=9249 which google sugests is audit related - may be why its not showing up in the audit logs???