Bug 656290
| Summary: | udevmonitor cannot create socket if MLS policy is in enforcing mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 5.6 | CC: | dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-294.el5 | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-01-13 21:51:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

When SELinux was running in the enforcing mode, the SELinux MLS policy did not allow udevmonitor to create a socket. As a result, an attempt to run this command in single user mode failed with the following error message:

    error getting socket: Permission denied

With this update, the SELinux policy has been fixed to permit the creation of such a socket, and udevmonitor can now be run as expected.
I forgot to mention that the machine is in single mode.

We allow it in RHEL6. Yes we should allow it.

Fixed in selinux-policy-2.4.6-294.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: the text now shown in the Doc Text field above.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
Description of problem:
root cannot run udevmonitor on MLS machine in enforcing mode

Version-Release number of selected component (if applicable):
RHEL5.6-Server-20101119.0
selinux-policy-2.4.6-293.el5
selinux-policy-devel-2.4.6-293.el5
selinux-policy-mls-2.4.6-293.el5
selinux-policy-targeted-2.4.6-293.el5

How reproducible:
always

Steps to Reproduce
==================
(root is logged in via console)

sh-3.2# id -Z
system_u:system_r:sysadm_t:s0-s15:c0.c1023
sh-3.2# setenforce 1
sh-3.2# udevmonitor
error getting socket: Permission denied
sh-3.2# setenforce 0
sh-3.2# udevmonitor
udevmonitor prints the received event from the kernel [UEVENT]
and the event which udev sends out after rule processing [UDEV]
^C

Actual results:
type=1400 audit(1290515858.409:49): avc: denied { create } for pid=3826 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=1404 audit(1290515864.241:50): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=1400 audit(1290515867.913:51): avc: denied { create } for pid=3828 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=1400 audit(1290515867.913:52): avc: denied { bind } for pid=3828 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket

Expected results:
no AVCs
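The audit records in the Actual results give everything needed to derive the rule the MLS policy was missing, and they also show a trap worth noting. In the enforcing-mode run (record 49) only `create` is denied, because socket() fails and udevmonitor never reaches bind(); the `bind` denial (record 52) only appears in the permissive run that follows record 50 (enforcing=0). A rule written from the enforcing-mode record alone would therefore have been incomplete. The script below is an added example, not part of this bug report or of the selinux-policy package: a POSIX shell/awk function that turns those audit lines into a minimal local policy module in the way audit2allow does, collapsing a target type equal to the source type into `self` and merging the permissions of repeated denials. The module name udevmonitor_local and the function name avc_to_te are assumptions made for the example; the input is the audit output quoted in this report.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): derive a
# local SELinux module from AVC denials, audit2allow style.

# The audit records from this report's "Actual results" (records 49-52).
AVC_LOG='type=1400 audit(1290515858.409:49): avc: denied { create } for pid=3826 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=1404 audit(1290515864.241:50): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=1400 audit(1290515867.913:51): avc: denied { create } for pid=3828 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=1400 audit(1290515867.913:52): avc: denied { bind } for pid=3828 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket'

# avc_to_te MODULE_NAME
# Reads audit records on stdin, ignores everything that is not an AVC
# denial, and prints a complete .te module: a require block listing the
# types and classes used, then one allow rule per (source, target, class)
# with the union of all denied permissions.  A target type equal to the
# source type is written as "self", as audit2allow does.
avc_to_te() {
    awk -v mod="${1:-udevmonitor_local}" '
    # Return the SELinux type (third colon-separated field) of the
    # context that follows "key" (e.g. "scontext=") on the current line.
    function ctx_type(key,   v, a) {
        match($0, key "[^ ]+")
        v = substr($0, RSTART + length(key), RLENGTH - length(key))
        split(v, a, ":")
        return a[3]
    }
    /avc: +denied/ {
        perms = $0
        sub(/.*denied [{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)          # drop " }" and the rest
        st = ctx_type("scontext=")
        tt = ctx_type("tcontext=")
        match($0, /tclass=[^ ]+/)
        cls = substr($0, RSTART + 7, RLENGTH - 7)
        types[st] = 1; types[tt] = 1
        tgt = (st == tt) ? "self" : tt
        rule = st SUBSEP tgt SUBSEP cls
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) {
            # add each permission once per rule and once per class
            if (index(" " rperm[rule] " ", " " pa[i] " ") == 0)
                rperm[rule] = (rperm[rule] == "" ? "" : rperm[rule] " ") pa[i]
            if (index(" " cperm[cls] " ", " " pa[i] " ") == 0)
                cperm[cls] = (cperm[cls] == "" ? "" : cperm[cls] " ") pa[i]
        }
        if (!(rule in seen)) { seen[rule] = ++nrules; rules[nrules] = rule }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "    type %s;\n", t
        for (c in cperm) printf "    class %s { %s };\n", c, cperm[c]
        printf "}\n\n"
        for (i = 1; i <= nrules; i++) {
            split(rules[i], k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rperm[rules[i]]
        }
    }'
}

# Usage: generate the module and review it before building it.
printf '%s\n' "$AVC_LOG" | avc_to_te udevmonitor_local
```

For the records above this yields a single rule, `allow sysadm_t self:netlink_kobject_uevent_socket { create bind };`, which is the narrow grant the report asks for: sysadm_t talking to its own uevent netlink socket, nothing else. On RHEL 5 such a module would be built with `checkmodule -M -m`, packaged with `semodule_package` and loaded with `semodule -i`, but treat it as a stopgap only; the permanent fix is the updated selinux-policy build named in Fixed In Version. Generated rules of this kind grant exactly what was denied and grant it unconditionally, so read every rule before loading it rather than trusting the generator.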