Bug 657571
| Summary: | MLS policy prevents modprobe from calling signull ... | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.6 | CC: | dwalsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-2.4.6-296.el5 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-21 09:19:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
So it happens always after reboot into single mode? Yes. Always. Looks like something that should be allowed. Fixed in selinux-policy-2.4.6-296.el5 Another very similar AVC showed up:
type=1400 audit(1291287482.776:3): avc: denied { signull } for pid=1033 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pam_console_t:s0-s15:c0.c1023 tclass=process
Maybe modprobe is sending signull to all processes? This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue the currently developed update. Contact your manager or support representative in case you need to escalate this bug. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html |
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-strict-2.4.6-295.el5 selinux-policy-minimum-2.4.6-295.el5 selinux-policy-devel-2.4.6-295.el5 selinux-policy-targeted-2.4.6-295.el5 selinux-policy-2.4.6-295.el5 selinux-policy-mls-2.4.6-295.el5 How reproducible: always Steps to Reproduce: 1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel 2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode 3. reboot into single mode 4. log in via console 5. run dmesg Actual results: type=1400 audit(1290781239.496:3): avc: denied { signull } for pid=923 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process Expected results: no AVCs