Bug 678044

Summary: avc: denied { module_request } for pid=... comm="console-kit-dae" ...
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, eparis, ksrot, rstrode
Target Milestone: rc   
Target Release: ---   
Hardware: s390x   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-73.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:57:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2011-02-16 15:49:49 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-70.el6.noarch
selinux-policy-3.7.19-70.el6.noarch

How reproducible:
sometimes

Steps to Reproduce:
1. get a RHEL6.1-20110211.n.0 machine
2. log in as root via ssh
3. run following automated test
/CoreOS/selinux-policy/Regression/bz543941-running-vhostmd
  
Actual results:
----
time->Wed Feb 16 10:42:06 2011
type=SYSCALL msg=audit(1297870926.580:587): arch=80000016 syscall=5 per=400000 success=no exit=-6 a0=8001f5fe a1=100 a2=8001882c a3=20000016b48 items=0 ppid=39840 pid=39841 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1297870926.580:587): avc:  denied  { module_request } for  pid=39841 comm="console-kit-dae" kmod="char-major-4-0" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
----

Expected results:
no AVCs
Comment 2 Daniel Walsh 2011-02-16 19:27:28 UTC 
Seems strange that consolekit would be asking the kernel to load a kernel module?
Comment 5 Ray Strode [halfline] 2011-02-22 23:01:23 UTC 
well, char-major-4-0 is serial gunk according to google, which consolekit probably doesn't touch.

My guess is something dropped a script in 
/usr/lib/ConsoleKit/run-seat.d or /usr/lib/ConsoleKit/run-session.d

probably udev.
Comment 6 Miroslav Grepl 2011-02-23 21:57:28 UTC 
Milos,
does it happen always?
Comment 7 Miroslav Grepl 2011-02-24 09:40:44 UTC 
Fixed in selinux-policy-3.7.19-73.el6
Comment 10 errata-xmlrpc 2011-05-19 11:57:46 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html