| Summary: | MLS: lsblk works but AVCs appear | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | dwalsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-74.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-19 11:57:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Are you in permissive mode? Miroslav we might want to label this as fsadm_exec_t Or maybe better to just dontaudit the read since it seems to work fine. dontaudit sysadm_t fixed_disk_device_t:blk_file read; Not sure why it is opening the device. lsblk works from staff_t and we would loose this if we change the label. I don't think this command gives away any important data. Add storage_dontaudit_read_fixed_disk($1_t) to userdom_admin_user_template (In reply to comment #1) > Are you in permissive mode? Yes. permissive mode: 3 different AVCs enforcing mode: 1 "read" AVC multiple times Fixed in selinux-policy-3.7.19-74.el6 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html |
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-3.7.19-72.el6.noarch selinux-policy-targeted-3.7.19-72.el6.noarch selinux-policy-mls-3.7.19-72.el6.noarch How reproducible: always Steps to Reproduce: * get a RHEL-6 machine with active MLS policy * log in as root via console * run lsblk Actual results: ---- time->Fri Feb 25 09:31:54 2011 type=SYSCALL msg=audit(1298644314.517:60): arch=40000003 syscall=5 success=yes exit=9 a0=98a5c18 a1=8000 a2=0 a3=98a5c78 items=0 ppid=1660 pid=1687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="lsblk" exe="/bin/lsblk" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1298644314.517:60): avc: denied { open } for pid=1687 comm="lsblk" name="dm-0" dev=devtmpfs ino=6035 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file type=AVC msg=audit(1298644314.517:60): avc: denied { read } for pid=1687 comm="lsblk" name="dm-0" dev=devtmpfs ino=6035 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file ---- time->Fri Feb 25 09:31:54 2011 type=SYSCALL msg=audit(1298644314.518:61): arch=40000003 syscall=54 success=yes exit=0 a0=9 a1=125e a2=bff99454 a3=98a5c78 items=0 ppid=1660 pid=1687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="lsblk" exe="/bin/lsblk" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1298644314.518:61): avc: denied { ioctl } for pid=1687 comm="lsblk" path="/dev/dm-0" dev=devtmpfs ino=6035 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file ---- Expected results: no AVCs