Bug 121323 - lots of policy errors
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2004-04-20 10:18 EDT by Tim Vismor
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-06-14 17:17:17 EDT

Attachments
avc problems in dmesg (3.29 KB, text/plain) - 2004-04-20 10:23 EDT, Tim Vismor
avc errors from system log (messages file) (48.08 KB, text/plain) - 2004-04-20 10:29 EDT, Tim Vismor
AVC denials under enforcing mode (33.91 KB, text/plain) - 2004-04-21 19:08 EDT, Tim Vismor

Description Tim Vismor 2004-04-20 10:18:38 EDT
Description of problem:

I am running FC2T2 installed on a clean machine via CD. The system is
synched with rawhide (as of 4/19/04) via yum (e.g.
kernel-smp-2.6.5-1.327, policy-1.11.2-9). I am running selinux in
permissive mode. I ran "fixfiles relabel" after installing the most
recent policy upgrades. However, I am receiving persistent audit
errors (avc denied) in the system logs. Attached are samples of these
messages to help provide data for tweaking selinux policies. All avc
messages were logged during start up, shut down, or when running as root.

How reproducible:

Always.
Comment 1 Tim Vismor 2004-04-20 10:23:44 EDT
Created attachment 99561 [details]
avc problems in dmesg
Comment 2 Tim Vismor 2004-04-20 10:29:00 EDT
Created attachment 99562 [details]
avc errors from system log (messages file).
Comment 3 Colin Walters 2004-04-20 16:58:03 EDT
Actually we were discussing LVM problems on fedora-selinux-list. 
Could you read that discussion and try applying some of the patches there?

http://www.redhat.com/archives/fedora-selinux-list/2004-April/msg00257.html
Comment 4 Colin Walters 2004-04-20 17:00:50 EDT

*** This bug has been marked as a duplicate of 120595 ***
Comment 5 Tim Vismor 2004-04-21 12:37:49 EDT
I have loaded the 4/20 policy updates (which appear to have the
patches you described). All of my old LVM AVC denials are still there.
By the way, there are many more denial problems exhibited in my
original bug report than the LVM denials. Therefore, I disagree with
your classification of this bug as a duplicate of the problem that was
discussed on the selinux list. I have re-opened the bug. If you don't
feel like looking into the other problems, you can close it again.
Comment 6 Colin Walters 2004-04-21 16:52:41 EDT
Ok, sorry about that, I hadn't realized there was more.

*** This bug has been marked as a duplicate of 120595 ***
Comment 7 Colin Walters 2004-04-21 17:33:57 EDT
Argh, I didn't mean to mark it as a duplicate again.  Sorry about that.
Comment 8 Colin Walters 2004-04-21 17:41:01 EDT
Ok.

First of all, you will almost always get AVC messages running in
permissive mode that you wouldn't in enforcing.  This is because in
enforcing mode, the process would be stopped by earlier (not audited)
denials.

Are you able to boot in enforcing mode?  Why are you running permissive?
Comment 9 Tim Vismor 2004-04-21 19:06:51 EDT
To answer your question:
When I initially installed FC2T2 I was unable to boot in enforcing
mode, so I switched to permissive mode. I never bothered to change it
back. 

At your prodding :), I have booted into enforcing mode (it didn't hang
this time) and gathered new data. The quantity of AVC denials did not
seem to go down. Several unexpected (at least to me) events occurred
within the first minute or two of running under enforcing mode:

1) Cyrus imap startup failed due to permission problems (this was
forecast by the AVC denials that occurred in permissive mode).

2) After logging in as root, I attempted to run system-logviewer. I
was prompted for the root password (as if I were a normal user).
Providing the root password allowed the log viewer to run.

3) I attempted to browse the /var/log directory with nautilus. I was
told that I did not have permission to view the directory.

4) I attempted to browse the directory from the console with the
following results.

[root@redbud log]# cd /var/log
[root@redbud log]# ls
ls: .: Permission denied
[root@redbud log]# whoami
root
[root@redbud log]#

5) Sendmail generated AVC denials.

These and other events are chronicled by their AVC trail in the
following attachment.

Comment 10 Tim Vismor 2004-04-21 19:08:27 EDT
Created attachment 99615 [details]
AVC denials under enforcing mode
Comment 11 Daniel Walsh 2004-04-22 17:03:57 EDT
I fixed some of these errors in policy-1.11.2-18.  Some are legit, you
are not allowed to view /var/log/* as staff_r.

Dan
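An added example (not from this bug report or the Fedora policy package) showing how a defender can triage AVC denials of the kind in the attachments: it parses the 2004-era kernel AVC line format, counts distinct denials, and groups them by source role so a role-restricted denial such as staff_r on var_log_t (forbidden by design, per comment 11) can be separated from daemon denials that point at a missing policy rule. The log lines, pids and inode numbers are constructed; the hostname is the reporter's.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel AVC format of the era (not the bug's
# attachments); the last line is an unrelated syslog entry.
SAMPLE_LOG = """\
audit(1082581200.001:0): avc:  denied  { read } for  pid=2711 exe=/bin/ls name=log dev=hda2 ino=131074 scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1082581200.002:0): avc:  denied  { search } for  pid=2711 exe=/bin/ls name=log dev=hda2 ino=131074 scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1082581201.003:0): avc:  denied  { read write } for  pid=1401 exe=/usr/cyrus/bin/master name=lmtp dev=hda2 ino=4711 scontext=system_u:system_r:cyrus_t tcontext=system_u:object_r:var_run_t tclass=sock_file
audit(1082581202.004:0): avc:  denied  { read } for  pid=2730 exe=/bin/ls name=log dev=hda2 ino=131074 scontext=root:staff_r:staff_t tcontext=system_u:object_r:var_log_t tclass=dir
Apr 21 19:05:02 redbud kernel: audit(1082581203.005:0): avc:  denied  { read } for  pid=1520 exe=/usr/sbin/sendmail name=aliases.db dev=hda2 ino=8802 scontext=system_u:system_r:sendmail_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Apr 21 19:05:03 redbud sshd[1600]: Accepted publickey for root from 10.0.0.5
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    rec = {"perms": tuple(perms.split()), "tclass": fields.get("tclass")}
    for ctx in ("scontext", "tcontext"):
        # A context is user:role:type; newer kernels append an MLS range.
        user, role, typ = fields[ctx].split(":")[:3]
        rec[ctx] = {"user": user, "role": role, "type": typ}
    return rec

def summarize(log_text):
    """Count denials keyed by (source role, source type, target type, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext"]["role"], rec["scontext"]["type"],
                    rec["tcontext"]["type"], rec["tclass"], perm)] += 1
    return counts

def denials_by_role(counts):
    """Group by source role: staff_r denials on var_log_t are forbidden by design,
    while daemon (system_r) denials usually mean the policy lacks a rule."""
    by_role = {}
    for (role, styp, ttyp, tclass, perm), n in counts.items():
        by_role.setdefault(role, []).append((styp, ttyp, tclass, perm, n))
    return by_role
```

Feed it the contents of /var/log/messages or dmesg output in place of SAMPLE_LOG; the per-role grouping is the first cut at deciding which denials are expected and which need a policy change.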
