Bug 156337 - SELinux strict policy denied messages on boot
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: 4
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh

Reported: 2005-04-28 20:30 EDT by Che Gonzalez
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-06-08 14:09:06 EDT
Doc Type: Bug Fix

Attachments: None
Description Che Gonzalez 2005-04-28 20:30:49 EDT
Description of problem:
A list of avc denied messages after a fresh install under the strict policy
(some fatal if enforcing). See Additional Info below.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.13-4
selinux-doc-1.19.5-1
selinux-policy-strict-1.23.13-4
selinux-policy-strict-sources-1.23.13-4

How reproducible:
After fresh install and all updates as of April 28, 2005.

Steps to Reproduce:
1. Install fc4test2
2. update the previously listed packages.
3. switch to policy strict and permissive
4. reboot
5. capture /var/log/messages for current boot
  
Actual results:
The log messages listed below under Additional Info.

Expected results:
A boot that would not be fatal or prevent booting into the gui.  

Additional info:

[audit2allow output]
allow dhcpc_t selinux_config_t:file { getattr read };
allow fsadm_t ramfs_t:fifo_file ioctl;
allow initrc_t ramfs_t:fifo_file write;
allow initrc_t root_t:file unlink;
allow insmod_t hotplug_etc_t:dir { getattr search };
allow insmod_t nscd_var_run_t:dir search;
allow lvm_t removable_device_t:blk_file { ioctl read };
allow xdm_xserver_t self:process execmem;

# The following entry errors when testing in a policy, but it is logged under
# another bug
allow rhgb_t etc_t:dir mounton;

[/var/log/messages]
Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc:  denied  { search } for  name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { getattr } for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716754.618:0): avc:  denied  { search } for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716755.277:0): avc:  denied  { mounton } for  path=/etc/rhgb/temp dev=dm-0 ino=17467378 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:etc_t tclass=dir

Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc:  denied  { execmem } for  scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 28 19:32:54 xix kernel: audit(1114731158.024:0): avc:  denied  { write } for  name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731158.978:0): avc:  denied  { read } for  name=hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.017:0): avc:  denied  { ioctl } for  path=/dev/hdc dev=tmpfs ino=672 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:removable_device_t tclass=blk_file

Apr 28 19:32:54 xix kernel: audit(1114731159.852:0): avc:  denied  { write } for  name=rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731160.535:0): avc:  denied  { ioctl } for  path=/etc/rhgb/temp/rhgb-console dev=ramfs ino=5990 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file

Apr 28 19:32:54 xix kernel: audit(1114731161.265:0): avc:  denied  { unlink } for  name=halt dev=dm-0 ino=13 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:root_t tclass=file

Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { read } for  name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file

Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { getattr } for  path=/etc/selinux/config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
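How the [audit2allow output] block above relates to the raw AVC records under it, as an added example that is not part of the bug report and is not audit2allow's own code: each record is parsed for its permission set, source context, target context and object class; records sharing the same (source type, target type, class) are merged; and one allow rule is printed per merged key, with a self-referential target spelled "self" as the policy language requires. The sample log is five of the denials quoted in the description, rejoined onto single lines; the regexes and the function names parse_avc, allow_rules and denied_objects are my own. The rules are a diagnostic, not a fix: as Comment 1 points out, the /halt and /etc/rhgb denials were labeling errors to be corrected with restorecon, not policy gaps to be allowed, which is why the example also lists which objects each target type's denials named.

```python
import re
from collections import defaultdict

# Matches the permission set and the key=value fields of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed input: five of the denials quoted in the description above,
# each rejoined onto a single line as the kernel originally emitted it.
SAMPLE_LOG = """\
Apr 28 19:32:54 xix kernel: audit(1114716744.637:0): avc:  denied  { search } for  name=nscd dev=dm-0 ino=20250719 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 28 19:32:54 xix kernel: audit(1114716756.459:0): avc:  denied  { execmem } for  scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Apr 28 19:32:54 xix kernel: audit(1114731161.265:0): avc:  denied  { unlink } for  name=halt dev=dm-0 ino=13 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:root_t tclass=file
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { read } for  name=config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr 28 19:32:54 xix kernel: audit(1114731166.113:0): avc:  denied  { getattr } for  path=/etc/selinux/config dev=dm-0 ino=17465776 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
"""


def parse_avc(line):
    """Return the parts of one AVC denial needed for a rule, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # Object identification, when the kernel logged one: a full path
        # (path=) or only the last path component (name=).
        "target": fields.get("path") or fields.get("name"),
    }


def allow_rules(log_text):
    """Merge denials with the same source/target/class into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # Policy language spells a self-referential target as 'self'.
        target = "self" if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def denied_objects(log_text):
    """Map each target type to the objects the denials named under it."""
    objects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["target"]:
            objects[rec["ttype"]].add(rec["target"])
    return dict(objects)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for ttype, objs in sorted(denied_objects(SAMPLE_LOG).items()):
        print(f"# {ttype}: {', '.join(sorted(objs))}")
```

Run against the sample it reproduces four of the rules in the report (dhcpc_t, initrc_t, insmod_t and the xdm_xserver_t self:process execmem rule). Before turning any of them into policy, check the objects listed per target type: a file under /etc carrying user_u rather than system_u, or a file in / labeled root_t, is a hint that restorecon or a full relabel is the right fix.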
Comment 1 Daniel Walsh 2005-04-29 13:48:25 EDT
Please only report bugs in enforcing mode.  (At least on the first pass.)
A lot of these avc messages disappear in enforcing mode.

/halt is mislabeled.  restorecon /halt

/etc/rhgb is mislabeled.

Did you relabel?

Also clear the log files after you switch and reboot, in enforcing mode.  Then
report the errors.

Thanks.
Comment 2 Che Gonzalez 2005-04-29 17:39:39 EDT
Relabel was performed before reboot, and /var/log/messages was cleared. I
relabeled twice from system-config-securitylevel and /etc/rhgb was not relabeled
correctly.  I checked /etc/rhgb and resolved the problem with fixfiles. For
/halt I had to mkdir then restorecon it.  The rest is set to allow in my
custom.te file.

I unchecked my custom.te in sepcut, shut down in permissive, and restarted with
enforcing.  I was unable to boot into X server.  A blue ncurses X configuration
screen came up so I set it back to permissive and rebooted.  The following log
entries occurred.

[Strict - Boot - Enforcing]

Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc:  denied  { getattr } for  path=/etc/hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 29 17:15:36 xix kernel: audit(1114794926.175:0): avc:  denied  { search } for  name=hotplug dev=dm-0 ino=17465355 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:hotplug_etc_t tclass=dir

Apr 29 17:15:36 xix kernel: audit(1114794927.858:0): avc:  denied  { execmem } for  scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.859:0): avc:  denied  { execmem } for  scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.860:0): avc:  denied  { execmem } for  scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process

Apr 29 17:15:36 xix kernel: audit(1114794927.861:0): avc:  denied  { execmem } for  scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:xdm_xserver_t tclass=process
Comment 3 Daniel Walsh 2005-04-30 19:53:58 EDT
setsebool -P allow_execmem=1
