Bug 157373 - avc warnings de jour.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
4
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2005-05-10 19:59 EDT by Dave Jones
Modified: 2015-01-04 17:19 EST
Last Closed: 2005-05-19 10:10:21 EDT
Description Dave Jones 2005-05-10 19:59:49 EDT
Description of problem:

Today's rawhide (May 10th), with tomorrow's kernel (1290)..

usb-storage: device scan complete
audit(1115769281.997:0): avc:  denied  { ioctl } for  path=/proc/2520/mounts
dev=proc ino=165150737 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769281.999:0): avc:  denied  { ioctl } for  path=/proc/2521/mounts
dev=proc ino=165216273 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769281.999:0): avc:  denied  { ioctl } for  path=/proc/2522/mounts
dev=proc ino=165281809 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769282.000:0): avc:  denied  { ioctl } for  path=/proc/2519/mounts
dev=proc ino=165085201 scontext=system_u:system_r:hotplug_t
tcontext=system_u:system_r:hotplug_t tclass=file
audit(1115769283.019:0): avc:  denied  { write } for  name=2:0:0:0 dev=sysfs
ino=7471 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc1 dev=sysfs
ino=7468 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=sdc dev=sysfs
ino=7465 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769283.019:0): avc:  denied  { write } for  name=2:0:0:0 dev=sysfs
ino=7463 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t
tclass=dir
audit(1115769285.916:0): avc:  denied  { read } for  name=loginuid dev=proc
ino=174194713 scontext=system_u:system_r:auditd_t
tcontext=system_u:system_r:auditd_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts


also later..

SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts

Is it normal for that to happen twice?
Comment 1 Dave Jones 2005-05-10 20:00:17 EDT
using selinux-policy-targeted-1.23.14-2 btw.
Comment 2 Daniel Walsh 2005-05-11 06:46:43 EDT
Fixed in selinux-policy-targeted-1.23.15-4

Policy contains the following
grep autofs genfs_contexts
# autofs
genfscon autofs /                       system_u:object_r:autofs_t
genfscon automount /                    system_u:object_r:autofs_t

So I guess that is why you get the genfs_contexts line twice.
Comment 3 Dave Jones 2005-05-19 01:20:28 EDT
FYI: whilst installing this I got..

(01:19:41:davej@nwo:~)$ sudo rpm -Uvh selinux-policy-targeted-1.23.16-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
sepol_genbools_array:  unknown boolean use_syslogng
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument
/sbin/restorecon reset /boot/lost+found context ->system_u:object_r:lost_found_t
/sbin/restorecon reset /etc/sysconfig/network-scripts/ifcfg-eth0 context
system_u:object_r:etc_t->system_u:object_r:net_conf_t
/sbin/restorecon reset /etc/sysconfig/network-scripts/ifcfg-lo context
system_u:object_r:etc_t->system_u:object_r:net_conf_t
/sbin/restorecon reset /lost+found context ->system_u:object_r:lost_found_t
/sbin/restorecon reset /usr/sbin/hid2hci context
system_u:object_r:sbin_t->system_u:object_r:bluetooth_exec_t
(01:19:47:davej@nwo:~)$
Comment 4 Daniel Walsh 2005-05-19 10:10:21 EDT
Dave, these are all expected.  We removed use_syslogng boolean from policy.  When
you update policy in the kernel, we attempt to get the current setting of
booleans and maintain it, so since the boolean existed in the old policy and not
in the new one, it puts out a warning.  The restorecon is caused by changes in
file context.

Basically when policy is updated we run a diff between the old file context and
the new and then run restorecon on the diff.
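
The update behaviour described in Comment 4, sketched as an added example (not code from the selinux-policy package or from the commenters): it diffs two file-context snapshots, selects the paths a changed spec covers, and lists saved booleans the new policy no longer defines. The two snapshots, the boolean example_kept_boolean and all function names are constructed for illustration; matching ignores the file-type flag and spec ordering, which the real restorecon honours.

```python
import re

# Constructed snapshots; not the real file_contexts of any policy release.
OLD_FC = """\
/etc(/.*)?          system_u:object_r:etc_t
/usr/sbin(/.*)?     system_u:object_r:sbin_t
"""
NEW_FC = """\
# comment lines and blank lines are ignored
/etc(/.*)?          system_u:object_r:etc_t
/etc/sysconfig/network-scripts/ifcfg-.*  --  system_u:object_r:net_conf_t
/usr/sbin(/.*)?     system_u:object_r:sbin_t
/usr/sbin/hid2hci   --  system_u:object_r:bluetooth_exec_t
"""

def parse_fc(text):
    """Map (path regex, file-type flag) -> context for file_contexts text."""
    specs = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Two fields: "regex context". Three: "regex -type context".
        ftype = fields[1] if len(fields) == 3 else ""
        specs[(fields[0], ftype)] = fields[-1]
    return specs

def changed_specs(old_text, new_text):
    """Specs added, removed or given a different context by the update."""
    old, new = parse_fc(old_text), parse_fc(new_text)
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))

def paths_to_relabel(paths, specs):
    """Paths fully matched by a changed spec; only these need restorecon."""
    return [p for p in paths if any(re.fullmatch(rx, p) for rx, _ in specs)]

def dropped_booleans(saved, new_policy_booleans):
    """Saved settings naming a boolean the new policy no longer defines."""
    return sorted(name for name in saved if name not in new_policy_booleans)

if __name__ == "__main__":
    diff = changed_specs(OLD_FC, NEW_FC)
    candidates = ["/etc/passwd", "/etc/sysconfig/network-scripts/ifcfg-eth0",
                  "/usr/sbin/hid2hci", "/usr/sbin/sshd"]
    print("relabel:", paths_to_relabel(candidates, diff))
    # use_syslogng is the boolean named in the thread; the other is constructed.
    saved = {"use_syslogng": False, "example_kept_boolean": True}
    print("warn about:", dropped_booleans(saved, {"example_kept_boolean"}))
```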

