Bug 162831 - FC3 testing kernel blocking on an update to policy.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-09 01:01 UTC by Dave Jones
Modified: 2015-01-04 22:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-11 20:42:09 UTC
Type: ---
Embargoed:


Description Dave Jones 2005-07-09 01:01:53 UTC
The current version of policy in fc3-updates-testing (1.17.30-3.14) seems to
have quite a few issues with the 2.6.12 update for FC3.

A number of daemons fail to start. Here's what I got in dmesg after a boot:

inode_doinit_with_dentry:  context_to_sid(system_u:object_r:named_checkconf_exec_t)
returned 22 for dev=dm-0 ino=102367
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:dnssec_t) returned
22 for dev=dm-0 ino=167169
audit(1120870460.773:2): avc:  denied  { read } for  pid=2549 comm="named"
name="rndc.key" dev=dm-0 ino=167169 scontext=user_u:system_r:named_t
tcontext=system_u:object_r:unlabeled_t tclass=file
i2c /dev entries driver
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:sendmail_exec_t)
returned 22 for dev=dm-0 ino=106040
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181526
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181527
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22
for dev=dm-0 ino=181041
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181035
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22
for dev=dm-0 ino=181042
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181536
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22
for dev=dm-0 ino=181034
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181538
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22
for dev=dm-0 ino=181036
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181528
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22
for dev=dm-0 ino=181037
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181529
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22
for dev=dm-0 ino=181038
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181532
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181044
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned
22 for dev=dm-0 ino=181537


As an experiment, I upgraded the policy to 1.25.1-7 from FC4. Things went a lot
smoother.  Daemons started up as normal, though there were still a number of avc
warnings in dmesg.

audit(1120856907.787:2): avc:  denied  { use } for  pid=770 comm="minilogd"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871345.334:3): avc:  denied  { use } for  pid=2536
comm="named-checkconf" name="init" dev=rootfs ino=7
scontext=system_u:system_r:named_t tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871352.977:4): avc:  denied  { use } for  pid=2777 comm="mingetty"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871352.988:5): avc:  denied  { use } for  pid=2778 comm="mingetty"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871352.999:6): avc:  denied  { use } for  pid=2779 comm="mingetty"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871353.299:7): avc:  denied  { use } for  pid=2780 comm="mingetty"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871353.887:8): avc:  denied  { use } for  pid=2767 comm="mingetty"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:kernel_t tclass=fd
audit(1120871354.189:9): avc:  denied  { use } for  pid=2781 comm="mingetty"
name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t
tcontext=system_u:system_r:kernel_t tclass=fd

Comment 1 Daniel Walsh 2005-07-09 01:37:26 UTC
selinux-policy-targeted-1.17.30-3.16 is the released version of policy for fc3.

Looks like your kernel is leaking a fd also.



Comment 2 Dave Jones 2005-07-11 20:42:09 UTC
Whoops. 3.16 seems to work just fine in my testing so far.  Thanks.
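
Added example, not part of the original bug thread: a small Python triage of the two message kinds quoted in the description. It counts the types the loaded policy failed to map (`returned 22` is EINVAL from `context_to_sid`) and links each `unlabeled_t` denial back to the inode whose on-disk label was rejected. The sample lines are taken from the report with wrapped lines rejoined; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Sample lines from the report above, rejoined onto single lines.
SAMPLE = """\
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:dnssec_t) returned 22 for dev=dm-0 ino=167169
inode_doinit_with_dentry:  context_to_sid(root:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181041
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:etc_mail_t) returned 22 for dev=dm-0 ino=181526
audit(1120870460.773:2): avc:  denied  { read } for  pid=2549 comm="named" name="rndc.key" dev=dm-0 ino=167169 scontext=user_u:system_r:named_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1120871352.977:4): avc:  denied  { use } for  pid=2777 comm="mingetty" name="init" dev=rootfs ino=7 scontext=system_u:system_r:getty_t tcontext=system_u:system_r:kernel_t tclass=fd
"""

BAD_CTX = re.compile(r'context_to_sid\((?P<ctx>[^)]+)\) returned (?P<rc>\d+) '
                     r'for dev=(?P<dev>\S+) ino=(?P<ino>\d+)')
AVC = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
                 r'.*?dev=(?P<dev>\S+) ino=(?P<ino>\d+) scontext=(?P<s>\S+) '
                 r'tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def triage(log_text):
    invalid = {}   # (dev, ino) -> on-disk context the loaded policy rejected
    avcs = []      # parsed AVC denial records
    for line in log_text.splitlines():
        m = BAD_CTX.search(line)
        if m:
            invalid[(m["dev"], m["ino"])] = m["ctx"]
            continue
        m = AVC.search(line)
        if m:
            avcs.append(m.groupdict())
    # Types present in file labels but unknown to the loaded policy.
    missing_types = Counter(ctx_type(c) for c in invalid.values())
    # Denials grouped as (source type, permission, target type, class).
    denials = Counter((ctx_type(a["s"]), a["perms"].strip(), ctx_type(a["t"]), a["cls"])
                      for a in avcs)
    # An unlabeled_t denial on an inode whose label failed to map is a
    # consequence of the missing type, not a separate policy gap.
    explained = [(a["comm"], invalid[(a["dev"], a["ino"])]) for a in avcs
                 if ctx_type(a["t"]) == "unlabeled_t" and (a["dev"], a["ino"]) in invalid]
    return missing_types, denials, explained

if __name__ == "__main__":
    for part in triage(SAMPLE):
        print(part)
```

Denials left in `denials` but absent from `explained`, such as the `{ use }` on `tclass=fd` with a `kernel_t` target, are the ones to investigate separately.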


