Description of problem:
During startup, 2.6.15 FC4 kernels produce a number of SELinux audit failures related to hotplug.

Version-Release number of selected component (if applicable):
kernel-2.6.15-1.1830_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install kernel-2.6.15-1.1830_FC4
2. Boot
3. Watch startup log messages or view dmesg

Actual results:
The following audit messages:

audit(1139187977.980:2): avc: denied { search } for pid=579 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.988:3): avc: denied { search } for pid=580 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187977.996:4): avc: denied { search } for pid=571 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.004:5): avc: denied { search } for pid=581 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.012:6): avc: denied { search } for pid=582 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.020:7): avc: denied { search } for pid=583 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.028:8): avc: denied { search } for pid=584 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.036:9): avc: denied { search } for pid=567 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.048:10): avc: denied { search } for pid=568 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.056:11): avc: denied { search } for pid=569 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.068:12): avc: denied { search } for pid=573 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.076:13): avc: denied { search } for pid=574 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.088:14): avc: denied { search } for pid=575 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.100:15): avc: denied { search } for pid=577 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.112:16): avc: denied { search } for pid=578 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.124:17): avc: denied { search } for pid=586 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.136:18): avc: denied { search } for pid=587 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.148:19): avc: denied { search } for pid=572 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.160:20): avc: denied { search } for pid=570 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1139187978.176:21): avc: denied { search } for pid=576 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir

Expected results:
No audit messages

Additional info:
Started appearing with FC4 2.6.15 kernels. 2.6.14 kernels did not display this message. It might be that these messages don't appear in 2.6.14 because they are suppressed in quiet mode (broken in this kernel at least, as in bug #179919), but I think they still are problematic. I'm having issues with USB key drives, but I haven't tried to isolate that issue yet; it seems like it might be related to this.
Have verified that these messages are suppressed in quiet mode, but in non-quiet mode, they appear with FC4 2.6.14 kernels also.
Likely an interleaving of device detection / hotplug execution with the initial setup of SELinux upon the initial policy load by init. Not certain as to the best solution here.
Stephen, would your patch from bug 180296 suppress this?
No, different issue. In this case (IIUC), the inodes are labeled correctly on disk, but we are hitting a race between the initial setup of SELinux upon first policy load by /sbin/init and a hotplug execution, so that hotplug is accessing inodes before SELinux gets done setting up their incore labels. This is tricky, as we have to allow execution of usermode helpers prior to initial policy load for any setup prior to /sbin/init (e.g. from initrd), but we want to essentially block them once we initiate a policy load until the entire SELinux setup is finished.
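As an added illustration (not code from the bug report or from the kernel/SELinux developers), here is a small Python triage script for the kind of AVC noise quoted in the report. It parses `avc: denied` lines into their fields, groups denials by source context, target context, class and permission, and flags groups that match the pattern the previous comment attributes to the early-boot race: many distinct short-lived helper processes denied against an `unlabeled_t` target within a short window. The sample input reuses four of the report's own lines plus two constructed lines (one non-AVC kernel message and one denial against a properly labelled `etc_t` target) for contrast; the race heuristic, its 5-second window and the function names are this example's assumptions, not anything the kernel or SELinux tooling provides.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the first three denials and the last one quoted in the
# bug report, plus one constructed non-AVC line and one constructed denial whose
# target carries a real label (etc_t) rather than unlabeled_t.
SAMPLE_LOG = [
    'audit(1139187977.980:2): avc: denied { search } for pid=579 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'audit(1139187977.988:3): avc: denied { search } for pid=580 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'audit(1139187977.996:4): avc: denied { search } for pid=571 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'audit(1139187978.176:21): avc: denied { search } for pid=576 comm="hotplug" name="proc" dev=dm-0 ino=851969 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:unlabeled_t tclass=dir',
    'usb 1-1: new high speed USB device using ehci_hcd and address 2',  # constructed, not an AVC record
    'audit(1139187990.500:22): avc: denied { read } for pid=900 comm="hotplug" name="fstab" dev=dm-0 ino=12345 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file',  # constructed
]

# Layout of an AVC record: audit(<secs.usecs>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    ts: float
    serial: int
    verdict: str
    perms: tuple
    fields: dict


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")), m.group("verdict"),
                     tuple(m.group("perms").split()), fields)


def summarize(lines):
    """Group denials by (scontext, tcontext, tclass, perms) with pid/comm sets and a time span."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "comms": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.verdict != "denied":
            continue
        key = (rec.fields.get("scontext"), rec.fields.get("tcontext"), rec.fields.get("tclass"), rec.perms)
        g = groups[key]
        g["count"] += 1
        g["pids"].add(rec.fields.get("pid"))
        g["comms"].add(rec.fields.get("comm"))
        g["first"] = rec.ts if g["first"] is None else min(g["first"], rec.ts)
        g["last"] = rec.ts if g["last"] is None else max(g["last"], rec.ts)
    return dict(groups)


def looks_like_label_setup_race(key, group, window_s=5.0):
    """Heuristic (this example's assumption): a burst of distinct helper processes denied
    against an unlabeled_t target within a few seconds matches the early-boot race described
    in the thread, where helpers run before SELinux has set up in-core inode labels."""
    _scontext, tcontext, _tclass, _perms = key
    if not tcontext or not tcontext.endswith(":unlabeled_t"):
        return False
    return len(group["pids"]) > 1 and (group["last"] - group["first"]) <= window_s


def triage(lines):
    """Return the group keys that match the race heuristic, in first-seen order."""
    groups = summarize(lines)
    return [k for k, g in sorted(groups.items(), key=lambda kv: kv[1]["first"])
            if looks_like_label_setup_race(k, g)]


if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        scontext, tcontext, tclass, perms = key
        flag = "RACE?" if looks_like_label_setup_race(key, g) else "     "
        print(f"{flag} {g['count']:3d}x {' '.join(perms):8s} {scontext} -> {tcontext} ({tclass}),"
              f" {len(g['pids'])} pids, span {g['last'] - g['first']:.3f}s")
```

Grouping by the context/class/permission tuple rather than by raw line is what makes the report's twenty near-identical denials collapse into one entry with twenty pids, which is the shape to look for before deciding the lines are policy gaps (one or two pids, a labelled target) versus an ordering problem at boot (many pids, an `unlabeled_t` target, a sub-second span).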
[This comment added as part of a mass-update to all open FC4 kernel bugs] FC4 has now transitioned to the Fedora legacy project, which will continue to release security related updates for the kernel. As this bug is not security related, it is unlikely to be fixed in an update for FC4, and has been migrated to FC5. Please retest with Fedora Core 5. Thank you.
A new kernel update has been released (Version: 2.6.18-1.2200.fc5) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. In the last few updates, some users upgrading from FC4->FC5 have reported that installing a kernel update has left their systems unbootable. If you have been affected by this problem please check you only have one version of device-mapper & lvm2 installed. See bug 207474 for further details. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. If this bug has been fixed, but you are now experiencing a different problem, please file a separate bug for the new problem. Thank you.