Bug 182435 - Denials on fresh install
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh

Reported: 2006-02-22 10:54 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: fc5-updates
Doc Type: Bug Fix
Last Closed: 2006-05-09 16:19:33 EDT
Description Orion Poplawski 2006-02-22 10:54:23 EST
Description of problem:
Freshly installed FC5T3 x86_64 with Xen and Software Development installed.

audit(1140563214.611:2): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:3): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:4): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:5): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.611:6): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name=".in_sysinit" dev=tmpfs ino=1063 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1140563214.611:7): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563214.635:8): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:9): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:10): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.635:11): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563214.635:12): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name=".in_sysinit" dev=tmpfs ino=1063 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=file
audit(1140563214.635:13): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563215.111:14): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140563215.111:15): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.111:16): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:17): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="urandom" dev=tmpfs ino=2293 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1140563215.115:18): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:19): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="random" dev=tmpfs ino=2283 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1140563215.115:20): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="ppp" dev=tmpfs ino=1182 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
audit(1140563215.115:21): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport3" dev=tmpfs ino=1179 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:22): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport2" dev=tmpfs ino=1178 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:23): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport1" dev=tmpfs ino=1177 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:24): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport0" dev=tmpfs ino=1176 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.115:25): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563215.115:26): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1140563215.115:27): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="sg0" dev=tmpfs ino=3953 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
audit(1140563215.115:28): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.115:29): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="evtchn" dev=tmpfs ino=3077 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.119:30): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="urandom" dev=tmpfs ino=2293 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
audit(1140563215.119:31): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.119:32): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="random" dev=tmpfs ino=2283 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1140563215.119:33): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="ppp" dev=tmpfs ino=1182 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
audit(1140563215.119:34): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport3" dev=tmpfs ino=1179 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:35): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport2" dev=tmpfs ino=1178 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:36): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport1" dev=tmpfs ino=1177 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:37): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="parport0" dev=tmpfs ino=1176 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
audit(1140563215.119:38): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="kcore" dev=proc ino=4026531861 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1140563215.119:39): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="initctl" dev=tmpfs ino=1018 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
Comment 1 Orion Poplawski 2006-02-22 11:00:02 EST
After updating to selinux-policy-targeted-2.2.17-2, I'm down to:

audit(1140624078.890:2): avc:  denied  { write } for  pid=1318 comm="mount"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
audit(1140624079.666:3): avc:  denied  { write } for  pid=1367 comm="swapon"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:fsadm_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
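
The denials posted so far collapse to a handful of (source type, target type, class) tuples once the wrapped records are joined and grouped. The following is an added example, not part of the original report: a small parser for this kernel AVC format, run over four records copied from the description and Comment 1. The names `parse_avc` and `summarize` are chosen here for illustration.

```python
import re
from collections import defaultdict

# Records copied from the report above, in its wrapped three-line form.
SAMPLE = '''audit(1140563214.611:2): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563214.611:4): avc:  denied  { getattr } for  pid=1297 comm="fsck"
name="kmsg" dev=tmpfs ino=2290 scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140563215.111:15): avc:  denied  { getattr } for  pid=1313 comm="mount"
name="hpet" dev=tmpfs ino=3124 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1140624078.890:2): avc:  denied  { write } for  pid=1318 comm="mount"
name="blkid.tab" dev=dm-0 ino=10192280 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:etc_t:s0 tclass=file
'''

REC = re.compile(r'audit\(.*?(?=audit\(|\Z)', re.S)   # one record, however it is wrapped
HEAD = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')     # the denied permission set
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"

def parse_avc(text):
    """Join wrapped lines into records and yield one dict per denial."""
    for raw in REC.findall(text):
        rec = ' '.join(raw.split())
        m = HEAD.search(rec)
        if not m:
            continue                                   # not an AVC denial
        d = {k: v.strip('"') for k, v in FIELD.findall(rec)}
        d['perms'] = m.group(1).split()
        yield d

def summarize(text):
    """Group denials by (source type, target type, class)."""
    out = defaultdict(lambda: {'perms': set(), 'names': set()})
    for d in parse_avc(text):
        stype = d['scontext'].split(':')[2]            # user:role:type[:level]
        ttype = d['tcontext'].split(':')[2]
        g = out[(stype, ttype, d['tclass'])]
        g['perms'].update(d['perms'])
        g['names'].add(d.get('name', d.get('capability', '?')))
    return dict(out)

if __name__ == '__main__':
    for (s, t, c), g in sorted(summarize(SAMPLE).items()):
        print(f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} objects={sorted(g['names'])}")
```
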
Comment 2 Daniel Walsh 2006-02-22 12:50:22 EST
Yes, this is a labeling problem. There should be a fix in mkinitrd and the
initscripts to fix this problem. For now you can restorecon /etc/blkid.*
Comment 3 Orion Poplawski 2006-02-24 11:46:49 EST
Getting somewhat different ones now with today's rawhide:

audit(1140799735.426:2): avc:  denied  { relabelfrom } for  pid=1312
comm="mount" name="blkid.tab" dev=dm-0 ino=48370
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799743.586:3): avc:  denied  { relabelfrom } for  pid=1387
comm="swapon" name="blkid.tab" dev=dm-0 ino=48367
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
audit(1140799744.694:4): avc:  denied  { dac_override } for  pid=1419
comm="readahead" capability=1 scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:readahead_t:s0 tclass=capability
audit(1140799744.694:5): avc:  denied  { dac_read_search } for  pid=1419
comm="readahead" capability=2 scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:readahead_t:s0 tclass=capability
Comment 4 Russell Coker 2006-03-16 07:46:24 EST
Does the blkid.tab AVC message still occur? 
 
With the readahead AVC message, if it still occurs then please boot the 
machine with audit=1 on the kernel command line so we can get more information 
on what's happening. 
Comment 5 Orion Poplawski 2006-03-16 11:34:49 EST
(In reply to comment #4)
> Does the blkid.tab AVC message still occur? 
>  

Not since Mar 9. Probably fixed by:

Mar 10 12:35:05 Updated: selinux-policy-targeted.noarch 2.2.23-15

> With the readahead AVC message, if it still occurs then please boot the 
> machine with audit=1 on the kernel command line so we can get more information 
> on what's happening. 

Do not see readahead messages either with latest rawhide.
