Bug 220598 - [lspp] unable to run 'ybin' while enforcing mls policy
Summary: [lspp] unable to run 'ybin' while enforcing mls policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: ppc64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-12-22 13:44 UTC by Klaus Kiwi (Old account no longer used)
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RC
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-08 01:59:31 UTC
Target Upstream Version:
Embargoed:



Description Klaus Kiwi (Old account no longer used) 2006-12-22 13:44:22 UTC
Description of problem:
[root@zaphod lspp-rpms]# rpm -ivh kernel-*
warning: kernel-2.6.18-1.2910.el5.ppc64.rpm: Header V3 DSA signature: NOKEY, key
ID 897da07a
Preparing...                ########################################### [100%]
   1:kernel-devel           ########################################### [ 50%]
   2:kernel                 ########################################### [100%]
ybin: /dev/sda1: Permission denied

later:
[root@zaphod lspp-rpms]# ybin 
ybin: /dev/sda1: Permission denied

security context:
[root@zaphod lspp-rpms]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh


Version-Release number of selected component (if applicable):


How reproducible:
try to run ybin while in enforcing mode

Steps to Reproduce:
1. Boot RHEL5 with mls policy, enforcing SELinux
2. Log in as root:sysadm_r
3. Run 'ybin'
  
Actual results:
ybin: /dev/sda1: Permission denied

Expected results:
to work

Additional info:
==AVCs====
type=AVC msg=audit(1166794030.846:472): avc:  denied  { search } for  pid=2496
comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858
scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.846:472): arch=14 syscall=195 success=no
exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0
ppid=2493 pid=2496 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash"
subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1166794030.847:473): avc:  denied  { search } for  pid=2495
comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858
scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.847:473): arch=14 syscall=195 success=no
exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0
ppid=2493 pid=2495 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash"
subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
================

current workaround is to run ybin while in permissive mode

Comment 1 Klaus Kiwi (Old account no longer used) 2006-12-22 13:47:33 UTC
forgot to add:
[root@zaphod lspp-rpms]# rpm -qa | egrep policy
checkpolicy-1.33.1-2.el5
selinux-policy-devel-2.4.6-15.el5
selinux-policy-mls-2.4.6-15.el5
policycoreutils-1.33.6-6.el5
selinux-policy-2.4.6-15.el5
policycoreutils-newrole-1.33.6-6.el5
selinux-policy-targeted-2.4.6-15.el5
[root@zaphod lspp-rpms]# 

using 1218 refresh on an IBM POWER (lpar)

Comment 2 Klaus Kiwi (Old account no longer used) 2006-12-22 14:50:11 UTC
audit2allow yields:

allow bootloader_t fixed_disk_device_t:blk_file write;

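As an added example (not part of the bug report or of audit2allow itself), the following parser reads AVC records in the format quoted in the description and collapses the denials into the allow-rule form shown in comment 2, so a reviewer can see which type/class/permission triples a denial actually asks for before deciding whether policy should change. The sample log is a constructed copy of the description's two denials (re-joined onto single lines) plus one granted record.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials from the description above,
# re-joined onto one line each, plus one granted record (which must be ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1166794030.846:472): avc:  denied  { search } for  pid=2496 comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858 scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=AVC msg=audit(1166794030.847:473): avc:  denied  { search } for  pid=2495 comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858 scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=AVC msg=audit(1168367356.552:222): avc:  granted  { setexec } for  pid=1502 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
"""

# One AVC record per line: decision, permission set, and the two contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per AVC record. Contexts are split into their
    user:role:type[:level[:categories]] fields; index 2 is the type."""
    records = []
    for m in AVC_RE.finditer(text):
        records.append({
            "decision": m.group("decision"),
            "perms": set(m.group("perms").split()),
            "scontext": m.group("scontext").split(":"),
            "tcontext": m.group("tcontext").split(":"),
            "tclass": m.group("tclass"),
        })
    return records

def denials_to_rules(records):
    """Merge denied records by (source type, target type, class) and render
    each group as a TE allow rule for review, the way audit2allow prints them."""
    merged = defaultdict(set)
    for r in records:
        if r["decision"] != "denied":
            continue
        merged[(r["scontext"][2], r["tcontext"][2], r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(parse_avc(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Note that the rule derived from the description's log concerns the sysadm home directory ybin was started from, not the /dev/sda1 write that comment 2's audit2allow run reports, which is why both records matter when triaging this denial.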

Comment 3 RHEL Program Management 2007-01-03 16:00:59 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 6 Steve Grubb 2007-01-09 16:53:40 UTC
SELinux policy has been updated since this was filed. We are wanting to know if
this problem still exists with current selinux policy. Thanks.

Comment 7 Klaus Kiwi (Old account no longer used) 2007-01-09 19:12:00 UTC
Seems to be working fine.
There is one thing to notice, though - I tested the above by simply upgrading
the kernel, kernel-dev packages to the latest lspp (.61) versions (it should run
ybin while in %post - well, tested it standalone run as well). There were some
AVC denials in the process. I don't really know if this is of any harm, but
since it's a relatively common task, I'd like you to take a look and see for
yourself (couldn't find any other symptom besides AVC messages).

command:
[root@zaphod klausk_rpms]# rpm -Uvh kernel-*.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [ 50%]
   2:kernel-devel           ########################################### [100%]
[root@zaphod klausk_rpms]#

audit.log (covering the whole task above):
type=AVC msg=audit(1168367356.552:222): avc:  granted  { setexec } for  pid=1502
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367356.552:222): arch=14 syscall=4 success=yes
exit=43 a0=14 a1=10618c20 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=1502
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1168367356.736:223): arch=14 syscall=11 success=yes
exit=0 a0=1011f968 a1=10112860 a2=10115c88 a3=0 items=0 ppid=1505 pid=1513
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="depmod" exe="/sbin/depmod" subj=root:sysadm_r:depmod_t:s0-s15:c0.c1023
key=(null)
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
type=AVC msg=audit(1168367423.044:224): avc:  granted  { setexec } for  pid=2303
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.044:224): arch=14 syscall=4 success=yes
exit=43 a0=15 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2303
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367423.104:225): avc:  granted  { setexec } for  pid=2304
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.104:225): arch=14 syscall=4 success=yes
exit=43 a0=14 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2304
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)

You may close the bug. Please contact me if you need a bug report for the above.

 Klaus

Comment 8 Daniel Walsh 2007-01-11 19:58:40 UTC
Fixed in selinux-policy-2.4.6-25

Comment 9 RHEL Program Management 2007-02-08 01:59:31 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
