Description of problem:
After installing RHEL5rcs6 on ia64 the /boot/efi partition is labeled dosfs_t and is not accessible to the administrator.

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-22.el5

How reproducible:
Every time

Steps to Reproduce:
1. Install RHEL5 beta
2. Login as user / su / newrole -r sysadm_r
3. ls /boot/efi

Actual results:
Permission Denied

Expected results:
The administrator needs access to this directory.

Additional info:
Here are the AVCs from running in permissive mode and editing elilo.conf:

type=AVC msg=audit(1168546168.321:127): avc: denied { read } for pid=2768 comm="ls" name="/" dev=sdb1 ino=1 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1168546168.321:127): arch=c0000032 syscall=1028 success=yes exit=3 a0=6000000000012740 a1=10800 a2=c000000000000205 a3=280 items=0 ppid=2481 pid=2768 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="ls" exe="/bin/ls" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.900:128): avc: denied { write } for pid=2771 comm="vi" name="elilo.conf" dev=sdb1 ino=3927 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.900:128): arch=c0000032 syscall=1049 success=yes exit=0 a0=6000000000027880 a1=2 a2=6000000000027880 a3=c000000000002651 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.901:129): avc: denied { write } for pid=2771 comm="vi" name="redhat" dev=sdb1 ino=3919 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc: denied { add_name } for pid=2771 comm="vi" name=".elilo.conf.swp" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc: denied { create } for pid=2771 comm="vi" name=".elilo.conf.swp" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.901:129): arch=c0000032 syscall=1028 success=yes exit=4 a0=60000000000283e0 a1=c2 a2=180 a3=200000000033d4f8 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.901:130): avc: denied { remove_name } for pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:130): avc: denied { unlink } for pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.901:130): arch=c0000032 syscall=1032 success=yes exit=0 a0=6000000000026870 a1=5 a2=60000fffff60f0a0 a3=c000000000000b1a items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.903:131): avc: denied { setattr } for pid=2771 comm="vi" name=".elilo.conf.swp" dev=sdb1 ino=3930 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.903:131): arch=c0000032 syscall=1038 success=yes exit=0 a0=60000000000283e0 a1=180 a2=0 a3=1 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546180.511:132): avc: denied { rename } for pid=2771 comm="vi" name="elilo.conf" dev=sdb1 ino=3927 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546180.511:132): arch=c0000032 syscall=1054 success=yes exit=0 a0=6000000000027880 a1=6000000000036a10 a2=60000fffff60f1b0 a3=b8 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)

Which translates to this:

module bootefi 1.0;

require {
	class dir { add_name read remove_name write };
	class file { create rename setattr unlink write };
	type dosfs_t;
	type sysadm_t;
	role sysadm_r;
};

allow sysadm_t dosfs_t:dir { add_name read remove_name write };
allow sysadm_t dosfs_t:file { create rename setattr unlink write };
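The AVC-to-allow-rule translation shown in the report (the job audit2allow does), as an added example that is not part of the original bug report or of the selinux-policy package: it parses the report's own AVC records, groups the denied permissions by source type, target type and object class, and renders a module in the shape of the one quoted. The sample audit text is constructed from the records above; the role line of the require block is not generated.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the report above, plus one SYSCALL record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1168546168.321:127): avc: denied { read } for pid=2768 comm="ls" name="/" dev=sdb1 ino=1 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1168546168.321:127): arch=c0000032 syscall=1028 success=yes exit=3 comm="ls" exe="/bin/ls"
type=AVC msg=audit(1168546177.900:128): avc: denied { write } for pid=2771 comm="vi" name="elilo.conf" dev=sdb1 ino=3927 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546177.901:129): avc: denied { write } for pid=2771 comm="vi" name="redhat" dev=sdb1 ino=3919 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc: denied { add_name } for pid=2771 comm="vi" name=".elilo.conf.swp" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc: denied { create } for pid=2771 comm="vi" name=".elilo.conf.swp" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546177.901:130): avc: denied { remove_name } for pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:130): avc: denied { unlink } for pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546177.903:131): avc: denied { setattr } for pid=2771 comm="vi" name=".elilo.conf.swp" dev=sdb1 ino=3930 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546180.511:132): avc: denied { rename } for pid=2771 comm="vi" name="elilo.conf" dev=sdb1 ino=3927 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
"""

# One AVC denial: permission set, source and target security contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    # user:role:type:range; the MLS range itself contains ':', so index 2, never [-1]
    return ctx.split(":")[2]

def collect_rules(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render_module(name, version, rules):
    """Emit a policy module shaped like the audit2allow output in the report (no role line)."""
    classes, types = defaultdict(set), set()
    for (stype, ttype, tclass), perms in rules.items():
        classes[tclass].update(perms)
        types.update((stype, ttype))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in sorted(types)] + ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)
```

Grouping by (source type, target type, class) is what makes the output reviewable before anything is loaded: all nine denials collapse to the same two sysadm_t-on-dosfs_t rules that appear in the report.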
Fixed in selinux-policy-2.4.6-25
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
A fix for this issue has been included in the packages contained in the beta (RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following:

1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified).

If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED.
I tried this on the u1 beta and it seems to work fine.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html