Bug 224441 - AVC while updating machine
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Depends On:
Reported: 2007-01-25 13:45 EST by Steve Grubb
Modified: 2007-11-30 17:07 EST
3 users

See Also:
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 11:38:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Steve Grubb 2007-01-25 13:45:51 EST
Description of problem:
avc: denied { sys_resource } for comm="semodule" egid=0 euid=0
exe="/usr/sbin/semodule" exit=32 fsgid=0 fsuid=0 gid=0 items=0 pid=4002
scontext=system_u:system_r:semanage_t:s0 sgid=0
subj=system_u:system_r:semanage_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:semanage_t:s0 tty=(none) uid=0 

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Updated via pup
Comment 1 Daniel Walsh 2007-01-25 14:25:45 EST
Fixed in selinux-policy-2.4.6-31.el5
Comment 2 RHEL Product and Program Management 2007-01-25 14:40:46 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
Comment 3 Daniel Walsh 2007-01-25 15:15:14 EST
I have been asked to hold off til after release.  So pushing it back so we can
build it for Day 0 Release.
Comment 4 James Laska 2007-01-25 15:43:10 EST
I'm trying to inspect the fix for this issue, as well as get a sense for what
selinux prevented in this case.  Any thoughts?
Comment 5 Daniel Walsh 2007-01-25 16:09:56 EST
One of the libraries used in semodule requested CAP_SYS_RESOURCE capability. 
Probably to override a resource limit.  The kernel denied it, and the app seemed
to continue running fine.

The following defines what CAP_SYS_RESOURCE is:

· Override resource limits. Set resource limits; 
· Override quota limits; 
· Override reserved space on ext2 filesystem; 
· Modify data journaling mode on ext3 filesystem (uses journaling resources); 
  NOTE: ext2 honors fsuid when checking for resource overrides, 
  so you can override using fsuid too; 
· Override size restrictions on IPC message queues; 
· Allow more than 64hz interrupts from the real-time clock; 
· Override max number of consoles on console allocation; 
· Override max number of keymaps.
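As an added illustration (not part of this bug report or of the selinux-policy package), a small Python parser for AVC records in the format quoted in the description: it extracts the denied permission, object class and contexts from the page's own line, flags capability denials like this one, and prints the allow rule that audit2allow would generate for it. That rule is assumed here only as the form such a policy fix takes, not as the actual change in selinux-policy-2.4.6-31.el5.

```python
import re

# Constructed copy of the AVC record from the bug description, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { sys_resource } for comm="semodule" egid=0 euid=0 '
    'exe="/usr/sbin/semodule" exit=32 fsgid=0 fsuid=0 gid=0 items=0 pid=4002 '
    'scontext=system_u:system_r:semanage_t:s0 sgid=0 '
    'subj=system_u:system_r:semanage_t:s0 suid=0 tclass=capability '
    'tcontext=system_u:system_r:semanage_t:s0 tty=(none) uid=0'
)

# "avc: denied { perm ... } for key=value ..."; values may be double-quoted.
_HEAD = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing the AVC record, or None if the line is not one."""
    m = _HEAD.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'comm': fields.get('comm'),
        'exe': fields.get('exe'),
        'pid': int(fields['pid']) if fields.get('pid', '').isdigit() else None,
        'fields': fields,
    }

def context_type(ctx):
    """Type field of a user:role:type[:level] context, e.g. semanage_t."""
    parts = (ctx or '').split(':')
    return parts[2] if len(parts) > 2 else None

def is_capability_denial(rec):
    """True for a denial of a Linux capability (tclass=capability), as in this bug."""
    return bool(rec) and rec['verdict'] == 'denied' and rec['tclass'] == 'capability'

def allow_rule(rec):
    """Allow rule in audit2allow style (assumed form of the fix, not the real policy change).
    Uses 'self' when source and target contexts are identical, as they are here."""
    src = context_type(rec['scontext'])
    tgt = 'self' if rec['scontext'] == rec['tcontext'] else context_type(rec['tcontext'])
    return 'allow %s %s:%s { %s };' % (src, tgt, rec['tclass'], ' '.join(rec['perms']))

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    if is_capability_denial(rec):
        print('%s (pid %s) in %s denied %s' % (rec['exe'], rec['pid'], context_type(rec['scontext']), ' '.join(rec['perms'])))
        print(allow_rule(rec))
```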
Comment 6 James Laska 2007-01-25 16:54:57 EST
Sounds like the app was able to successfully recover ... thank you for that
analysis.  QA_ACK for 5.1
Comment 11 errata-xmlrpc 2007-11-07 11:38:09 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.