Bug 229543
| Summary: | LSPP: odd avc message | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Kylene J Hall <kylene> |
| Component: | kernel | Assignee: | Eric Paris <eparis> |
| Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.0 | CC: | eparis, iboverma, linda.knippers, sdsmall, sgrubb |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-03-05 22:39:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 224041 | ||
Not a bug. SELinux avc messages are only about the permission check itself, not the full operation (syscall audit records are for the latter), and only show you whether the permission was granted by policy or denied by policy. setcurrent is just a check to see whether the task is allowed to change its current context at all, not a check against the new context (the latter is covered by the later dyntransition check, but we never reach that since the context wasn't valid at all). ----- Additional Comments From krisw.com 2007-02-22 15:25 EDT ------- The interface shouldn't report success for invalid operations. I don't think this should be closed but perhaps deferred for a future fix. Internal Status set to 'Waiting on Support' Status set to: Waiting on Tech This event sent from IssueTracker by jwest issue 114371 We should address this against the new development work and not RHEL5. Will close the bug. |
Description of problem: Kernel problem specifically with SELinux. When attempting to write garbage (i.e. "invalid context") to /proc/self/attr/current or /proc/self/attr/exec I get an AVC message that says granted {setcurrent} or granted {setexec} even though the write fails as expected. If I had to guess I'd say the SELinux check is probably passing thus the AVC granted; however, an admin looking for who changed there process context would probably want to know the operation ultimately failed, no? Version-Release number of selected component (if applicable): kernel-2.6.18-8.el5.lspp.65 selinux-policy-mls-2.4.6-37.el5 How reproducible: Always Steps to Reproduce: 1. echo "invalid context" > /proc/self/attr/current 2. tail /var/log/audit/audit.log Actual results: type=AVC msg=audit(1172085945.393:64052): avc: granted { setcurrent } for pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process Expected results: Thought it would be an avc: denied { setcurrent } message. Additional info: