Description of problem:
Kernel problem specifically with SELinux. When attempting to write garbage (i.e. "invalid context") to /proc/self/attr/current or /proc/self/attr/exec I get an AVC message that says granted {setcurrent} or granted {setexec} even though the write fails as expected. If I had to guess I'd say the SELinux check is probably passing, thus the AVC granted; however, an admin looking for who changed their process context would probably want to know the operation ultimately failed, no?

Version-Release number of selected component (if applicable):
kernel-2.6.18-8.el5.lspp.65
selinux-policy-mls-2.4.6-37.el5

How reproducible:
Always

Steps to Reproduce:
1. echo "invalid context" > /proc/self/attr/current
2. tail /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1172085945.393:64052): avc: granted { setcurrent } for pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process

Expected results:
Thought it would be an avc: denied { setcurrent } message.

Additional info:
Not a bug. SELinux avc messages are only about the permission check itself, not the full operation (syscall audit records are for the latter), and only show you whether the permission was granted by policy or denied by policy. setcurrent is just a check to see whether the task is allowed to change its current context at all, not a check against the new context (the latter is covered by the later dyntransition check, but we never reach that since the context wasn't valid at all).
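The distinction drawn in the reply above (AVC records report the policy decision, SYSCALL records report the outcome) is what an admin has to correlate on. The following is an added example, not code from the report or its commenters: it groups audit records by their shared msg=audit(timestamp:serial) id and flags a granted { setcurrent } whose syscall ended with success=no as allowed by policy but not effective. The AVC line in the sample is the one from the report; the SYSCALL line is constructed, with assumed argument and exe values.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC record quoted in the report plus a SYSCALL
# record for the same event (same timestamp:serial), as auditd writes it when
# the write(2) to /proc/self/attr/current fails with EINVAL (exit=-22).
SAMPLE_LOG = """\
type=AVC msg=audit(1172085945.393:64052): avc:  granted  { setcurrent }  for  pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172085945.393:64052): arch=c000003e syscall=1 success=no exit=-22 a0=1 a1=2b3f9a0 a2=10 a3=0 items=0 pid=21353 comm="bash" exe="/bin/bash" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def group_events(text):
    """Group audit records that share one msg=audit(timestamp:serial) id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            events[m.group(1)].append(line)
    return events


def judge_event(lines):
    """Combine the AVC verdict with the SYSCALL outcome for one event.

    'effective' is True only when policy granted the check AND the kernel
    reported success=yes for the syscall that triggered it.
    """
    info = {"decision": None, "perms": [], "success": None, "exit": None,
            "pid": None, "comm": None}
    for line in lines:
        f = dict(KV_RE.findall(line))
        info["pid"] = info["pid"] or f.get("pid")
        info["comm"] = info["comm"] or f.get("comm", "").strip('"') or None
        if f.get("type") == "AVC" and (m := AVC_RE.search(line)):
            info["decision"], info["perms"] = m.group(1), m.group(2).split()
        elif f.get("type") == "SYSCALL":
            info["success"] = f.get("success") == "yes"
            info["exit"] = int(f["exit"]) if "exit" in f else None
    info["effective"] = info["decision"] == "granted" and info["success"] is True
    return info


def context_changes(text):
    """Return judgements for every event carrying a setcurrent/setexec check."""
    out = {}
    for eid, lines in group_events(text).items():
        info = judge_event(lines)
        if {"setcurrent", "setexec"} & set(info["perms"]):
            out[eid] = info
    return out
```

Run over a real audit.log, an event whose record shows decision=granted but effective=False is exactly the case in this report: the permission check passed, the context change did not happen.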
----- Additional Comments From krisw.com 2007-02-22 15:25 EDT -------
The interface shouldn't report success for invalid operations. I don't think this should be closed but perhaps deferred for a future fix.

Internal Status set to 'Waiting on Support'
Status set to: Waiting on Tech

This event sent from IssueTracker by jwest
issue 114371
We should address this against the new development work and not RHEL5. Will close the bug.