Bug 244957 - selinuxfs avc denials
selinuxfs avc denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-19 23:50 EDT by Deji Akingunola
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: selinux-policy-3.0.1-3.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-29 10:39:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Deji Akingunola 2007-06-19 23:50:49 EDT
Description of problem: I get these every time I boot-up the system (and
variants of it while rebooting or when I plug in a removable drive and is being
mounted by hal);

>>
....
Jun 19 23:29:45 agape kernel: audit(1182310170.673:5): avc:  denied  { getattr }
for  pid=1609 comm="fsck" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0
tclass=filesystem
Jun 19 23:29:45 agape kernel: audit(1182310170.947:6): avc:  denied  { getattr }
for  pid=1615 comm="mount" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0
tclass=filesystem
...

Jun 19 23:29:45 agape kernel: audit(1182310171.896:7): avc:  denied  { getattr }
for  pid=1675 comm="swapon" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0
tclass=filesystem
Jun 19 23:29:45 agape kernel: Adding 2031608k swap on /dev/VolGroup00/LogVol01.
 Priority:-1 extents:1 across:2031608k
Jun 19 23:29:45 agape kernel: audit(1182310174.389:8): avc:  denied  { getattr }
for  pid=1727 comm="ip6tables-resto" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
...

Jun 19 23:29:45 agape kernel: audit(1182310179.363:9): avc:  denied  { getattr }
for  pid=1924 comm="ifconfig" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
>>>

Also

Jun 19 17:54:58 agape setroubleshoot:      SELinux is preventing /bin/umount
(mount_t) "getattr" to / (security_t).      For complete SELinux messages. run
sealert -l 6011d13b-f5c5-43ba-ba35-28cb7e203ac2

[deji@agape ~]$ sealert -l 6011d13b-f5c5-43ba-ba35-28cb7e203ac2

***MEMORY-WARNING***: [3230]: GSlice: g_thread_init() must be called before all
other GLib functions; memory corruption due to late invocation of
g_thread_init() has been detected; this program is likely to crash, leak or
unexpectedly abort soon...
Summary
    SELinux is preventing /bin/umount (mount_t) "getattr" to / (security_t).

Detailed Description
    SELinux denied access requested by /bin/umount. It is not expected that this
    access is required by /bin/umount and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:mount_t
Target Context                system_u:object_r:security_t
Target Objects                / [ filesystem ]
Affected RPM Packages         util-linux-2.13-0.51.fc7
                              [application]filesystem-2.4.9-1.fc8 [target]
Policy RPM                    selinux-policy-2.6.5-2.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     agape
Platform                      Linux agape 2.6.21-1.3225.fc8 #1 SMP Sun Jun 17
                              19:52:00 EDT 2007 x86_64 x86_64
Alert Count                   40
First Seen                    Fri Jun  8 00:43:32 2007
Last Seen                     Tue Jun 19 17:54:56 2007
Local ID                      6011d13b-f5c5-43ba-ba35-28cb7e203ac2
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="umount" dev=selinuxfs egid=0 euid=0
exe="/bin/umount" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=900
scontext=system_u:system_r:mount_t:s0 sgid=0 subj=system_u:system_r:mount_t:s0
suid=0 tclass=filesystem tcontext=system_u:object_r:security_t:s0 tty=(none)
uid=0

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Deji Akingunola 2007-06-29 10:39:57 EDT
These are now fixed in the current release, selinux-policy-3.0.1-3.fc8.

Note You need to log in before you can comment on or make changes to this bug.