Bug 323631 - tmpfs denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-08 15:37 EDT by Orion Poplawski
Modified: 2008-01-23 16:43 EST (History)
Fixed In Version: 3.0.8-76.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-23 16:43:10 EST
Description Orion Poplawski 2007-10-08 15:37:58 EDT
Description of problem:

We run /tmp as a tmpfs filesystem here.  I'm seeing the following denials at boot:

audit(1191871115.846:4): avc:  denied  { getattr } for  pid=1036 comm="mdadm"
path="/dev/initctl" dev=tmpfs ino=1587
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1191871117.557:5): avc:  denied  { read } for  pid=1140 comm="mdadm"
name="rtc" dev=tmpfs ino=249 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
audit(1191871117.737:6): avc:  denied  { getattr } for  pid=1152 comm="mdadm"
path="/dev/initctl" dev=tmpfs ino=1587
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file

audit(1191871133.455:15): avc:  denied  { use } for  pid=1916 comm="setsebool"
path="/dev/console" dev=tmpfs ino=247 scontext=system_u:system_r:setsebool_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1191871133.456:16): avc:  denied  { use } for  pid=1916 comm="setsebool"
path="/dev/console" dev=tmpfs ino=247 scontext=system_u:system_r:setsebool_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1191871133.456:17): avc:  denied  { use } for  pid=1916 comm="setsebool"
path="/dev/console" dev=tmpfs ino=247 scontext=system_u:system_r:setsebool_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fd

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-18.fc8
Comment 1 Daniel Walsh 2007-10-09 16:08:08 EDT
Fixed in selinux-policy-3.0.8-20.fc8
Comment 2 Orion Poplawski 2007-10-17 13:40:24 EDT
Also seeing some on F7 with selinux-policy-2.6.4-48.fc7:

audit(1192641270.351:4): avc:  denied  { getattr } for  pid=1167 comm="mdadm"
path="/dev/initctl" dev=tmpfs ino=1514
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file

Lots of these:

audit(1192641978.956:108): avc:  denied  { getattr } for  pid=4349
comm="rpc.mountd" path="/dev/bsg/0:0:0:0" dev=tmpfs ino=2329
scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file

Comment 3 Daniel Walsh 2007-10-18 17:23:55 EDT
Fixed in selinux-policy-2.6.4-49.fc7
Comment 4 Orion Poplawski 2007-10-25 11:43:33 EDT
Update on F7 with selinux-policy-2.6.4-49.fc7:

audit(1193325968.653:5): avc:  denied  { read } for  pid=1484 comm="mdadm"
name=".tmp-9-1" dev=tmpfs ino=6454
scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=blk_file

Doesn't appear to have caused any problems.
Comment 5 Orion Poplawski 2007-11-12 12:53:26 EST
And with selinux-policy-3.0.8-47.fc8 too:

audit(1194892826.923:5): avc:  denied  { read } for  pid=1128 comm="mdadm"
name=".tmp-9-0" dev=tmpfs ino=5460
scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=blk_file
audit(1194892827.062:6): avc:  denied  { read } for  pid=1123 comm="mdadm"
name="fd0" dev=tmpfs ino=259 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
Comment 6 Orion Poplawski 2008-01-22 18:50:18 EST
Current message seems to be:

Jan 17 14:11:22 saga kernel: audit(1200604282.159:5): avc:  granted  null for 
pid=4576 comm="mdadm" name="null" dev=tmpfs ino=221
scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file

selinux-policy-3.0.8-76.fc8
Comment 7 Daniel Walsh 2008-01-23 16:18:24 EST
That message is not an avc denied message.
Comment 8 Orion Poplawski 2008-01-23 16:43:10 EST
Indeed :)
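
The records in this report are wrapped across several lines and mix `denied` with `granted` results, so they are easier to triage once parsed and grouped. The Python below is an added example, not part of the bug thread or of selinux-policy; the function names `parse_avc` and `summarize_denials` are hypothetical, and the sample input is copied from the comments above.

```python
import re
from collections import defaultdict

# Records copied from this bug's comments, kept in their line-wrapped form.
SAMPLE = """\
audit(1191871115.846:4): avc:  denied  { getattr } for  pid=1036 comm="mdadm"
path="/dev/initctl" dev=tmpfs ino=1587
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
audit(1191871117.557:5): avc:  denied  { read } for  pid=1140 comm="mdadm"
name="rtc" dev=tmpfs ino=249 scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
audit(1191871117.737:6): avc:  denied  { getattr } for  pid=1152 comm="mdadm"
path="/dev/initctl" dev=tmpfs ino=1587
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
Jan 17 14:11:22 saga kernel: audit(1200604282.159:5): avc:  granted  null for
pid=4576 comm="mdadm" name="null" dev=tmpfs ino=221
scontext=system_u:system_r:mdadm_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file
"""

HEAD = re.compile(r"audit\(\d+\.\d+:\d+\): avc: (denied|granted) (?:\{ ([^}]*) \}|\S+) for ")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Split wrapped kernel AVC output into one dict per audit record."""
    flat = " ".join(text.split())  # undo line wrapping and repeated spaces
    records = []
    for chunk in re.split(r"(?=audit\(\d+\.\d+:\d+\):)", flat):
        if not (m := HEAD.match(chunk)):
            continue  # empty chunk, syslog prefix or unrelated text
        f = {k: v.strip('"') for k, v in KV.findall(chunk)}
        records.append({"result": m.group(1), "perms": (m.group(2) or "").split(),
                        "comm": f.get("comm"), "tclass": f["tclass"],
                        "source": f["scontext"].split(":")[2],   # process type
                        "target": f["tcontext"].split(":")[2]})  # object type
    return records

def summarize_denials(records):
    """Group denied records by (source type, target type, object class)."""
    out = defaultdict(lambda: {"perms": set(), "count": 0})
    for r in records:
        if r["result"] != "denied":
            continue  # "granted" records are not denials (see Comment 7)
        entry = out[(r["source"], r["target"], r["tclass"])]
        entry["perms"].update(r["perms"])
        entry["count"] += 1
    return dict(out)
```

Grouping by type rather than by `comm` shows that the two `/dev/initctl` denials come from `mdadm` running in the `udev_t` domain, while the `rtc` denial comes from `mdadm_t`.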