Bug 375841 - audit messages during boot of F8
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-11 11:57 UTC by Bernd Bartmann
Modified: 2008-01-30 19:19 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:19:52 UTC
Description Bernd Bartmann 2007-11-11 11:57:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.1.8) Gecko/20071030 Fedora/2.0.0.8-2.fc8 Firefox/2.0.0.8

Description of problem:
I'm seeing the following audit messages during boot of F8:

Nov 11 11:02:17 beverly kernel: audit: initializing netlink socket (disabled)
Nov 11 11:02:17 beverly kernel: audit(1194778895.447:1): initialized
Nov 11 11:02:17 beverly kernel: audit(1194778915.057:2): policy loaded auid=4294967295
Nov 11 11:02:17 beverly kernel: audit(1194775319.677:3): avc:  denied  { read } for  pid=922 comm="mdadm" name=".tmp-9-0" dev=tmpfs ino=5157 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
Nov 11 11:02:17 beverly kernel: audit(1194775319.678:4): avc:  denied  { ioctl } for  pid=922 comm="mdadm" path="/dev/.tmp-9-0" dev=tmpfs ino=5157 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
Nov 11 11:02:17 beverly kernel: audit(1194775337.201:5): audit_pid=1569 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0


Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. look for audit messages in /var/log/messages
2.
3.

Actual Results:


Expected Results:


Additional info:

Comment 1 Bernd Bartmann 2007-11-11 12:02:28 UTC
And even more messages from another F8 system:

audit(1194773843.793:4): avc:  denied  { read write } for  pid=1895
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.793:5): avc:  denied  { read write } for  pid=1895
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.797:6): avc:  denied  { read write } for  pid=1897
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.797:7): avc:  denied  { read write } for  pid=1897
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.810:8): avc:  denied  { read write } for  pid=1899
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.810:9): avc:  denied  { read write } for  pid=1899
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.879:10): avc:  denied  { read write } for  pid=1930
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.879:11): avc:  denied  { read write } for  pid=1930
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.883:12): avc:  denied  { read write } for  pid=1932
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.883:13): avc:  denied  { read write } for  pid=1932
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.897:14): avc:  denied  { read write } for  pid=1934
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.897:15): avc:  denied  { read write } for  pid=1934
comm="consoletype" path="/dev/pts/0" dev=devpts ino=2
scontext=system_u:system_r:consoletype_t:s0
tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773844.570:16): audit_pid=2059 old=0 by auid=4294967295
subj=system_u:system_r:auditd_t:s0


Comment 2 Steve Grubb 2007-11-11 14:55:56 UTC
The audit system just records events for other kernel subsystems much the same
way syslog records messages for programs. This is a selinux-policy problem,
transferring.

Comment 3 Daniel Walsh 2007-11-12 15:36:10 UTC
The first AVCs are referring to a device named .tmp-9.0 which is unexpected.
Perhaps mdadm is creating them and using them.  I am changing mdadm to be
allowed to use them.  The other audit messages should also be fixed in the
latest policy upgrade.

Fixed in selinux-policy-3.0.8-52.fc8
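
Added example, not part of the original bug thread and not the selinux-policy change itself: a small parser that reduces AVC denial lines like the ones in this report to one row per (source type, target type, class), so repeated denials collapse into a single candidate rule for a policy maintainer to review. The function names and the `SAMPLE` text (lines copied from this report and joined onto single lines) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines taken from this report, unwrapped to one line each.
SAMPLE = """\
Nov 11 11:02:17 beverly kernel: audit(1194775319.677:3): avc:  denied  { read } for  pid=922 comm="mdadm" name=".tmp-9-0" dev=tmpfs ino=5157 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
Nov 11 11:02:17 beverly kernel: audit(1194775319.678:4): avc:  denied  { ioctl } for  pid=922 comm="mdadm" path="/dev/.tmp-9-0" dev=tmpfs ino=5157 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
audit(1194773843.793:4): avc:  denied  { read write } for  pid=1895 comm="consoletype" path="/dev/pts/0" dev=devpts ino=2 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194773843.793:5): avc:  denied  { read write } for  pid=1895 comm="consoletype" path="/dev/pts/0" dev=devpts ino=2 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:rhgb_devpts_t:s0 tclass=chr_file
audit(1194775337.201:5): audit_pid=1569 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:level]; the type is the third component.
    src, tgt = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": m.group("perms").split(), "comm": fields.get("comm"),
            "source": src[2], "target": tgt[2], "tclass": fields["tclass"]}

def summarize(text):
    """Group denials by (source type, target type, class); union the permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["source"], rec["target"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["count"] += 1
    return dict(groups)

def candidate_rules(text):
    """Render each group as an allow-rule candidate for review, not for blind loading."""
    rules = []
    for (src, tgt, cls), g in sorted(summarize(text).items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # {g['count']} denial(s)")
    return rules
```

Whether a given row should become an allow rule, a relabel of the target, or a dontaudit is a policy decision the output does not make.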

Comment 4 Daniel Walsh 2008-01-30 19:19:52 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.

