Bug 408931 - Multiple AVC denials with "mock init"
Multiple AVC denials with "mock init"
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-03 12:35 EST by Jerry James
Modified: 2008-01-30 14:19 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:19:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jerry James 2007-12-03 12:35:28 EST
Description of problem:
Running "mock -r /etc/mock/fedora-8-x86_64.cfg init" resulted in 5 AVC denials.
 They are (briefly):

1) /usr/sbin/groupadd (groupadd_t) cannot "write" to /dev/null (var_lib_t).
2) /usr/sbin/groupadd (groupadd_t) cannot "ioctl" to /dev/null (var_lib_t).
3) /usr/sbin/useradd (useradd_t) cannot "ioctl" to /dev/null (var_lib_t).
4) /usr/sbin/useradd (useradd_t) cannot "read write" to (var_log_t).
5) /usr/sbin/useradd (useradd_t) cannot "write" to /dev/null (var_lib_t).

Detailed information:
avc: denied { write } for comm=groupadd dev=dm-0 egid=0 euid=0
exe=/usr/sbin/groupadd exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/null
pid=1706 scontext=system_u:system_r:groupadd_t:s0 sgid=0
subj=system_u:system_r:groupadd_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:var_lib_t:s0 tty=pts3 uid=0 

avc: denied { ioctl } for comm=groupadd dev=dm-0 path=/dev/null pid=1706
scontext=system_u:system_r:groupadd_t:s0 tclass=chr_file
tcontext=system_u:object_r:var_lib_t:s0 

avc: denied { ioctl } for comm=useradd dev=dm-0 path=/dev/null pid=1947
scontext=system_u:system_r:useradd_t:s0 tclass=chr_file
tcontext=system_u:object_r:var_lib_t:s0 

avc: denied { read write } for comm=useradd dev=dm-0 name=faillog pid=1947
scontext=system_u:system_r:useradd_t:s0 tclass=file
tcontext=system_u:object_r:var_log_t:s0 

avc: denied { write } for comm=useradd dev=dm-0 egid=0 euid=0
exe=/usr/sbin/useradd exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/null
pid=1947 scontext=system_u:system_r:useradd_t:s0 sgid=0
subj=system_u:system_r:useradd_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:var_lib_t:s0 tty=pts3 uid=0 

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-58.fc8

How reproducible:
Always

Steps to Reproduce:
1. mock -r /etc/mock/fedora-8-x86_64.cfg init
  
Actual results:
The AVC denials list above are issued.

Expected results:
There should be no AVC denials.

Additional info:
mock-0.8.9-1.fc8
Comment 1 Daniel Walsh 2007-12-10 15:08:54 EST
Fixed in selinux-policy-3.0.8-68.fc8
Comment 2 Daniel Walsh 2008-01-30 14:19:13 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.