Description of problem:
dmesg shows multiple instances of access denied to various programs

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-61.fc7
selinux-policy-mls-2.6.4-61.fc7
selinux-policy-strict-2.6.4-61.fc7
selinux-doc-1.26-1.1
selinux-policy-devel-2.6.4-61.fc7
selinux-policy-2.6.4-61.fc7

How reproducible:
Unsure

Steps to Reproduce:
1.
2.
3.

Actual results:
audit(1197860776.191:4): avc: denied { read } for pid=1380 comm="rhgb" name="mtab" dev=dm-0 ino=9177615 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
device-mapper: multipath: version 1.0.5 loaded
audit(1197860783.951:5): avc: denied { read } for pid=1463 comm="fsck" name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.951:6): avc: denied { read } for pid=1463 comm="fsck" name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.951:7): avc: denied { read } for pid=1463 comm="fsck" name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.965:8): avc: denied { getattr } for pid=1463 comm="fsck" path="/etc/blkid/blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860784.027:9): avc: denied { read } for pid=1464 comm="fsck.ext3" name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860784.278:10): avc: denied { read } for pid=1465 comm="fsck.ext3" name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860784.279:11): avc: denied { read } for pid=1465 comm="fsck.ext3" name="mtab" dev=dm-0 ino=9177615 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
EXT3 FS on dm-0, internal journal
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1197860784.663:12): avc: denied { unlink } for pid=1479 comm="mount" name="blkid.tab.old" dev=dm-0 ino=9176836 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860785.360:13): enforcing=0 old_enforcing=1 auid=4294967295
audit(1197860797.488:14): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1197860797.489:15): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/irq" dev=proc ino=4026531877 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197860797.489:16): avc: denied { read } for pid=1498 comm="setfiles" name="irq" dev=proc ino=4026531877 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197860797.489:17): avc: denied { search } for pid=1498 comm="setfiles" name="irq" dev=proc ino=4026531877 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1197860797.489:18): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/irq/21/smp_affinity" dev=proc ino=4026532081 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file
audit(1197860797.489:19): avc: denied { read } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
audit(1197860797.490:20): avc: denied { search } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
audit(1197860797.490:21): avc: denied { read } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
audit(1197860797.490:22): avc: denied { search } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
audit(1197860797.491:23): avc: denied { read } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1197860797.491:24): avc: denied { search } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
audit(1197860797.496:25): avc: denied { read } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
audit(1197860797.496:26): avc: denied { search } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir
audit(1197860797.503:27): avc: denied { read } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file
audit(1197860797.503:28): avc: denied { search } for pid=1498 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir
audit(1197860797.504:29): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/net" dev=proc ino=4026531864 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1197860797.504:30): avc: denied { read } for pid=1498 comm="setfiles" name="net" dev=proc ino=4026531864 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1197860797.504:31): avc: denied { search } for pid=1498 comm="setfiles" name="net" dev=proc ino=4026531864 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1197860797.505:32): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/net/ip6_flowlabel" dev=proc ino=4026532485 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1197860797.505:33): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/kcore" dev=proc ino=4026531861 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1197860797.505:34): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/kmsg" dev=proc ino=4026531849 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1197860797.505:35): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1" dev=proc ino=1566 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1197860797.506:36): avc: denied { read } for pid=1498 comm="setfiles" name="1" dev=proc ino=1566 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1197860797.506:37): avc: denied { search } for pid=1498 comm="setfiles" name="1" dev=proc ino=1566 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1197860797.506:38): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1/task/1/fd/10" dev=proc ino=7854 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
audit(1197860797.506:39): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1/task/1/fdinfo/10" dev=proc ino=7855 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
audit(1197860797.506:40): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/2" dev=proc ino=1567 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1197860797.507:41): avc: denied { read } for pid=1498 comm="setfiles" name="2" dev=proc ino=1567 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1197860797.507:42): avc: denied { search } for pid=1498 comm="setfiles" name="2" dev=proc ino=1567 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1197860797.507:43): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/2/task/2/environ" dev=proc ino=7898 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
audit(1197860797.507:44): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/2/task/2/cwd" dev=proc ino=7907 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file
audit(1197860797.517:45): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/513" dev=proc ino=1473 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1197860797.517:46): avc: denied { read } for pid=1498 comm="setfiles" name="513" dev=proc ino=1473 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1197860797.517:47): avc: denied { search } for pid=1498 comm="setfiles" name="513" dev=proc ino=1473 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1197860797.517:48): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/513/task/513/fd/0" dev=proc ino=9675 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
audit(1197860797.517:49): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/513/task/513/fdinfo/0" dev=proc ino=9679 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
audit(1197860797.518:50): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/585" dev=proc ino=1859 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197860797.518:51): avc: denied { read } for pid=1498 comm="setfiles" name="585" dev=proc ino=1859 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197860797.518:52): avc: denied { search } for pid=1498 comm="setfiles" name="585" dev=proc ino=1859 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197860797.519:53): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/585/task/585/fd/0" dev=proc ino=9816 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file
audit(1197860797.519:54): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/585/task/585/fdinfo/0" dev=proc ino=9824 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
audit(1197860797.520:55): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1381" dev=proc ino=8986 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0 tclass=dir
audit(1197860797.520:56): avc: denied { read } for pid=1498 comm="setfiles" name="1381" dev=proc ino=8986 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0 tclass=dir
audit(1197860797.520:57): avc: denied { search } for pid=1498 comm="setfiles" name="1381" dev=proc ino=8986 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0 tclass=dir
audit(1197860797.520:58): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1381/task/1381/fd/0" dev=proc ino=9977 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0 tclass=lnk_file
audit(1197860797.520:59): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1381/task/1381/fdinfo/0" dev=proc ino=9990 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:rhgb_t:s0 tclass=file
audit(1197860797.520:60): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1393" dev=proc ino=8987 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
audit(1197860797.520:61): avc: denied { read } for pid=1498 comm="setfiles" name="1393" dev=proc ino=8987 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
audit(1197860797.520:62): avc: denied { search } for pid=1498 comm="setfiles" name="1393" dev=proc ino=8987 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
audit(1197860797.521:63): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1393/task/1393/fd/0" dev=proc ino=10094 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=lnk_file
audit(1197860797.522:64): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/1393/task/1393/fdinfo/0" dev=proc ino=10102 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0 tclass=file
audit(1197860798.762:65): avc: denied { getattr } for pid=1498 comm="setfiles" path="/etc/rhgb/temp/rhgb-console" dev=ramfs ino=6630 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=fifo_file
audit(1197860798.763:66): avc: denied { getattr } for pid=1498 comm="setfiles" path="/etc/rhgb/temp/rhgb-socket" dev=ramfs ino=6579 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=sock_file
audit(1197860798.763:67): avc: denied { getattr } for pid=1498 comm="setfiles" path="/etc/rhgb/temp/display" dev=ramfs ino=6577 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file
audit(1197861759.590:68): avc: denied { create } for pid=1497 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.591:69): avc: denied { write } for pid=1497 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.591:70): avc: denied { nlmsg_relay } for pid=1497 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.591:71): avc: denied { audit_write } for pid=1497 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1197861759.591:72): avc: denied { read } for pid=1497 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1197861759.617:73): enforcing=1 old_enforcing=0 auid=4294967295
Adding 2031608k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1 across:2031608k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Nothing is showing up in SETroubleshooter.

Expected results:
Programs to be allowed if legitimate

Additional info:
You have a badly mislabeled file system.

touch /.autorelabel; reboot

The file context of file_t indicates that you have booted a machine which was never labeled or running with selinux=0. When you turn on SELinux you have to set up the labeling for the entire machine.
(In reply to comment #1)
> You have a badly mislabeled file system

OK, then why is SELinux not relabeling the system correctly after upgrading to newer policies?

> touch /.autorelabel; reboot
>
> The file context of file_t indicates that you have booted a machine which was
> never labeled or running with selinux=0, When you turn on SELinux you have to
> setup the labeling for the entire machine.

What I did is disable SELinux and reboot, then set SELinux to enforcing and rebooted. Upon rebooting SELinux relabeled the system. Thus I have two questions about your above statement:

1) If I have SELinux set to disabled or to zero, why is it still active? If someone disables it they are probably thinking SELinux is not protecting their system at all. If that is not true, shouldn't the setting be called "minimal" instead of "disabled"?

2) Why is the FSCK command being blocked (especially if the statement you made about SELinux being disabled was correct)? If that is the only way for Linux to repair the file system if a problem is found during booting, then there should be a way to allow FSCK to run without being a security hazard or being a possible source for hostile takeover by a malicious user.
When selinux-policy is updated, the scripts compare the previously installed selinux-policy file_context mappings to the newly installed one and then fix the contexts on the difference. It does not fully relabel, as this would take too long.

If SELinux is disabled, then nothing is happening. But the file context is still on disk from when the machine was running with SELinux enabled. So SELinux disabled means disabled.

I guess fsck should be allowed to run even with bad labeling.

I have no idea how you got to this labeling. As you have seen, SELinux attempts to protect itself by watching for the creation of a file with a bad label. If you boot a machine with SELinux disabled, it creates the /.autorelabel file, which it then uses the next time you boot to trigger a relabeling of the system. From /etc/rc.sysinit:

    # Check to see if a full relabel is needed
    if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
        if [ -f /.autorelabel ] || strstr "$cmdline" autorelabel ; then
            relabel_selinux
        fi
    else
        if [ -d /etc/selinux -a "$READONLY" != "yes" ]; then
            [ -f /.autorelabel ] || touch /.autorelabel
        fi
    fi

So these AVCs look like you turned on SELinux and then rebooted. The system went through and fixed the file context on disk; these AVC messages were generated in the process.

I will fix the fsck being allowed to read file_t problem in the next F7 update.
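An added example, not part of this bug report or of selinux-policy: a small Python triage script that parses "avc: denied" records of the form shown in the dmesg dump above and applies the diagnosis given in this comment. A denial whose target type is file_t (the type a file gets when the file system was never labeled) is bucketed as an unlabeled-target problem that a relabel fixes, while denials from setfiles_t are bucketed as expected noise from the relabel itself; everything else is left for a human to look at. The sample input is a handful of records copied from the report plus the two enforcing-mode lines; the function names and bucket labels are my own.

```python
"""Triage SELinux AVC denials from a dmesg dump.

Added example, not from the bug report or from selinux-policy: it groups
'avc: denied' records and applies the diagnosis from the thread, namely
that a target labelled file_t (the unlabeled type) means the file system
was never labelled and needs a relabel rather than a policy change.
"""
import re
from collections import Counter

# Sample input: a few records copied from the report's dmesg output plus the
# two enforcing-mode toggles. Other dmesg lines are ignored by the parser.
SAMPLE_DMESG = """\
audit(1197860776.191:4): avc: denied { read } for pid=1380 comm="rhgb" name="mtab" dev=dm-0 ino=9177615 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860783.951:5): avc: denied { read } for pid=1463 comm="fsck" name="blkid.tab" dev=dm-0 ino=9177811 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1197860785.360:13): enforcing=0 old_enforcing=1 auid=4294967295
audit(1197860797.488:14): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/mdstat" dev=proc ino=4026531930 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1197860797.518:50): avc: denied { getattr } for pid=1498 comm="setfiles" path="/proc/585" dev=proc ino=1859 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1197861759.591:71): avc: denied { audit_write } for pid=1497 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1197861759.617:73): enforcing=1 old_enforcing=0 auid=4294967295
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
"""

AVC_RE = re.compile(r'audit\(([\d.]+):(\d+)\): avc: denied \{ ([^}]+)\} for (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODE_RE = re.compile(r'audit\(([\d.]+):\d+\): enforcing=([01]) old_enforcing=([01])')


def context_type(ctx):
    """The type is the third field of user:role:type[:range]; MLS ranges add more ':'."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    ts, serial, perms, fields = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(fields)}
    rec.update(ts=float(ts), serial=int(serial), perms=perms.split())
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def classify(rec):
    """Bucket a denial according to the diagnosis given in the thread."""
    if rec['ttype'] == 'file_t':
        return 'unlabeled-target'     # never labelled: touch /.autorelabel; reboot
    if rec['stype'] == 'setfiles_t':
        return 'relabel-in-progress'  # setfiles walking the tree while relabelling
    return 'other'                    # needs a real look: may be a policy gap


def triage(text):
    """Summarise a dump: denial count, buckets, (comm, ttype, tclass, perms) tallies,
    and enforcing-mode changes as (timestamp, old, new) tuples."""
    lines = [l.strip() for l in text.splitlines()]
    denials = [r for r in map(parse_avc, lines) if r]
    modes = [(float(m.group(1)), int(m.group(3)), int(m.group(2)))
             for m in map(MODE_RE.match, lines) if m]
    return {
        'denials': len(denials),
        'buckets': Counter(classify(r) for r in denials),
        'by_key': Counter((r['comm'], r['ttype'], r['tclass'], ' '.join(r['perms']))
                          for r in denials),
        'mode_changes': modes,
    }


def needs_relabel(summary):
    """True when at least one denial hit a file_t-labelled object."""
    return summary['buckets']['unlabeled-target'] > 0


if __name__ == '__main__':
    s = triage(SAMPLE_DMESG)
    print(f"{s['denials']} denials; buckets: {dict(s['buckets'])}")
    for key, n in s['by_key'].most_common():
        print(f"  {n:3d}  comm={key[0]} ttype={key[1]} tclass={key[2]} perms={key[3]}")
    for ts, old, new in s['mode_changes']:
        print(f"  enforcing {old} -> {new} at {ts}")
    print("relabel needed:", needs_relabel(s))
```

Run against a real dump with `dmesg | python3 avc_triage.py`-style piping by replacing SAMPLE_DMESG with `sys.stdin.read()`. The mode-change list matters for reading the report above: the denials between the enforcing=0 and enforcing=1 lines were logged in permissive mode, so they were not actually blocked, only recorded while the relabel ran.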
Fixed in selinux-policy-2.4.6-64
Created attachment 290215: blocked processes in dmesg output
Also found these lines in /var/log/messages:

Dec 20 20:53:21 timmieland setroubleshoot: [rpc.ERROR] attempt to open server connection failed: (111, 'Connection refused')
Dec 20 20:52:45 timmieland kernel: audit: *NO* daemon at audit_pid=2217
Dec 20 20:52:45 timmieland kernel: audit: *NO* daemon at audit_pid=2217
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.