Bug 434888 - AVC against "init"....
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Casey Dahlin
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-25 20:37 EST by Tom London
Modified: 2014-06-18 04:46 EDT
Doc Type: Bug Fix
Last Closed: 2008-02-26 10:38:30 EST
Description Tom London 2008-02-25 20:37:29 EST
Description of problem:
After booting successfully to runlevel 5, gdm login, and fiddling for a while, I
got the following AVC:

type=AVC msg=audit(1203989344.513:28): avc:  denied  { read } for  pid=1
comm="init" path="inotify" dev=inotifyfs ino=1
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0
tclass=dir

I haven't been able to reproduce it yet.

Version-Release number of selected component (if applicable):
upstart-0.3.9-5.fc9.i386

How reproducible:
Don't know....

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Bill Nottingham 2008-02-25 20:47:04 EST
A simple:

fs_list_inotifyfs(init_t)

in the policy should do the trick.
Comment 2 Casey Dahlin 2008-02-25 20:59:20 EST
Likely caused by inotify monitoring of /etc/event.d for config changes. Dunno
why it would be so sporadic to reproduce.
Comment 3 Tom London 2008-02-25 21:03:32 EST
That makes sense....  I was "looking around" in /etc/event.d; perhaps I did
something that caused a file (or the directory) to be "touched".
Comment 4 Tom London 2008-02-25 21:13:55 EST
BTW, here is another.  Thrown when "shutdown" is selected from "System" menu:

type=AVC msg=audit(1203991627.013:56): avc:  denied  { sendto } for  pid=9898
comm="shutdown" path=002F636F6D2F7562756E74752F75707374617274
scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=unix_dgram_socket
type=SYSCALL msg=audit(1203991627.013:56): arch=40000003 syscall=102 success=yes
exit=34 a0=10 a1=bfcff1e0 a2=808c218 a3=808c090 items=0 ppid=9897 pid=9898
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown"
subj=system_u:system_r:consolekit_t:s0 key=(null)

Not sure if that belongs here or against ConsoleKit....
Comment 5 Casey Dahlin 2008-02-25 21:29:20 EST
Hmm, might have to do with the new /sbin/shutdown command
Comment 6 Bill Nottingham 2008-02-25 22:00:09 EST
OK, the consolekit policy needs:

init_chat(consolekit_t)
Comment 7 Daniel Walsh 2008-02-26 10:38:30 EST
Fixed in selinux-policy-3.3.1-2.fc9
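
Added example (not part of the bug report or of any Fedora tool): a Python sketch that parses the two AVC denials quoted above, decodes the hex-encoded path= of the second one, and builds the raw allow rule each denial corresponds to. The function names are assumptions of this example; the comments above resolve the denials with the policy interfaces fs_list_inotifyfs and init_chat rather than with raw rules.

```python
import re

# The two denials quoted in this bug, rejoined onto one line each, which is
# how the audit log stores them (the report shows them wrapped).
AVC_INIT = (
    'type=AVC msg=audit(1203989344.513:28): avc:  denied  { read } for  pid=1 '
    'comm="init" path="inotify" dev=inotifyfs ino=1 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir')
AVC_SHUTDOWN = (
    'type=AVC msg=audit(1203991627.013:56): avc:  denied  { sendto } for  '
    'pid=9898 comm="shutdown" path=002F636F6D2F7562756E74752F75707374617274 '
    'scontext=system_u:system_r:consolekit_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket')

HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields that audit writes as bare hex when they hold unsafe bytes.
HEX_FIELDS = {'comm', 'exe', 'path', 'name'}

def decode_value(key, raw):
    """Return a field value as text: quoted = literal, bare hex = encoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        text = bytes.fromhex(raw).decode('utf-8', 'backslashreplace')
        # A leading NUL marks an abstract UNIX socket; '@' is the usual display.
        return '@' + text[1:] if text.startswith('\x00') else text
    return raw

def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = HEAD.search(line)
    if m is None:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, raw in FIELD.findall(m.group(3)):
        rec[key] = decode_value(key, raw)
    return rec

def allow_rule(rec):
    """Build the raw type-enforcement rule that this denial corresponds to."""
    src = rec['scontext'].split(':')[2]   # user:role:type:level -> type
    tgt = rec['tcontext'].split(':')[2]
    perms = ' '.join(rec['perms'])
    return 'allow %s %s:%s { %s };' % (src, tgt, rec['tclass'], perms)

if __name__ == '__main__':
    for line in (AVC_INIT, AVC_SHUTDOWN):
        rec = parse_avc(line)
        print(rec['comm'], rec.get('path'), '->', allow_rule(rec))
```

Numeric fields such as pid=9898 are left untouched because only the string fields listed in HEX_FIELDS are treated as possibly hex-encoded.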
