Bug 437000 - Multiple rhgb avcs during mls/Permissive boot
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls
Version: 9
Hardware: noarch Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-03-11 12:16 EDT by Joe Nall
Modified: 2008-07-02 15:42 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-07-02 15:42:47 EDT
Description Joe Nall 2008-03-11 12:16:45 EDT
Description of problem:
rhgb avcs

[root@rawhide ~]# grep initrc_t /var/log/messages | grep rhgb
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250229.431:3): avc:  denied  { mounton } for  pid=1286 comm="rhgb" path="/etc/rhgb/temp" dev=sda2 ino=13337674 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250229.432:4): avc:  denied  { setattr } for  pid=1286 comm="rhgb" name="/" dev=ramfs ino=5387 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250231.962:7): avc:  denied  { write } for  pid=1287 comm="rhgb" name="/" dev=ramfs ino=5387 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250231.962:8): avc:  denied  { add_name } for  pid=1287 comm="rhgb" name="display" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250231.962:9): avc:  denied  { create } for  pid=1287 comm="rhgb" name="display" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=file
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250231.962:10): avc:  denied  { write } for  pid=1287 comm="rhgb" name="display" dev=ramfs ino=5582 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=file
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250231.963:11): avc:  denied  { create } for  pid=1287 comm="rhgb" name="rhgb-socket" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=sock_file
Mar 11 10:44:04 rawhide kernel: type=1400 audit(1205250231.964:12): avc:  denied  { setattr } for  pid=1287 comm="rhgb" name="rhgb-socket" dev=ramfs ino=5584 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=sock_file



Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-12

How reproducible:
Always


Steps to Reproduce:
Boot mls/Permissive

Actual Results:
avcs

Expected Results:


Additional info:
No patch this time. I just disabled rhgb :)
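
The denials listed in the description can be collapsed into one entry per (source type, target type, object class), with the MLS range seen for each type. The following is an added example, not part of the original report or of any SELinux tool; it uses four of the lines above with the syslog prefix dropped, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Four denials copied from the report above (syslog prefix dropped).
SAMPLE = """\
type=1400 audit(1205250229.431:3): avc:  denied  { mounton } for  pid=1286 comm="rhgb" path="/etc/rhgb/temp" dev=sda2 ino=13337674 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=1400 audit(1205250229.432:4): avc:  denied  { setattr } for  pid=1286 comm="rhgb" name="/" dev=ramfs ino=5387 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir
type=1400 audit(1205250231.962:7): avc:  denied  { write } for  pid=1287 comm="rhgb" name="/" dev=ramfs ino=5387 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir
type=1400 audit(1205250231.963:11): avc:  denied  { create } for  pid=1287 comm="rhgb" name="rhgb-socket" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def split_context(ctx):
    """Return (type, mls_range) from user:role:type:range.
    The MLS range may itself contain ':' (e.g. s0-s15:c0.c1023)."""
    _user, _role, type_, mls = ctx.split(":", 3)
    return type_, mls

def summarize(log_text):
    """Group denials by (source type, target type, class) -> permissions,
    and record every MLS range observed for each type."""
    rules = defaultdict(set)
    ranges = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        stype, srange = split_context(m["scontext"])
        ttype, trange = split_context(m["tcontext"])
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
        ranges[stype].add(srange)
        ranges[ttype].add(trange)
    return dict(rules), dict(ranges)

if __name__ == "__main__":
    rules, ranges = summarize(SAMPLE)
    for (s, t, c), perms in sorted(rules.items()):
        print(f"{s} -> {t}:{c} {{ {' '.join(sorted(perms))} }}")
    for type_, seen in sorted(ranges.items()):
        print(f"{type_}: {', '.join(sorted(seen))}")
```

On these lines every denial has rhgb running as initrc_t at s0-s15:c0.c1023 acting on objects labeled at s0.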
Comment 1 Joe Nall 2008-03-11 12:41:06 EDT
Should rhgb have a type policy and a ranged transition to s0, or is this a type constraint issue that is shared with the targeted policy?
Comment 2 Daniel Walsh 2008-03-11 19:17:47 EDT
Well, we can either turn off rhgb from MLS boots (remove rhgb from the kernel line) or add rhgb to the mls policy.
Comment 3 Daniel Walsh 2008-03-17 15:40:49 EDT
I think we should just turn off rhgb in MLS environments. We need a lot of work to get it to work with XSELinux.
Comment 4 Bug Zapper 2008-05-14 01:56:49 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Daniel Walsh 2008-07-02 15:42:47 EDT
rhgb is removed from rawhide, so I am closing.
