Bug 440189 – Current avc Denials during rawhide startup

Bug 440189 - Current avc Denials during rawhide startup

Summary:	Current avc Denials during rawhide startup

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	i686 Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-04-02 02:09 EDT by dex
Modified:	2008-05-02 16:12 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-05-02 16:12:38 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
dmesg (44.96 KB, text/plain) 2008-04-02 02:09 EDT, dex	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description dex 2008-04-02 02:09:21 EDT

Description of problem:
I'm Currently seeing these denials during startup on this rawhide system

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-26.fc9.noarch

How reproducible:
start system

Steps to Reproduce:
1. start system
2.
3.
  
Actual results:
denials

Expected results:
no denials

Additional info:

please see attached dmesg

Comment 1 dex 2008-04-02 02:09:21 EDT

Created attachment 300013 [details]
dmesg

Comment 2 Daniel Walsh 2008-04-06 06:33:03 EDT

This looks like /sbin/hwclock does not have the correct label on it?

ls -lZ /sbin/hwclock

I am also not seeing these errors in the latest -28 policy.  Please make sure
there is only one policy file in /etc/selinux/targeted/policy

Remove the lower.

Comment 3 dex 2008-04-06 13:30:41 EDT

ls -lZ /sbin/hwclock
-rwxr-xr-x  root root system_u:object_r:hwclock_exec_t:s0 /sbin/hwclock

looks ok to my untrained eye.

Also no change with -28 same set of avc's after a relabel :-(

Comment 4 Daniel Walsh 2008-04-07 23:13:46 EDT

udev is supposed to be transitioning to hwclock_t


Are you sure udev is executing /sbin/hwclock?

Is /usr/sbin/hwclock a symlink?

Comment 5 dex 2008-04-08 17:49:22 EDT

(In reply to comment #4)
> udev is supposed to be transitioning to hwclock_t
> 
> 
> Are you sure udev is executing /sbin/hwclock?
How can I verify this, 

> Is /usr/sbin/hwclock a symlink?
yes 
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/sbin/hwclock
-> ../../sbin/hwclock

policy -29

Comment 6 Daniel Walsh 2008-04-09 08:33:56 EDT

# yum install setools

# sesearch --allow | grep udev | grep hwclock
   allow udev_t hwclock_t : process transition ; 
   allow hwclock_t udev_t : process sigchld ; 
   allow hwclock_t udev_t : fd use ; 
   allow hwclock_t udev_t : fifo_file { ioctl read write getattr lock append }; 
   allow udev_t hwclock_exec_t : file { read getattr execute }; 
   allow hwclock_t udev_tbl_t : file { ioctl read getattr lock }; 


Also verify that there is only one policy file in
/etc/selinux/targeted/policy/policy*

If there are more then one, please delete all but the greatest.

Note You need to log in before you can comment on or make changes to this bug.