446555 – SELinux is preventing /sbin/losetup (fsadm_t) "append" to /var/run/xen-hotplug/block (udev_var_run_t).

Bug 446555 - SELinux is preventing /sbin/losetup (fsadm_t) "append" to /var/run/xen-hotplug/block (udev_var_run_t).

Summary: SELinux is preventing /sbin/losetup (fsadm_t) "append" to /var/run/xen-hotplu...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.1
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-15 02:39 UTC by Rahadi Kurniawan
Modified:	2008-05-22 18:46 UTC (History)
CC List:	0 users
Fixed In Version:	u2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-05-22 18:46:14 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Rahadi Kurniawan 2008-05-15 02:39:30 UTC

Description of problem:
SummarySELinux is preventing /sbin/losetup (fsadm_t) "append" to
/var/run/xen-hotplug/block (udev_var_run_t).Detailed DescriptionSELinux denied
access requested by /sbin/losetup. It is not expected that this access is
required by /sbin/losetup and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.Allowing AccessSometimes labeling
problems can cause SELinux denials. You could try to restore the default system
file context for /var/run/xen-hotplug/block, restorecon -v
/var/run/xen-hotplug/block If this does not work, there is currently no
automatic way to allow this access. Instead, you can generate a local policy
module to allow this access - see FAQ Or you can disable SELinux protection
altogether. Disabling SELinux protection is not recommended. Please file a bug
report against this package.Additional InformationSource
Context:  system_u:system_r:fsadm_t:SystemLow-SystemHighTarget
Context:  system_u:object_r:udev_var_run_tTarget
Objects:  /var/run/xen-hotplug/block [ file ]Affected RPM
Packages:  util-linux-2.13-0.45.el5 [application]Policy
RPM:  selinux-policy-2.4.6-104.el5Selinux Enabled:  TruePolicy
Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin
Name:  plugins.catchall_fileHost
Name:  tsks01.tsklogistics.lokalPlatform:  Linux tsks01.tsklogistics.lokal
2.6.18-53.el5xen #1 SMP Mon Nov 12 02:46:57 EST 2007 x86_64 x86_64Alert
Count:  279Line Numbers:   Raw Audit Messages :avc: denied { append } for
comm="losetup" dev=sda3 egid=0 euid=0 exe="/sbin/losetup" exit=0 fsgid=0 fsuid=0
gid=0 items=0 path="/var/run/xen-hotplug/block" pid=11663
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:udev_var_run_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. after my previous bug report, I run audit2allow -m local -l -i
/var/log/messages > local.te as root
2. then I run centos 5.1 again
3. se linux warning appear
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-05-22 18:46:14 UTC

Should be fixed by the U2 policy.

selinux-policy-2.4.6-136

Note You need to log in before you can comment on or make changes to this bug.