Bug 492733 - dmesg denied read/open/getattr for /etc/ld.so.cache on boot
dmesg denied read/open/getattr for /etc/ld.so.cache on boot
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-28 18:44 EDT by Allen Kistler
Modified: 2009-03-30 10:16 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-30 10:16:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Allen Kistler 2009-03-28 18:44:12 EDT
Description of problem:
During boot, 3 AVC denials occur (in permissive mode) for dmesg.
Presumably dmesg needs access to ld.so.cache.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.10-4.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. boot & watch the messages
2. alternatively, read /var/log/messages, since they occur before auditd starts
  
Actual results:
AVC denials (see below)

Expected results:
No AVC denials

Additional info:
From /var/log/messages ...

vtest kernel: type=1400 audit(1238277800.038:6): avc:  denied  { read } for pid=1467 comm="dmesg" name="ld.so.cache" dev=dm-0 ino=49672 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

vtest kernel: type=1400 audit(1238277800.038:7): avc:  denied  { open } for  pid=1467 comm="dmesg" name="ld.so.cache" dev=dm-0 ino=49672 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

vtest kernel: type=1400 audit(1238277800.038:8): avc:  denied  { getattr } for  pid=1467 comm="dmesg" path="/etc/ld.so.cache" dev=dm-0 ino=49672 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Comment 1 Daniel Walsh 2009-03-30 10:16:48 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.10-5.fc11.noarch

Note You need to log in before you can comment on or make changes to this bug.