Bug 508099 - Various selinuxfs mls denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 508447 508484 508547 508627 508866
Reported: 2009-06-25 11:59 EDT by Orion Poplawski
Modified: 2009-10-23 19:07 EDT
Doc Type: Bug Fix
Last Closed: 2009-10-23 19:07:31 EDT


Description Orion Poplawski 2009-06-25 11:59:33 EDT
Description of problem:

See these on boot:

type=AVC msg=audit(1245909181.162:363): avc:  denied  { read } for  pid=15976 comm="find" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883993.694:5): avc:  denied  { read } for  pid=1277 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883993.846:6): avc:  denied  { read } for  pid=1317 comm="mii-tool" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
Jun 24 16:53:18 aspen kernel: type=1400 audit(1245883998.062:13): avc:  denied  { read } for  pid=1441 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-53.fc11.noarch
Comment 1 Ed Young 2009-06-25 16:51:20 EDT
See these on vpnc connect:

Source Context:  unconfined_u:unconfined_r:ifconfig_t:s0
Target Context:  system_u:object_r:security_t:s0
Target Objects:  mls [ file ]
Source:  ifconfig
Source Path:  /sbin/ifconfig
Port:  <Unknown>
Host:  dad
Source RPM Packages:  net-tools-1.60-92.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-50.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  dad
Platform:  Linux dad 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count:  6
First Seen:  Wed 24 Jun 2009 08:42:56 AM EDT
Last Seen:  Thu 25 Jun 2009 04:24:00 PM EDT
Local ID:  5b16de0c-7f9f-4337-990c-c637dfd970b9
Line Numbers:  
Raw Audit Messages :

node=dad type=AVC msg=audit(1245961440.664:30): avc: denied { read } for pid=2610 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file 

node=dad type=SYSCALL msg=audit(1245961440.664:30): arch=40000003 syscall=5 success=no exit=-13 a0=bfba8108 a1=8000 a2=0 a3=bfba8108 items=0 ppid=2594 pid=2610 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:unconfined_r:ifconfig_t:s0 key=(null)
Comment 2 Miroslav Grepl 2009-06-26 03:44:40 EDT
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
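As an added illustration (not part of this bug report or of the selinux-policy package), the script below does for the denials quoted above roughly what audit2allow does in the commands in this comment: it parses AVC records out of audit-log text, merges them by source type, target type and object class, and renders the resulting allow rules as a .te module source. The sample log lines are constructed from the records quoted in this report; the module name "mypol" matches the one used in the commands above and is otherwise arbitrary. The caveat a practitioner would want: rules generated this way grant exactly what was denied and nothing less, with no judgement about whether the access is appropriate, so read the generated .te before running semodule -i, and remove the local module once the fixed selinux-policy build is installed so the two do not drift apart.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records modelled on the ones quoted in this bug,
# plus one SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1245909181.162:363): avc:  denied  { read } for  pid=15976 comm="find" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1245909181.162:363): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1245883993.694:5): avc:  denied  { read } for  pid=1277 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245883993.846:6): avc:  denied  { read } for  pid=1317 comm="mii-tool" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245883998.062:13): avc:  denied  { read } for  pid=1441 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
"""

# Matches the permission set and the three fields an allow rule needs.
# Tolerates the single- and double-space variants seen in audit.log and syslog.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (user:role:type:range) of an SELinux context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, class, frozenset(perms)) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def collect_rules(log_text):
    """Merge denials into {(src_type, tgt_type, class): set(perms)}.

    Several denials from the same domain (ifconfig and mii-tool both run as
    ifconfig_t) collapse into one rule, which is what audit2allow does too.
    """
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_module(rules, name="mypol", version="1.0"):
    """Render a .te policy module source (module header, require block, allow rules)."""
    types = sorted({t for (s, g, _) in rules for t in (s, g)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Equivalent to: grep avc /var/log/audit/audit.log | audit2allow -m mypol
    print(render_module(collect_rules(SAMPLE_AUDIT_LOG)))
```

Run against real input with `collect_rules(open("/var/log/audit/audit.log").read())`; the output is the .te you would inspect before compiling it with checkmodule/semodule_package, or simply compare against what audit2allow -M produces. For the records in this report the result is three allow rules, one per source domain, each granting only { read } on security_t:file.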
Comment 3 Miroslav Grepl 2009-06-29 04:45:53 EDT
*** Bug 508547 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2009-06-29 05:58:15 EDT
*** Bug 508484 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2009-06-29 10:07:43 EDT
*** Bug 508447 has been marked as a duplicate of this bug. ***
Comment 6 Jiri Popelka 2009-07-01 08:20:44 EDT
*** Bug 508866 has been marked as a duplicate of this bug. ***
Comment 7 Jiri Popelka 2009-07-01 08:28:12 EDT
*** Bug 508627 has been marked as a duplicate of this bug. ***