Bug 528339 - SELinux is preventing /usr/sbin/mcelog "read" access on mem.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:15fb2d7ceb9...
Depends On:
Blocks:
 
Reported: 2009-10-11 12:12 UTC by Jim Meyering
Modified: 2016-04-26 15:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-13 15:37:29 UTC
Type: ---



Description Jim Meyering 2009-10-11 12:12:37 UTC
Summary:

SELinux is preventing /usr/sbin/mcelog "read" access on mem.

Detailed Description:

[mcelog has a permissive type (dmesg_t). This access was not denied.]

SELinux denied access requested by mcelog. It is not expected that this access
is required by mcelog and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:dmesg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:memory_device_t:s0
Target Objects                mem [ chr_file ]
Source                        mcelog
Source Path                   /usr/sbin/mcelog
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mcelog-0.9pre1-0.1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-24.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64 #1
                              SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   102
First Seen                    Wed 07 Oct 2009 09:01:01 AM CEST
Last Seen                     Sun 11 Oct 2009 02:01:01 PM CEST
Local ID                      63bb9831-db59-4b8e-9836-078c923b0800
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1255262461.936:2189): avc:  denied  { read } for  pid=18677 comm="mcelog" name="mem" dev=tmpfs ino=3291 scontext=system_u:system_r:dmesg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1255262461.936:2189): arch=c000003e syscall=2 success=yes exit=0 a0=409e28 a1=0 a2=1000 a3=a items=0 ppid=18675 pid=18677 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=275 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:dmesg_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall,mcelog,dmesg_t,memory_device_t,chr_file,read
audit2allow suggests:

#============= dmesg_t ==============
allow dmesg_t memory_device_t:chr_file read;
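
The raw audit messages above carry more than audit2allow's one-line suggestion uses: the SYSCALL record shares the AVC's event serial (2189) and reports success=yes, which is exactly what a permissive domain looks like (the access was logged, not blocked, as the bracketed note at the top of the report says). The following is an added example, not part of the bug report and not code from setroubleshoot or audit2allow: it parses the two records copied from the report, derives the same allow rule audit2allow printed, and reads the paired SYSCALL result to say whether the denial was actually enforced. Treating memory_device_t (the type of the mem device here) as a target worth manual review is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records from the report above, with the
# host name already replaced by "(removed)" as in the original.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1255262461.936:2189): avc:  denied  { read } for  pid=18677 comm="mcelog" name="mem" dev=tmpfs ino=3291 scontext=system_u:system_r:dmesg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
node=(removed) type=SYSCALL msg=audit(1255262461.936:2189): arch=c000003e syscall=2 success=yes exit=0 a0=409e28 a1=0 a2=1000 a3=a items=0 ppid=18675 pid=18677 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=275 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:dmesg_t:s0-s0:c0.c1023 key=(null)
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event serial
_AVC = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}')


def parse_record(line):
    """Split one audit record into a dict of fields plus its event id."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    rec['event'] = (m.group(1), int(m.group(2))) if m else None
    a = _AVC.search(line)
    if a:
        rec['decision'] = a.group(1)
        rec['perms'] = a.group(2).split()
    return rec


def context_type(ctx):
    """Return the type (third component) of an SELinux context string."""
    return ctx.split(':')[2]


def allow_rule(avc):
    """Render the audit2allow-style rule that would permit this AVC."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(avc['scontext']),
                                   context_type(avc['tcontext']),
                                   avc['tclass'], perm_str)


def correlate(text):
    """Group records by event id so an AVC sits next to its SYSCALL record."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['event']][rec['type']] = rec
    return dict(events)


def assess(event, permissive_types=frozenset(),
           sensitive_types=frozenset({'memory_device_t'})):
    """Derive the rule and decide whether the denial was enforced.

    permissive_types: source types known to be permissive (setroubleshoot
    printed that dmesg_t was one). sensitive_types: target types this
    example flags for manual review instead of a blanket allow.
    """
    avc = event['AVC']
    sc = event.get('SYSCALL')
    src, tgt = context_type(avc['scontext']), context_type(avc['tcontext'])
    enforced = src not in permissive_types
    # If the syscall still completed, the AVC was only logged, not enforced.
    if sc is not None and sc.get('success') == 'yes':
        enforced = False
    findings = ['enforced' if enforced else 'logged only (not enforced)']
    if tgt in sensitive_types:
        findings.append('target type %s needs review before allowing' % tgt)
    return {'rule': allow_rule(avc), 'enforced': enforced, 'findings': findings}


if __name__ == '__main__':
    for key, ev in sorted(correlate(SAMPLE_AUDIT).items()):
        result = assess(ev)
        print(key, result['rule'], '; '.join(result['findings']))
```

Run on the report's records this prints the same `allow dmesg_t memory_device_t:chr_file read;` line audit2allow produced, together with "logged only", which is the detail to check before assuming an enforcing-mode denial from a mere AVC line.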

Comment 1 Jim Meyering 2009-10-11 12:16:01 UTC
Hi Dan,

I think I reported this one before, but since then I've updated policy, and in spite of that, today I just saw the 100th and 101st instances of this AVC.

Comment 2 Daniel Walsh 2009-10-11 12:23:20 UTC
Jim, are you sure the policy upgrade succeeded?

# rpm -q selinux-policy
selinux-policy-3.6.32-24.fc12.noarch


# audit2allow -wi  /tmp/t
node=(removed) type=AVC msg=audit(1255262461.936:2189): avc:  denied  { read } for  pid=18677 comm="mcelog" name="mem" dev=tmpfs ino=3291 scontext=system_u:system_r:dmesg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

If I run it through audit2why it says it is allowed.  And my reading of the policy looks good.

Could you try

yum reinstall selinux-policy-targeted

And make sure it does not throw an error.

Comment 3 Jim Meyering 2009-10-11 13:06:19 UTC
Hi Dan,
Thanks for the quick reply (and on a Sunday!).

$ rpm -q selinux-policy
selinux-policy-3.6.32-24.fc12.noarch

Hmm...policy upgrade failed, as I suppose you guessed:

$ yum -y reinstall selinux-policy-targeted
Loaded plugins: fastestmirror, presto, refresh-packagekit
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * rawhide: fr.rpmfind.net
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.6.32-24.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================
 Package                      Arch        Version             Repository    Size
=================================================================================
Reinstalling:
 selinux-policy-targeted      noarch      3.6.32-24.fc12      rawhide      1.8 M

Transaction Summary
=================================================================================
Remove        0 Package(s)
Reinstall     1 Package(s)
Downgrade     0 Package(s)

Total download size: 1.8 M
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.8 M
selinux-policy-targeted-3.6.32-24.fc12.noarch.rpm         | 1.8 MB     00:02     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-targeted-3.6.32-24.fc12.noarch             1/1 
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:unconfined_execmem_exec_t:s0 specified for /usr/lib64/ghc-6.10.4/ghc [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
semodule:  Failed!

Installed:
  selinux-policy-targeted.noarch 0:3.6.32-24.fc12                                

Complete!

Comment 4 Daniel Walsh 2009-10-13 13:42:12 UTC
Could you try to install selinux-policy-targeted.noarch 0:3.6.32-25.fc12?

From koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=136306

If this works for you I will ask for this policy in beta.

Comment 5 Jim Meyering 2009-10-13 14:10:28 UTC
Dan,
That installed fine, and with it, mcelog no longer provokes AVCs.

Thanks!

Comment 6 Daniel Walsh 2009-10-13 15:37:29 UTC
Fixed in selinux-policy-3.6.32-25.fc12.noarch

