Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 531228

Summary: Real Time Kernel supports SELinux options not available in policy
Product: Red Hat Enterprise Linux 5 Reporter: Daniel Walsh <dwalsh>
Component: libsepolAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: low    
Version: 5.5CC: omoris
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 531229 (view as bug list) Environment:
Last Closed: 2010-03-30 07:51:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 531229    

Description Daniel Walsh 2009-10-27 12:18:54 UTC
Description of problem:

Since we are pulling in a newer kernel for the real time kernel, it includes access that is not defined in the RHEL5 policy.  These access checks are denied by default, including open.  This means a RHEL5 box can not run with SELinux in enforcing mode with the Real Time Kernel.  In Fedora we have the ability to tell the kernel to "allow" all access that it knows about and the policy does not.  

In order to get this to work in RHEL5 we need to back port changes to the checkpolicy, libsepol and selinux-policy packages.

The test to see if these backports work is to develop a policy on RHEL5 that a Real Time Kernel can boot in enforcing mode.

Comment 2 Daniel Walsh 2009-10-27 14:31:12 UTC
Fixed in libsepol-1.15.2-3.el5

Comment 4 Ondrej Moriš 2010-03-03 14:06:13 UTC
It's quite complicated to reproduce this problem. Even MRG guys do not hit it on RHEL5.3/5.4... 

* I've tried two RT kernels and both booted successfully without AVCs. 
* I've tried both new and old version of: checkpolicy & libsepol & selinux-policy
* I've recompiled selinux-policy several times (including many changes)

RT kernel booted successfully in all cases (with no complaints).

Since I did not reproduce the issue I'm not switching this bug to VERIFIED, however after two days of testing I'm pretty sure that it's fixed. Patch is obviously applied correctly. 

Setting verified to SanityOnly.

Comment 6 errata-xmlrpc 2010-03-30 07:51:12 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0183.html