Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 531230

Summary: Real Time Kernel supports SELinux options not available in policy
Product: Red Hat Enterprise Linux 5 Reporter: Daniel Walsh <dwalsh>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: low    
Version: 5.5CC: mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 531229 Environment:
Last Closed: 2010-03-30 07:50:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 531229    
Bug Blocks:    

Description Daniel Walsh 2009-10-27 12:22:43 UTC 
+++ This bug was initially created as a clone of Bug #531229 +++

+++ This bug was initially created as a clone of Bug #531228 +++

Description of problem:

Since we are pulling in a newer kernel for the real time kernel, it includes access that is not defined in the RHEL5 policy.  These access checks are denied by default, including open.  This means a RHEL5 box can not run with SELinux in enforcing mode with the Real Time Kernel.  In Fedora we have the ability to tell the kernel to "allow" all access that it knows about and the policy does not.  

In order to get this to work in RHEL5 we need to back port changes to the checkpolicy, libsepol and selinux-policy packages.

The test to see if these backports work is to develop a policy on RHEL5 that a Real Time Kernel can boot in enforcing mode.
Comment 2 Miroslav Grepl 2010-01-05 14:19:21 UTC 
Fixed in selinux-policy-2.4.6-263.el5
Comment 10 errata-xmlrpc 2010-03-30 07:50:35 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html