Bug 537617 - selinux logs AVCs on bootup - plymouth_t denied access for lvm/cryptsetup
Summary: selinux logs AVCs on bootup - plymouth_t denied access for lvm/cryptsetup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-11-15 05:00 UTC by Bradley
Modified: 2009-11-24 07:49 UTC (History)

Fixed In Version: 3.6.32-46.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-24 07:49:22 UTC
Type: ---


Attachments
dmesg (44.19 KB, text/plain)
2009-11-15 05:01 UTC, Bradley

Description Bradley 2009-11-15 05:00:59 UTC
Description of problem:

selinux AVCs appear on bootup. These are in dmesg only, and don't get captured anywhere else (/var/log/messages or /var/log/audit/audit.log). Despite the 'denied', and selinux in enforcing mode, everything appears to work, including my crypted /home, which is an lvm lv.

type=1400 audit(1258260098.374:9272): avc:  denied  { execute } for  pid=759 comm="plymouth" name="cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=1400 audit(1258260098.374:9273): avc:  denied  { read open } for  pid=759 comm="plymouth" name="cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=1400 audit(1258260098.374:9274): avc:  denied  { execute_no_trans } for  pid=759 comm="plymouth" path="/sbin/cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=1400 audit(1258260098.375:9275): avc:  denied  { read } for  pid=759 comm="cryptsetup" name="devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1258260098.375:9276): avc:  denied  { open } for  pid=759 comm="cryptsetup" name="devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1258260098.375:9277): avc:  denied  { getattr } for  pid=759 comm="cryptsetup" path="/proc/devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1258260098.375:9278): avc:  denied  { getattr } for  pid=759 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1258260098.375:9279): avc:  denied  { read write } for  pid=759 comm="cryptsetup" name="control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1258260098.376:9280): avc:  denied  { open } for  pid=759 comm="cryptsetup" name="control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1258260098.376:9281): avc:  denied  { ipc_lock } for  pid=759 comm="cryptsetup" capability=14 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:system_r:plymouth_t:s0 tclass=capability


Version-Release number of selected component (if applicable):


selinux-policy-3.6.32-41.fc12.noarch
selinux-policy-targeted-3.6.32-41.fc12.noarch
plymouth-0.8.0-0.2009.29.09.19.fc12.x86_64 (from updates-testing)
lvm2-2.02.53-2.fc12.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Boot
2. dmesg | grep avc
3.
  
Actual results:

Above messages

Expected results:

No error messages

Additional info:

Just before this I get:

name_count maxed, losing inode data: dev=00:05, inode=9249 which google suggests is audit related - may be why it's not showing up in the audit logs???

Comment 1 Bradley 2009-11-15 05:01:45 UTC
Created attachment 369564 [details]
dmesg

Comment 2 Daniel Walsh 2009-11-16 15:36:36 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-46.fc12.noarch
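
The denials quoted in the description and the audit2allow workflow in the comment above can be illustrated with a small parser. The following is an added example, not code from the bug report or from the selinux-policy or audit2allow projects: it reads the ten AVC lines exactly as posted above, extracts the source domain, target type, object class and permission set from each, and collapses them into the same kind of `allow` rules that `audit2allow -M mypol` would write into `mypol.te`. The rule rendering is a simplified assumption of audit2allow's output format (audit2allow may instead emit policy interface calls or merge rules differently). Because it uses a regex search rather than a full-line match, it tolerates the timestamp prefixes that dmesg output usually carries, which matters here since the reporter only saw these messages in dmesg.

```python
import re
from collections import defaultdict

# The AVC lines as posted in the bug description above (copied verbatim).
AVC_LINES = """\
type=1400 audit(1258260098.374:9272): avc:  denied  { execute } for  pid=759 comm="plymouth" name="cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=1400 audit(1258260098.374:9273): avc:  denied  { read open } for  pid=759 comm="plymouth" name="cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=1400 audit(1258260098.374:9274): avc:  denied  { execute_no_trans } for  pid=759 comm="plymouth" path="/sbin/cryptsetup" dev=dm-0 ino=2146541 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
type=1400 audit(1258260098.375:9275): avc:  denied  { read } for  pid=759 comm="cryptsetup" name="devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1258260098.375:9276): avc:  denied  { open } for  pid=759 comm="cryptsetup" name="devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1258260098.375:9277): avc:  denied  { getattr } for  pid=759 comm="cryptsetup" path="/proc/devices" dev=proc ino=4026531983 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=1400 audit(1258260098.375:9278): avc:  denied  { getattr } for  pid=759 comm="cryptsetup" path="/dev/mapper/control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1258260098.375:9279): avc:  denied  { read write } for  pid=759 comm="cryptsetup" name="control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1258260098.376:9280): avc:  denied  { open } for  pid=759 comm="cryptsetup" name="control" dev=tmpfs ino=3040 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=1400 audit(1258260098.376:9281): avc:  denied  { ipc_lock } for  pid=759 comm="cryptsetup" capability=14 scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:system_r:plymouth_t:s0 tclass=capability
"""

# "avc:  denied  { read open } for  <key=value fields...>"; search() rather than
# match() so a leading dmesg timestamp or syslog prefix does not break parsing.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either "quoted" (comm, name, path) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'decision': m.group('decision'), 'perms': m.group('perms').split()}
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))})
    return rec


def parse_lines(text):
    """Parse every AVC line in a blob of dmesg/audit.log text, skipping other lines."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


def context_type(ctx):
    """user:role:type:range -> type  (e.g. system_u:system_r:plymouth_t:s0 -> plymouth_t)."""
    return ctx.split(':')[2]


def allow_rules(records):
    """Collapse denials into {(source_type, target_type, class): set(permissions)}."""
    rules = defaultdict(set)
    for r in records:
        if r['decision'] != 'denied':
            continue
        src = context_type(r['scontext'])
        # A process acting on its own context (here the ipc_lock capability) is
        # written as 'self' in policy language rather than repeating the type.
        tgt = 'self' if r['tcontext'] == r['scontext'] else context_type(r['tcontext'])
        rules[(src, tgt, r['tclass'])].update(r['perms'])
    return rules


def render(rules):
    """Render the grouped denials as allow rules, one per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        out.append(f'allow {src} {tgt}:{cls} {p};')
    return out


if __name__ == '__main__':
    recs = parse_lines(AVC_LINES)
    print(f'{len(recs)} denials, all in domain '
          f'{ {context_type(r["scontext"]) for r in recs} }')
    for rule in render(allow_rules(recs)):
        print(rule)
```

Reading the grouped rules before loading a module is the useful part: the four lines this produces say that plymouth_t needs to run /sbin/cryptsetup (lvm_exec_t) without a domain transition, read /proc/devices, talk to the device-mapper control node (lvm_control_t), and hold CAP_IPC_LOCK, which is exactly the access the fixed policy package later grants. A locally generated module is a stop-gap that stays in place after the policy update, so it is worth removing with `semodule -r mypol` once the fixed selinux-policy is installed.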

Comment 3 Fedora Update System 2009-11-16 19:38:29 UTC
selinux-policy-3.6.32-46.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-46.fc12

Comment 4 Fedora Update System 2009-11-18 14:12:29 UTC
selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-11672

Comment 5 Fedora Update System 2009-11-24 07:47:25 UTC
selinux-policy-3.6.32-46.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

