Here are 4 AVC denials found after reboot of a system in MLS policy.

# ausearch -m avc -ts recent -sv no
----
time->Fri Dec 11 16:43:51 2009
type=SYSCALL msg=audit(1260546231.239:27): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfbeeda0 a2=0 a3=81a5548 items=0 ppid=1 pid=2241 auid=4294967295 uid=43 gid=43 euid=43 suid=43 fsuid=43 egid=43 sgid=43 fsgid=43 tty=(none) ses=4294967295 comm="xfs" exe="/usr/bin/xfs" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546231.239:27): avc: denied { create } for pid=2241 comm="xfs" name="fs7100" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
----
time->Fri Dec 11 16:43:51 2009
type=SYSCALL msg=audit(1260546231.431:28): arch=40000003 syscall=5 success=no exit=-13 a0=9cd3690 a1=42 a2=180 a3=9cd3658 items=0 ppid=1 pid=2254 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="anacron" exe="/usr/sbin/anacron" subj=system_u:system_r:crond_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546231.431:28): avc: denied { write } for pid=2254 comm="anacron" name="cron.daily" dev=dm-0 ino=1116699 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
time->Fri Dec 11 16:43:56 2009
type=SYSCALL msg=audit(1260546236.053:29): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaacdd0 a2=809e5e0 a3=2b67 items=0 ppid=2435 pid=2436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci" exe="/usr/sbin/ricci" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546236.053:29): avc: denied { name_bind } for pid=2436 comm="ricci" src=11111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ricci_port_t:s0 tclass=tcp_socket
----
time->Fri Dec 11 16:44:32 2009
type=SYSCALL msg=audit(1260546272.924:30): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b6fa37e0 a2=359118 a3=0 items=0 ppid=1 pid=2022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546272.924:30): avc: denied { write } for pid=2022 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116623 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
----

# ausearch -m avc -ts recent | audit2allow

#============= crond_t ==============
allow crond_t system_cron_spool_t:file write;

#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t initrc_tmp_t:sock_file create;
allow initrc_t ricci_port_t:tcp_socket name_bind;

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls

# rpm -q selinux-policy-mls
selinux-policy-mls-2.4.6-255.el5_4.2
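The audit2allow output in the report is derived mechanically from the AVC records above it: each denial contributes one (source type, target type, class, permission) tuple, and the tuples are grouped by source domain. The following script is an added example, not part of the bug report and not audit2allow's own code; it parses the four AVC lines from the report (copied verbatim as constructed sample input), reproduces the grouping, and lists which processes are running under the generic initrc_t domain, which is the symptom the next comment points at. Function names and the record layout are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the four "type=AVC" records from the report above, verbatim.
SAMPLE_AVC = r'''
type=AVC msg=audit(1260546231.239:27): avc: denied { create } for pid=2241 comm="xfs" name="fs7100" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1260546231.431:28): avc: denied { write } for pid=2254 comm="anacron" name="cron.daily" dev=dm-0 ino=1116699 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1260546236.053:29): avc: denied { name_bind } for pid=2436 comm="ricci" src=11111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ricci_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1260546272.924:30): avc: denied { write } for pid=2022 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116623 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
'''

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type:range. Under MLS the range itself contains ':'
    (e.g. s0-s15:c0.c1023), so only the first three colons are separators."""
    user, role, typ, rng = ctx.split(":", 3)
    return user, role, typ, rng


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    _, _, stype, srange = parse_context(fields["scontext"])
    _, _, ttype, trange = parse_context(fields["tcontext"])
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "stype": stype, "srange": srange,
        "ttype": ttype, "trange": trange,
        "tclass": fields["tclass"],
    }


def parse_avc_log(text):
    """Parse every AVC denial in a block of ausearch output, skipping other lines."""
    recs = (parse_avc(l) for l in text.splitlines())
    return [r for r in recs if r is not None]


def initrc_processes(records):
    """Commands whose source domain is initrc_t: daemons with no policy module of
    their own, so they never transitioned out of the init script domain."""
    return sorted({r["comm"] for r in records if r["stype"] == "initrc_t"})


def audit2allow_style(records):
    """Collapse denials into allow rules grouped by source type, laid out like
    the audit2allow listing in the report. Repeated denials of the same
    (source, target, class) are merged into one rule with a { perm perm } set."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    by_domain = defaultdict(list)
    for (s, t, c), ps in sorted(perms.items()):
        p = " ".join(sorted(ps))
        if len(ps) > 1:
            p = "{ " + p + " }"
        by_domain[s].append(f"allow {s} {t}:{c} {p};")
    out = []
    for s in sorted(by_domain):
        out.append(f"#============= {s} ==============")
        out.extend(by_domain[s])
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    records = parse_avc_log(SAMPLE_AVC)
    print(audit2allow_style(records))
    print("\nrunning as initrc_t:", ", ".join(initrc_processes(records)))
```

Run on the sample, the rules come out in the same order as the report's audit2allow listing (crond_t first, then the three initrc_t rules), and the initrc_t list is xfs, ricci and setroubleshootd; anacron is the only one of the four that had been confined to its own domain (crond_t). The range fields are kept on each record because under MLS a denial can also come from the level constraints rather than the type rules, and the ranges are what you would compare in that case.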
Did you install the MLS approved packages? You seem to have some app running as initrc_t which needs policy written for it.
Well, all are regular 5.4 packages. How should I check whether it is an MLS approved pkg?

# rpm -qf /usr/sbin/ricci /usr/bin/xfs /usr/sbin/anacron
ricci-0.12.2-6.el5
xorg-x11-xfs-1.0.2-4
anacron-2.3-45.el5
xorg/ricci are definitely not. Steve, do you have the list?
The list is in the cert rpm. ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5. Anything in X is not part of the CC evaluation. However, is MLS limited to only the rpms from LSPP or is it reasonable to expect other applications to work in MLS?
MLS was only designed and tested to work with LSPP. In RHEL6 I think we should broaden this. But we simply did not include all of the policy modules in the mls policy to make this work.
As per comments above I am closing it as NOTABUG.
(In reply to comment #4)
> The list is in the cert rpm.
> ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5. Anything in X is not part
> of the CC evaluation. However, is MLS limited to only the rpms from LSPP or is
> it reasonable to expect other applications to work in MLS?

I think the lists you are referring to can be found in the tarball from the RPM [1] in directory kickstart/src. So anything else not listed there is not expected to work in MLS on RHEL5.

What do we plan for RHEL6? Is there going to be a list of supported/expected to work packages in MLS?

[1] - ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/RPMS/lspp-eal4-config-ibm-0.65-2.el5.noarch.rpm