Description of problem: root cannot run udevmonitor on MLS machine in enforcing mode Version-Release number of selected component (if applicable): RHEL5.6-Server-20101119.0 selinux-policy-2.4.6-293.el5 selinux-policy-devel-2.4.6-293.el5 selinux-policy-mls-2.4.6-293.el5 selinux-policy-targeted-2.4.6-293.el5 How reproducible: always Steps to Reproduce ================== (root is logged in via console) sh-3.2# id -Z system_u:system_r:sysadm_t:s0-s15:c0.c1023 sh-3.2# setenforce 1 sh-3.2# udevmonitor error getting socket: Permission denied sh-3.2# setenforce 0 sh-3.2# udevmonitor udevmonitor prints the received event from the kernel [UEVENT] and the event which udev sends out after rule processing [UDEV] ^C Actual results: type=1400 audit(1290515858.409:49): avc: denied { create } for pid=3826 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket type=1404 audit(1290515864.241:50): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 type=1400 audit(1290515867.913:51): avc: denied { create } for pid=3828 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket type=1400 audit(1290515867.913:52): avc: denied { bind } for pid=3828 comm="udevmonitor" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket Expected results: no AVCs
I forgot to mention that the machine is in single mode.
We allow it in RHEL6.
Yes we should allow it.
Fixed in selinux-policy-2.4.6-294.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When SELinux was running in the enforcing mode, an SELinux MLS policy did not allow the udevmonitor to create a socket. As a result, an attempt to run this command in single user mode failed with the following error message: error getting socket: Permission denied With this update, the SELinux policy has been fixed to permit the creation of such socket, and udevmonitor can now be run as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html