First Last Prev Next    This bug is not in your last search results.
Bug 657262 - udevinfo does not work when MLS policy is in enforcing mode
udevinfo does not work when MLS policy is in enforcing mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.6
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-25 05:47 EST by Milos Malik
Modified: 2012-10-15 10:26 EDT (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-296.el5
Doc Type: Bug Fix
Doc Text:
Previously, the SELinux MLS policy prevented the udevinfo command from producing the expected results. This update fixes the relevant policy, so that the command no longer fails.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:51:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Milos Malik 2010-11-25 05:47:46 EST 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-295.el5
selinux-policy-targeted-2.4.6-295.el5
selinux-policy-minimum-2.4.6-295.el5
selinux-policy-mls-2.4.6-295.el5
selinux-policy-strict-2.4.6-295.el5
selinux-policy-devel-2.4.6-295.el5

How reproducible:
always

Steps to Reproduce:
(machine is in runlevel 1, root is logged in via console)
# id -Z
system_u:system_r:sysadm_t:s0-s15:c0.c1023
# setenforce 1
# udevinfo
sh: /usr/bin/udevinfo: Permission denied
# setenforce 0
# udevinfo
Usage: udevinfo [-anpqrVh]
  -q TYPE  query database for the specified value:
             'name'    name of device node
             'symlink' pointing to node
             'path'    sysfs device path
             'env'     the device related imported environment
             'all'     all values

  -p PATH  sysfs device path used for query or chain
  -n NAME  node/symlink name used for query

  -r       prepend to query result or print udev_root
  -a       print all SYSFS_attributes along the device chain
  -e       export the content of the udev database
  -V       print udev version
  -h       print this help text

# 

  
Actual results:
type=1400 audit(1290681765.540:16): avc:  denied  { execute_no_trans } for  pid=2466 comm="sh" path="/usr/bin/udevinfo" dev=dm-0 ino=3258295 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file

Expected results:
no AVCs
Comment 1 Milos Malik 2010-11-25 09:11:00 EST 
Seen in permissive mode:

type=1400 audit(1290694105.387:201): avc:  denied  { execute_no_trans } for  pid=8414 comm="sh" path="/usr/bin/udevinfo" dev=dm-0 ino=1717210 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
type=1300 audit(1290694105.387:201): arch=c000003e syscall=59 success=yes exit=0 a0=1a968ec0 a1=1a968f40 a2=1a969db0 a3=8 items=0 ppid=8385 pid=8414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="udevinfo" exe="/usr/bin/udevinfo" subj=system_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
Comment 6 Miroslav Grepl 2010-11-30 04:31:46 EST 
Fixed in selinux-policy-2.4.6-296.el5
Comment 9 Jaromir Hradilek 2011-01-05 11:28:38 EST 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the SELinux MLS policy prevented the udevinfo command from producing the expected results. This update fixes the relevant policy, so that the command no longer fails.
Comment 11 errata-xmlrpc 2011-01-13 16:51:30 EST 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.