Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-295.el5
selinux-policy-targeted-2.4.6-295.el5
selinux-policy-minimum-2.4.6-295.el5
selinux-policy-mls-2.4.6-295.el5
selinux-policy-strict-2.4.6-295.el5
selinux-policy-devel-2.4.6-295.el5

How reproducible:
always

Steps to Reproduce:
(machine is in runlevel 1, root is logged in via console)
# id -Z
system_u:system_r:sysadm_t:s0-s15:c0.c1023
# setenforce 1
# udevinfo
sh: /usr/bin/udevinfo: Permission denied
# setenforce 0
# udevinfo
Usage: udevinfo [-anpqrVh]
  -q TYPE  query database for the specified value:
             'name'    name of device node
             'symlink' pointing to node
             'path'    sysfs device path
             'env'     the device related imported environment
             'all'     all values
  -p PATH  sysfs device path used for query or chain
  -n NAME  node/symlink name used for query
  -r       prepend to query result or print udev_root
  -a       print all SYSFS_attributes along the device chain
  -e       export the content of the udev database
  -V       print udev version
  -h       print this help text
#

Actual results:
type=1400 audit(1290681765.540:16): avc: denied { execute_no_trans } for pid=2466 comm="sh" path="/usr/bin/udevinfo" dev=dm-0 ino=3258295 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file

Expected results:
no AVCs

Seen in permissive mode:

type=1400 audit(1290694105.387:201): avc: denied { execute_no_trans } for pid=8414 comm="sh" path="/usr/bin/udevinfo" dev=dm-0 ino=1717210 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
type=1300 audit(1290694105.387:201): arch=c000003e syscall=59 success=yes exit=0 a0=1a968ec0 a1=1a968f40 a2=1a969db0 a3=8 items=0 ppid=8385 pid=8414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="udevinfo" exe="/usr/bin/udevinfo" subj=system_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
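
Added example, not part of the original report or of any Red Hat tooling: a small Python parser that pairs each AVC record (type=1400) from the report with the SYSCALL record (type=1300) sharing its audit event id, and uses the syscall result to tell a logged-only denial from an enforced one. The names `fields` and `summarize` are hypothetical, and reading success=yes as "not enforced" is this example's assumption.

```python
import re

# Kernel audit records copied verbatim from the report above
# (enforcing-mode AVC first, then the permissive-mode AVC and its SYSCALL).
RECORDS = [
    'type=1400 audit(1290681765.540:16): avc: denied { execute_no_trans } for pid=2466 comm="sh" path="/usr/bin/udevinfo" dev=dm-0 ino=3258295 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file',
    'type=1400 audit(1290694105.387:201): avc: denied { execute_no_trans } for pid=8414 comm="sh" path="/usr/bin/udevinfo" dev=dm-0 ino=1717210 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file',
    'type=1300 audit(1290694105.387:201): arch=c000003e syscall=59 success=yes exit=0 a0=1a968ec0 a1=1a968f40 a2=1a969db0 a3=8 items=0 ppid=8385 pid=8414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="udevinfo" exe="/usr/bin/udevinfo" subj=system_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)',
]

HEADER = re.compile(r'type=(\d+) audit\(([\d.]+:\d+)\): (.*)')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split key=value pairs, dropping quotes around string values."""
    return {k: v.strip('"') for k, v in KV.findall(text)}

def summarize(lines):
    """Group records by audit event id and describe each AVC denial."""
    events = {}
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        event = events.setdefault(event_id, {})
        avc = AVC.search(body) if rtype == '1400' else None
        if avc:
            event['perms'] = avc.group(1).split()
            event['avc'] = fields(avc.group(2))
        elif rtype == '1300':
            event['syscall'] = fields(body)
    out = []
    for event_id, event in events.items():
        if 'avc' not in event:
            continue
        avc, syscall = event['avc'], event.get('syscall')
        out.append({
            'event': event_id,
            'perms': event['perms'],
            # An SELinux context is user:role:type:level; index 2 is the type.
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            # False: syscall succeeded despite the denial; None: no SYSCALL record.
            'enforced': None if syscall is None else syscall.get('success') != 'yes',
        })
    return out
```

For event 1290694105.387:201 the summary shows `enforced` as False, matching the permissive-mode run; the enforcing-mode AVC has no SYSCALL record in the report, so its `enforced` value is None.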
Fixed in selinux-policy-2.4.6-296.el5

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, the SELinux MLS policy prevented the udevinfo command from producing the expected results. This update fixes the relevant policy, so that the command no longer fails.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html