Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-295.el5
selinux-policy-targeted-2.4.6-295.el5
selinux-policy-minimum-2.4.6-295.el5
selinux-policy-mls-2.4.6-295.el5
selinux-policy-strict-2.4.6-295.el5
selinux-policy-devel-2.4.6-295.el5

How reproducible:
always

Steps to Reproduce:
(machine is in runlevel 1, root is logged in via console)
# id -Z
system_u:system_r:sysadm_t:s0-s15:c0.c1023
# setenforce 0
# udevcontrol reload_rules
# echo $?
0
# setenforce 1
# udevcontrol reload_rules
# echo $?
1
#

Actual results:
type=1400 audit(1290682404.975:14): avc: denied { sendto } for pid=3280 comm="udevcontrol" path=002F6F72672F6B65726E656C2F756465762F7564657664 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=unix_dgram_socket

Expected results:
no AVCs
Seen in permissive mode:

type=1400 audit(1290694297.572:202): avc: denied { sendto } for pid=8422 comm="udevcontrol" path=002F6F72672F6B65726E656C2F756465762F7564657664 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
type=1300 audit(1290694297.572:202): arch=c000003e syscall=44 success=yes exit=2596 a0=3 a1=2adc6a62c380 a2=a24 a3=0 items=0 ppid=8385 pid=8422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="udevcontrol" exe="/sbin/udevcontrol" subj=system_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)
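Added example (not part of the original report or of any Red Hat tooling): a small Python parser for the numeric-type audit records quoted above, which pairs the AVC record with its SYSCALL record by serial number and decodes the hex-encoded path field. The function names and the '@' prefix used for an abstract socket are choices of this example.

```python
import re

# Records copied from the report above (permissive-mode event, serial 202).
SAMPLE = '''type=1400 audit(1290694297.572:202): avc: denied { sendto } for pid=8422 comm="udevcontrol" path=002F6F72672F6B65726E656C2F756465762F7564657664 scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
type=1300 audit(1290694297.572:202): arch=c000003e syscall=44 success=yes exit=2596 a0=3 a1=2adc6a62c380 a2=a24 a3=0 items=0 ppid=8385 pid=8422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="udevcontrol" exe="/sbin/udevcontrol" subj=system_u:system_r:sysadm_t:s0-s15:c0.c1023 key=(null)'''

HEADER = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    """Quoted values are literal; unquoted hex is how audit encodes unsafe bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # unquoted but not hex: keep as written
    text = raw.decode('utf-8', 'replace')
    # A leading NUL byte marks an abstract-namespace unix socket; '@' is the
    # notation chosen here for it (an assumption of this example).
    return '@' + text[1:] if raw[:1] == b'\x00' else text


def parse_events(text):
    """Group records by audit serial number and summarise each AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _stamp, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events.setdefault(int(serial), {})
        denied = PERMS.search(body)
        if rtype == '1400' and denied:          # AUDIT_AVC
            ev['perms'] = denied.group(1).split()
            ev['source_type'] = fields['scontext'].split(':')[2]
            ev['target_type'] = fields['tcontext'].split(':')[2]
            ev['tclass'] = fields['tclass']
            ev['path'] = decode_path(fields.get('path', ''))
        elif rtype == '1300':                   # AUDIT_SYSCALL
            ev['exe'] = fields.get('exe', '').strip('"')
            ev['syscall_succeeded'] = fields.get('success') == 'yes'
    return events


if __name__ == '__main__':
    for serial, ev in parse_events(SAMPLE).items():
        print(serial, ev)
```

On the records above it shows that the denied sendto was aimed at an abstract socket named /org/kernel/udev/udevd, and that the syscall still succeeded because the system was in permissive mode.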
Fixed in selinux-policy-2.4.6-296.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Due to the SELinux MLS policy, the udevcontrol command failed to run, and a denial message was written to the audit log. With this update, this issue has been resolved, and SELinux no longer prevents udevcontrol from running.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html