Bug 657571 - MLS policy prevents modprobe from calling signull ...
MLS policy prevents modprobe from calling signull ...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.6
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-26 09:32 EST by Milos Malik
Modified: 2013-04-10 03:16 EDT (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-296.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:19:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2010-11-26 09:32:31 EST
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-strict-2.4.6-295.el5
selinux-policy-minimum-2.4.6-295.el5
selinux-policy-devel-2.4.6-295.el5
selinux-policy-targeted-2.4.6-295.el5
selinux-policy-2.4.6-295.el5
selinux-policy-mls-2.4.6-295.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy
in permissive mode
3. reboot into single mode
4. log in via console
5. run dmesg
  
Actual results:
type=1400 audit(1290781239.496:3): avc:  denied  { signull } for  pid=923 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process

Expected results:
no AVCs
Comment 1 Miroslav Grepl 2010-11-29 07:13:15 EST
So it happens always after reboot into single mode?
Comment 2 Milos Malik 2010-11-29 07:43:56 EST
Yes. Always.
Comment 3 Daniel Walsh 2010-11-29 10:33:26 EST
Looks like something that should be allowed.
Comment 4 Miroslav Grepl 2010-11-30 04:32:34 EST
Fixed in selinux-policy-2.4.6-296.el5
Comment 6 Milos Malik 2010-12-02 06:33:35 EST
Another very similar AVC showed up:

type=1400 audit(1291287482.776:3): avc:  denied  { signull } for  pid=1033 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pam_console_t:s0-s15:c0.c1023 tclass=process
Comment 7 Daniel Walsh 2010-12-02 09:32:32 EST
Maybe modprobe is sending signull to all processes?
Comment 11 RHEL Product and Program Management 2010-12-07 05:30:42 EST
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.
Comment 13 RHEL Product and Program Management 2011-01-11 16:12:57 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 14 RHEL Product and Program Management 2011-01-12 10:08:50 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 18 errata-xmlrpc 2011-07-21 05:19:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 19 errata-xmlrpc 2011-07-21 07:49:58 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.