Bug 657571 - MLS policy prevents modprobe from calling signull ...
Summary: MLS policy prevents modprobe from calling signull ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-26 14:32 UTC by Milos Malik
Modified: 2013-04-10 07:16 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-2.4.6-296.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-21 09:19:16 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1069 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-07-21 09:18:27 UTC

Description Milos Malik 2010-11-26 14:32:31 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-strict-2.4.6-295.el5
selinux-policy-minimum-2.4.6-295.el5
selinux-policy-devel-2.4.6-295.el5
selinux-policy-targeted-2.4.6-295.el5
selinux-policy-2.4.6-295.el5
selinux-policy-mls-2.4.6-295.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy
in permissive mode
3. reboot into single mode
4. log in via console
5. run dmesg
  
Actual results:
type=1400 audit(1290781239.496:3): avc:  denied  { signull } for  pid=923 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process

Expected results:
no AVCs

Comment 1 Miroslav Grepl 2010-11-29 12:13:15 UTC
So it happens always after reboot into single mode?

Comment 2 Milos Malik 2010-11-29 12:43:56 UTC
Yes. Always.

Comment 3 Daniel Walsh 2010-11-29 15:33:26 UTC
Looks like something that should be allowed.

Comment 4 Miroslav Grepl 2010-11-30 09:32:34 UTC
Fixed in selinux-policy-2.4.6-296.el5

Comment 6 Milos Malik 2010-12-02 11:33:35 UTC
Another very similar AVC showed up:

type=1400 audit(1291287482.776:3): avc:  denied  { signull } for  pid=1033 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pam_console_t:s0-s15:c0.c1023 tclass=process

Comment 7 Daniel Walsh 2010-12-02 14:32:32 UTC
Maybe modprobe is sending signull to all processes?

Comment 11 RHEL Program Management 2010-12-07 10:30:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.

Comment 13 RHEL Program Management 2011-01-11 21:12:57 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 14 RHEL Program Management 2011-01-12 15:08:50 UTC
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.

Comment 18 errata-xmlrpc 2011-07-21 09:19:16 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 19 errata-xmlrpc 2011-07-21 11:49:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html


Note You need to log in before you can comment on or make changes to this bug.