657571 – MLS policy prevents modprobe from calling signull ...

Bug 657571 - MLS policy prevents modprobe from calling signull ...

Summary: MLS policy prevents modprobe from calling signull ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-11-26 14:32 UTC by Milos Malik
Modified:	2013-04-10 07:16 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-2.4.6-296.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-07-21 09:19:16 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1069	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-07-21 09:18:27 UTC

Description Milos Malik 2010-11-26 14:32:31 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-strict-2.4.6-295.el5
selinux-policy-minimum-2.4.6-295.el5
selinux-policy-devel-2.4.6-295.el5
selinux-policy-targeted-2.4.6-295.el5
selinux-policy-2.4.6-295.el5
selinux-policy-mls-2.4.6-295.el5

How reproducible:
always

Steps to Reproduce:
1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel
2. modify /etc/selinux/config so that the machine will start up with MLS policy
in permissive mode
3. reboot into single mode
4. log in via console
5. run dmesg
  
Actual results:
type=1400 audit(1290781239.496:3): avc:  denied  { signull } for  pid=923 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=process

Expected results:
no AVCs

Comment 1 Miroslav Grepl 2010-11-29 12:13:15 UTC

So it happens always after reboot into single mode?

Comment 2 Milos Malik 2010-11-29 12:43:56 UTC

Yes. Always.

Comment 3 Daniel Walsh 2010-11-29 15:33:26 UTC

Looks like something that should be allowed.

Comment 4 Miroslav Grepl 2010-11-30 09:32:34 UTC

Fixed in selinux-policy-2.4.6-296.el5

Comment 6 Milos Malik 2010-12-02 11:33:35 UTC

Another very similar AVC showed up:

type=1400 audit(1291287482.776:3): avc:  denied  { signull } for  pid=1033 comm="modprobe" scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pam_console_t:s0-s15:c0.c1023 tclass=process

Comment 7 Daniel Walsh 2010-12-02 14:32:32 UTC

Maybe modprobe is sending signull to all processes?

Comment 11 RHEL Program Management 2010-12-07 10:30:42 UTC

This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.

Comment 13 RHEL Program Management 2011-01-11 21:12:57 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 14 RHEL Program Management 2011-01-12 15:08:50 UTC

This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.

Comment 18 errata-xmlrpc 2011-07-21 09:19:16 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 19 errata-xmlrpc 2011-07-21 11:49:58 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.