Description of problem:

Version-Release number of selected component (if applicable):
pm-utils-0.99.3-10.el5
selinux-policy-2.4.6-297.el5
selinux-policy-devel-2.4.6-297.el5
selinux-policy-minimum-2.4.6-297.el5
selinux-policy-mls-2.4.6-297.el5
selinux-policy-strict-2.4.6-297.el5
selinux-policy-targeted-2.4.6-297.el5

How reproducible:
always

Steps to Reproduce:
1. log in as root via console (it's not reproducible when logged in via SSH)
2. run following test /CoreOS/selinux-policy/Regression/bz515491-vbetool-permission-denied

Actual results:
----
time->Thu Dec 2 10:43:21 2010
type=SYSCALL msg=audit(1291304601.421:914): arch=c000003e syscall=59 success=yes exit=0 a0=a491400 a1=a3ed1d0 a2=a3ec2a0 a3=8 items=0 ppid=9651 pid=10140 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="vbetool" exe="/usr/sbin/vbetool" subj=root:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291304601.421:914): avc: denied { read write } for pid=10140 comm="vbetool" name="console" dev=tmpfs ino=919 scontext=root:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----

Expected results:
no AVCs
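The two audit records in the report above share one event id, so they can be joined to show which executable triggered the denial and what it touched. The following is an added example, not part of the original bug report; the function names are hypothetical and the sample input is the report's own records with some SYSCALL fields omitted for brevity.

```python
import re
from collections import defaultdict

# Records taken from the report above (SYSCALL line shortened).
SAMPLE = '''type=SYSCALL msg=audit(1291304601.421:914): arch=c000003e syscall=59 success=yes exit=0 ppid=9651 pid=10140 auid=0 uid=0 tty=(none) ses=1 comm="vbetool" exe="/usr/sbin/vbetool" subj=root:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291304601.421:914): avc: denied { read write } for pid=10140 comm="vbetool" name="console" dev=tmpfs ino=919 scontext=root:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # separators such as "----" and "time->" lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            if not p:
                continue  # malformed AVC record, skip it
            fields['result'] = p.group(1)
            fields['perms'] = p.group(2).split()
        events[ts + ':' + serial][rtype] = fields
    return events

def summarize_denials(events):
    """One row per denied AVC, enriched from the SYSCALL record if present."""
    rows = []
    for event_id, recs in sorted(events.items()):
        avc = recs.get('AVC')
        if not avc or avc['result'] != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        rows.append({
            'event': event_id,
            'exe': sc.get('exe', avc.get('comm')),
            # SELinux context is user:role:type:level, so the type is field 2
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'object': avc.get('name'),
        })
    return rows

if __name__ == '__main__':
    for row in summarize_denials(parse_events(SAMPLE)):
        print(row)
```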
Is this happening on an s390?
The AVC was seen yesterday on an x86_64 machine. I will check other architectures too.
Also seen on an i386 machine.
BTW I believe for most machines vbetool should not even be necessary.
Fixed in selinux-policy-2.4.6-298.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, running the vbetool utility could cause AVC messages to be written to the audit log. With this update, the SELinux policy has been updated to address this issue, and such messages no longer appear.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html