Description of problem: Version-Release number of selected component (if applicable): selinux-policy-mls-2.4.6-298.el5 selinux-policy-devel-2.4.6-298.el5 selinux-policy-targeted-2.4.6-298.el5 selinux-policy-2.4.6-298.el5 selinux-policy-strict-2.4.6-298.el5 selinux-policy-minimum-2.4.6-298.el5 How reproducible: always Steps to Reproduce: 1. install MLS policy on a RHEL-5.6 machine, force filesystem auto-relabel 2. modify /etc/selinux/config so that the machine will start up with MLS policy in permissive mode 3. reboot into single mode 4. log in via console 5. run dmesg | grep "type=" Actual results: type=1400 audit(1291801571.871:4): avc: denied { unix_read } for pid=753 comm="modprobe" key=1946157237 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:insmod_t:s15:c0.c1023 tclass=shm type=1400 audit(1291801571.876:5): avc: denied { unix_read } for pid=753 comm="modprobe" key=1946157237 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:insmod_t:s15:c0.c1023 tclass=shm Expected results: no AVCs
Fixed in selinux-policy-2.4.6-300.el5.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Prior to this update, the SELinux MLS policy prevented modprobe from reading an SHM (shared memory) object. This update corrects the SELinux policy, and modprobe now works as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html