Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 667370

Summary: enforcing MLS -- security_validate_transition: denied for oldcontext=... newcontext=...
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 6.1CC: dwalsh, ksrot
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-64.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:57:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2011-01-05 13:08:05 UTC 
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-62.el6.noarch
selinux-policy-doc-3.7.19-62.el6.noarch
selinux-policy-minimum-3.7.19-62.el6.noarch
selinux-policy-3.7.19-62.el6.noarch
selinux-policy-targeted-3.7.19-62.el6.noarch

How reproducible:
always (seen on 2 different machines, appeared after each reboot)

Steps to Reproduce:
1. install MLS policy on a RHEL-6 machine
2. modify /etc/selinux/config so that the machine will start up with MLS policy in enforcing mode
3. modify /boot/grub/grub.conf so that the machine will start up into single-user mode
4. run 'touch /.autorelabel'
5. run 'reboot'
6. log in as root via console
7. run "dmesg | grep type="

Actual results:
type=2000 audit(1294209652.908:1): initialized
type=1404 audit(1294209663.636:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1403 audit(1294209663.973:3): policy loaded auid=4294967295 ses=4294967295
type=1401 audit(1294209664.117:4): security_validate_transition:  denied for oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
type=1400 audit(1294227665.323:5): avc:  denied  { connectto } for  pid=733 comm="initctl" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_stream_socket
  
Expected results:
no denials
Comment 2 Miroslav Grepl 2011-01-05 14:24:42 UTC 
It can be allowed by

mls_file_downgrade(kernel_t)
Comment 4 Daniel Walsh 2011-01-05 20:29:07 UTC 
Is this after the relabel to MLS?
Comment 5 Milos Malik 2011-01-06 09:04:54 UTC 
These denials are not visible immediately after relabel to MLS, because I always add "enforcing=0" to /boot/grub/grub.conf before I run "touch /.autorelabel ; reboot".
In this moment the machine has booted up to single-user mode with MLS policy and /boot/grub/grub.conf still contains "enforcing=0".
As soon as I remove "enforcing=0" from /boot/grub/grub.conf and run reboot, these denials become visible.
Comment 6 Miroslav Grepl 2011-01-06 09:42:44 UTC 
The same for me. The error is repeated during each reboot.
Comment 7 Daniel Walsh 2011-01-06 16:54:07 UTC 
Ok if they are after the relabel then add the policy.
Comment 8 Miroslav Grepl 2011-01-10 18:33:19 UTC 
Fixed in selinux-policy-3.7.19-63.el6
Comment 10 Milos Malik 2011-01-13 13:56:13 UTC 
With -63.el6 policy I'm still seeing the second denial:

type=1400 audit(1294926491.024:4): avc:  denied  { connectto } for  pid=553 comm="initctl" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_stream_socket
Comment 11 Miroslav Grepl 2011-01-14 15:16:17 UTC 
Fixed in selinux-policy-3.7.19-64.el6
Comment 14 errata-xmlrpc 2011-05-19 11:57:18 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html