Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-mls-3.7.19-62.el6.noarch selinux-policy-doc-3.7.19-62.el6.noarch selinux-policy-minimum-3.7.19-62.el6.noarch selinux-policy-3.7.19-62.el6.noarch selinux-policy-targeted-3.7.19-62.el6.noarch How reproducible: always (seen on 2 different machines, appeared after each reboot) Steps to Reproduce: 1. install MLS policy on a RHEL-6 machine 2. modify /etc/selinux/config so that the machine will start up with MLS policy in enforcing mode 3. modify /boot/grub/grub.conf so that the machine will start up into single-user mode 4. run 'touch /.autorelabel' 5. run 'reboot' 6. log in as root via console 7. run "dmesg | grep type=" Actual results: type=2000 audit(1294209652.908:1): initialized type=1404 audit(1294209663.636:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 type=1403 audit(1294209663.973:3): policy loaded auid=4294967295 ses=4294967295 type=1401 audit(1294209664.117:4): security_validate_transition: denied for oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir type=1400 audit(1294227665.323:5): avc: denied { connectto } for pid=733 comm="initctl" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_stream_socket Expected results: no denials
It can be allowed by mls_file_downgrade(kernel_t)
Is this after the relabel to MLS?
These denials are not visible immediately after relabel to MLS, because I always add "enforcing=0" to /boot/grub/grub.conf before I run "touch /.autorelabel ; reboot". In this moment the machine has booted up to single-user mode with MLS policy and /boot/grub/grub.conf still contains "enforcing=0". As soon as I remove "enforcing=0" from /boot/grub/grub.conf and run reboot, these denials become visible.
The same for me. The error is repeated during each reboot.
Ok if they are after the relabel then add the policy.
Fixed in selinux-policy-3.7.19-63.el6
With -63.el6 policy I'm still seeing the second denial: type=1400 audit(1294926491.024:4): avc: denied { connectto } for pid=553 comm="initctl" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_stream_socket
Fixed in selinux-policy-3.7.19-64.el6
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html