RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 667370 - enforcing MLS -- security_validate_transition: denied for oldcontext=... newcontext=...
Summary: enforcing MLS -- security_validate_transition: denied for oldcontext=... newc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-05 13:08 UTC by Milos Malik
Modified: 2013-06-12 08:49 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-64.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 11:57:18 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Milos Malik 2011-01-05 13:08:05 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-62.el6.noarch
selinux-policy-doc-3.7.19-62.el6.noarch
selinux-policy-minimum-3.7.19-62.el6.noarch
selinux-policy-3.7.19-62.el6.noarch
selinux-policy-targeted-3.7.19-62.el6.noarch

How reproducible:
always (seen on 2 different machines, appeared after each reboot)

Steps to Reproduce:
1. install MLS policy on a RHEL-6 machine
2. modify /etc/selinux/config so that the machine will start up with MLS policy in enforcing mode
3. modify /boot/grub/grub.conf so that the machine will start up into single-user mode
4. run 'touch /.autorelabel'
5. run 'reboot'
6. log in as root via console
7. run "dmesg | grep type="

Actual results:
type=2000 audit(1294209652.908:1): initialized
type=1404 audit(1294209663.636:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1403 audit(1294209663.973:3): policy loaded auid=4294967295 ses=4294967295
type=1401 audit(1294209664.117:4): security_validate_transition:  denied for oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 newcontext=system_u:object_r:device_t:s0 taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
type=1400 audit(1294227665.323:5): avc:  denied  { connectto } for  pid=733 comm="initctl" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_stream_socket
  
Expected results:
no denials

Comment 2 Miroslav Grepl 2011-01-05 14:24:42 UTC
It can be allowed by

mls_file_downgrade(kernel_t)

Comment 4 Daniel Walsh 2011-01-05 20:29:07 UTC
Is this after the relabel to MLS?

Comment 5 Milos Malik 2011-01-06 09:04:54 UTC
These denials are not visible immediately after relabel to MLS, because I always add "enforcing=0" to /boot/grub/grub.conf before I run "touch /.autorelabel ; reboot".
In this moment the machine has booted up to single-user mode with MLS policy and /boot/grub/grub.conf still contains "enforcing=0".
As soon as I remove "enforcing=0" from /boot/grub/grub.conf and run reboot, these denials become visible.

Comment 6 Miroslav Grepl 2011-01-06 09:42:44 UTC
The same for me. The error is repeated during each reboot.

Comment 7 Daniel Walsh 2011-01-06 16:54:07 UTC
Ok if they are after the relabel then add the policy.

Comment 8 Miroslav Grepl 2011-01-10 18:33:19 UTC
Fixed in selinux-policy-3.7.19-63.el6

Comment 10 Milos Malik 2011-01-13 13:56:13 UTC
With -63.el6 policy I'm still seeing the second denial:

type=1400 audit(1294926491.024:4): avc:  denied  { connectto } for  pid=553 comm="initctl" path=002F636F6D2F7562756E74752F75707374617274 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_stream_socket

Comment 11 Miroslav Grepl 2011-01-14 15:16:17 UTC
Fixed in selinux-policy-3.7.19-64.el6

Comment 14 errata-xmlrpc 2011-05-19 11:57:18 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html


Note You need to log in before you can comment on or make changes to this bug.