Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-mls-3.7.19-63.el6.noarch selinux-policy-3.7.19-63.el6.noarch selinux-policy-minimum-3.7.19-63.el6.noarch selinux-policy-targeted-3.7.19-63.el6.noarch selinux-policy-doc-3.7.19-63.el6.noarch How reproducible: always (seen on 1 machine, appeared after each reboot) Steps to Reproduce: 1. install MLS policy on a RHEL-6 machine 2. modify /etc/selinux/config so that the machine will start up with MLS policy in enforcing mode 3. modify /boot/grub/grub.conf so that the machine will start up into single-user mode 4. run 'touch /.autorelabel' 5. run 'reboot' 6. log in as root via console 7. run "dmesg | grep type=" Actual results: type=2000 audit(1294907006.360:1): initialized type=1403 audit(1294907008.605:2): policy loaded auid=4294967295 ses=4294967295 type=1400 audit(1294907009.326:3): avc: denied { read } for pid=396 comm="sh" path="/dev/kmsg" dev=devtmpfs ino=857 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file Expected results: no denials
Any chance you get something on output of # ps -eZ | grep initrc
I think this is something happening on boot. Notting do you know of anything during boot that would read /dev/kmsg?
Not in RHEL 6, no. systemd will in later releases.
Miroslav could this be one of the apps that were not labeled fsadm_t?
(In reply to comment #1) > Any chance you get something on output of > > # ps -eZ | grep initrc The output is empty.
(In reply to comment #4) > Miroslav could this be one of the apps that were not labeled fsadm_t? Trying to find out. But we have dev_write_kmsg(initrc_t) so I think we could add dev_read_kmsg(initrc_t)
This is probably a case where we should figure out which init script or program needs this access and give it to just that script rather then giving it to every init script. But it might be like looking for a needle in a haystack.
If you change "yes" to "no" in the /etc/sysconfig/readahead file, the AVC disappears. READAHEAD="yes" --> AVC READAHEAD="no" --> no AVC So the set of possible culprits is reduced now.
grep kmsg -R /usr/share/dracut ./modules.d/99base/init: mknod -m 0660 /dev/kmsg c 1 11 ./modules.d/99base/dracut-lib.sh: } > /dev/kmsg ./modules.d/99base/dracut-lib.sh: echo "<4>dracut Warning: $@" > /dev/kmsg ./modules.d/99base/dracut-lib.sh: echo "<6>dracut: $@" > /dev/kmsg ./modules.d/99base/loginit:[ -e /dev/kmsg ] && exec 5>/dev/kmsg || exec 5>/dev/null grep kmsg -R /lib/readahead /lib/readahead/readahead-collect.sh:echo "<6>readahead-collector: starting" > /dev/kmsg /lib/readahead/readahead-replay.sh:echo "<6>readahead: starting" > /dev/kmsg /lib/readahead/readahead-sort.sh:echo "<6>readahead-collector: sorting" > /dev/kmsg /lib/readahead/readahead-sort.sh:echo "<6>readahead-collector: finished" > /dev/kmsg Lots of writes...
Miroslav lets add a dontaudit rule, since I don't think it really needs to read it, and we do not want random initrc_t apps from reading this data.
Fixed in selinux-policy-3.7.19-67.el6
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html