Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-3.7.19-72.el6.noarch selinux-policy-targeted-3.7.19-72.el6.noarch selinux-policy-mls-3.7.19-72.el6.noarch How reproducible: always Steps to Reproduce: * get a RHEL-6 machine with active MLS policy * log in as root via console * run lsblk Actual results: ---- time->Fri Feb 25 09:31:54 2011 type=SYSCALL msg=audit(1298644314.517:60): arch=40000003 syscall=5 success=yes exit=9 a0=98a5c18 a1=8000 a2=0 a3=98a5c78 items=0 ppid=1660 pid=1687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="lsblk" exe="/bin/lsblk" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1298644314.517:60): avc: denied { open } for pid=1687 comm="lsblk" name="dm-0" dev=devtmpfs ino=6035 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file type=AVC msg=audit(1298644314.517:60): avc: denied { read } for pid=1687 comm="lsblk" name="dm-0" dev=devtmpfs ino=6035 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file ---- time->Fri Feb 25 09:31:54 2011 type=SYSCALL msg=audit(1298644314.518:61): arch=40000003 syscall=54 success=yes exit=0 a0=9 a1=125e a2=bff99454 a3=98a5c78 items=0 ppid=1660 pid=1687 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="lsblk" exe="/bin/lsblk" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1298644314.518:61): avc: denied { ioctl } for pid=1687 comm="lsblk" path="/dev/dm-0" dev=devtmpfs ino=6035 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file ---- Expected results: no AVCs
Are you in permissive mode?
Miroslav we might want to label this as fsadm_exec_t
Or maybe better to just dontaudit the read since it seems to work fine. dontaudit sysadm_t fixed_disk_device_t:blk_file read; Not sure why it is opening the device. lsblk works from staff_t and we would loose this if we change the label. I don't think this command gives away any important data.
Add storage_dontaudit_read_fixed_disk($1_t) to userdom_admin_user_template
(In reply to comment #1) > Are you in permissive mode? Yes. permissive mode: 3 different AVCs enforcing mode: 1 "read" AVC multiple times
Fixed in selinux-policy-3.7.19-74.el6
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html