Bug 681151 - MLS: udevadm works but AVCs appear
Summary: MLS: udevadm works but AVCs appear
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-01 10:03 UTC by Milos Malik
Modified: 2012-10-15 14:26 UTC (History)

Fixed In Version: selinux-policy-3.7.19-76.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:12:33 UTC
Target Upstream Version:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Milos Malik 2011-03-01 10:03:26 UTC
Description of problem:


Version-Release number of selected component (if applicable):
libgudev1-147-2.34.el6.x86_64
libudev-147-2.34.el6.x86_64
python-gudev-147.1-4.el6_0.1.x86_64
selinux-policy-3.7.19-73.el6.noarch
selinux-policy-mls-3.7.19-73.el6.noarch
selinux-policy-targeted-3.7.19-73.el6.noarch
udev-147-2.34.el6.x86_64

How reproducible:
always

Steps to Reproduce:
* get a RHEL-6 machine with active MLS policy
* log in as root via console
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# udevadm trigger
# udevadm info --export-db >& /dev/null
# udevadm settle
# udevadm control --reload-rules
# udevadm control --stop-exec-queue
# udevadm control --start-exec-queue

Actual results:
----
time->Tue Mar  1 09:45:40 2011
type=SYSCALL msg=audit(1298990740.726:6843): arch=c000003e syscall=2 success=yes exit=4 a0=401fcb a1=2 a2=0 a3=40 items=0 ppid=2177 pid=2271 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console_init" exe="/lib/udev/console_init" subj=system_u:system_r:udev_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1298990740.726:6843): avc:  denied  { write } for  pid=2271 comm="console_init" name="i18n" dev=dm-0 ino=407408 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Tue Mar  1 09:46:51 2011
type=SYSCALL msg=audit(1298990811.972:6845): arch=c000003e syscall=62 success=yes exit=0 a0=9df a1=a a2=7f8ae3d92238 a3=0 items=0 ppid=1 pid=498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1298990811.972:6845): avc:  denied  { signal } for  pid=498 comm="udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=process
----
time->Tue Mar  1 09:46:51 2011
type=SYSCALL msg=audit(1298990811.970:6844): arch=c000003e syscall=44 success=yes exit=280 a0=3 a1=7fffffec88f0 a2=118 a3=0 items=0 ppid=2127 pid=2527 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="udevadm" exe="/sbin/udevadm" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1298990811.970:6844): avc:  denied  { sendto } for  pid=2527 comm="udevadm" path=002F6F72672F6B65726E656C2F756465762F7564657664 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
----

Expected results:
no AVCs

Comment 2 Miroslav Grepl 2011-03-01 13:31:30 UTC
> type=AVC msg=audit(1298990740.726:6843): avc:  denied  { write } for  pid=2271
> comm="console_init" name="i18n" dev=dm-0 ino=407408
> scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file

We have in F14/F15

# console_init manages files in /etc/sysconfig
files_manage_etc_files(udev_t)

Comment 3 Miroslav Grepl 2011-03-01 13:48:47 UTC
Other issues are caused by udevadm (which is now labeled as udev_exec_t) running as sysadm_t. I am thinking about adding

udev_run(sysadm_r, sysadm_t)

I am trying to test it and it looks good. 


Milos, could you also test it?

Comment 4 Miroslav Grepl 2011-03-01 13:50:15 UTC
I mean using a local policy which contains


domtrans_pattern(sysadm_t, udev_exec_t, udev_t)
role sysadm_r types udev_t;

Comment 5 Milos Malik 2011-03-01 14:19:30 UTC
No AVCs appear when following local policy is loaded:

policy_module(testpolicy,1.0)

require {
    type sysadm_t;
    type udev_t;
    type udev_exec_t;
}

# console_init (udev_t) writes /etc/sysconfig/i18n
files_manage_etc_files(udev_t)
# udevadm (udev_exec_t) started from sysadm_t transitions into udev_t
domtrans_pattern(sysadm_t, udev_exec_t, udev_t)
# sysadm_r must be allowed to hold the udev_t domain for the transition to succeed
role sysadm_r types udev_t;

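To see how the three denials in the report map onto the two fixes (a file-access rule for console_init, and a domain transition for udevadm), here is an added AVC triage script. It is example code written for this page, not part of the bug report or of selinux-policy; the sample records are copied from the "Actual results" above, and the function names (parse_avc, allow_rule, involves_user_domain, summarize) are the example's own. It decodes the hex-encoded path of the third record (auditd hex-encodes strings containing non-printable bytes, and the leading NUL marks an abstract unix socket) and flags denials that cross between an interactive user domain and a daemon domain, which is the case the report resolves with domtrans_pattern rather than a plain allow.

```python
import re

# Constructed input: the three AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1298990740.726:6843): avc:  denied  { write } for  pid=2271 comm="console_init" name="i18n" dev=dm-0 ino=407408 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1298990811.972:6845): avc:  denied  { signal } for  pid=498 comm="udevd" scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1298990811.970:6844): avc:  denied  { sendto } for  pid=2527 comm="udevadm" path=002F6F72672F6B65726E656C2F756465762F7564657664 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself contains ':' (s0-s15:c0.c1023)."""
    user, role, typ, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": rest[0] if rest else None}


def decode_audit_string(value):
    """Undo auditd's hex encoding; a leading NUL byte denotes an abstract socket ('@' prefix)."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        raw = bytes.fromhex(value)
        if raw[:1] == b"\x00":
            return "@" + raw[1:].decode("utf-8", "replace")
        return raw.decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {
        "perms": m.group("perms").split(),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }
    for key in ("path", "name"):
        if key in fields:
            rec[key] = decode_audit_string(fields[key])
    return rec


def allow_rule(rec):
    """The literal allow rule that would silence this denial (what audit2allow prints)."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {rec["source"]["type"]} {rec["target"]["type"]}:{rec["tclass"]} {p};'


def involves_user_domain(rec):
    """True when one side is an interactive user domain (role other than system_r/object_r).

    In this report both such denials stem from udevadm running in sysadm_t; the right fix is a
    domain transition into udev_t, not an allow rule between sysadm_t and udev_t.
    """
    roles = {rec["source"]["role"], rec["target"]["role"]}
    return bool(roles - {"system_r", "object_r"})


def summarize(text):
    """Parse every AVC line; return (records, sorted unique allow rules, flagged records)."""
    recs = [r for r in (parse_avc(l) for l in text.splitlines()) if r]
    rules = sorted({allow_rule(r) for r in recs})
    flagged = [r for r in recs if involves_user_domain(r)]
    return recs, rules, flagged


if __name__ == "__main__":
    recs, rules, flagged = summarize(SAMPLE_AVCS)
    for r in recs:
        tag = "  [user<->daemon: consider domtrans]" if involves_user_domain(r) else ""
        print(f'{r["comm"]:13s} {allow_rule(r)}{tag}')
        if "path" in r:
            print(f'{"":13s} path={r["path"]}')
```

Running it against the report's records prints the file-write rule for console_init without a flag, and the two udevd/udevadm rules flagged, which matches the split between files_manage_etc_files(udev_t) and domtrans_pattern(sysadm_t, udev_exec_t, udev_t) in the local policy above.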
Comment 6 Miroslav Grepl 2011-03-02 08:34:55 UTC
Great.

Comment 7 Miroslav Grepl 2011-03-08 16:50:08 UTC
Fixed in selinux-policy-3.7.19-76.el6

Comment 11 errata-xmlrpc 2011-05-19 12:12:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html