From: Stephen Smalley <sds@xxxxxxxxxxxxx>
To: Jason Dravet <dravet@xxxxxxxxxxx>
CC: James Morris <jmorris@xxxxxxxxx>, fedora-selinux-list@xxxxxxxxxx
Subject: Re: alot of selinux messages after todays rawhide update
Date: Fri, 21 Oct 2005 07:56:34 -0400
On Thu, 2005-10-20 at 16:19 -0500, Jason Dravet wrote:
> After updating my system to todays rawhide I see alot selinux related
> messages. I am running selinux-policy-targeted-1.27.1-21. I see these
> messages during boot and shutdown. I did a touch /autorelabel and
reboot to
> see if things got better but they remained the same. The first and
third
> messages (hwclock and fsck) have me concerned the most. Here are the
> messages:
>
> Oct 20 15:52:47 pcjason kernel: audit(1129823524.869:2): avc: denied {
use
> } for pid=417 comm="hwclock" name="VolGroup00-LogVol01" dev=tmpfs
ino=760
> scontext=system_u:system_r:hwclock_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>
> Oct 20 15:52:50 pcjason kernel: audit(1129841541.911:3): avc: denied {
> read } for pid=1164 comm="restorecon" name="VolGroup00-LogVol01"
dev=tmpfs
> ino=760 scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
This means that the kernel (or early userspace prior to initial policy
load) is leaking a descriptor to that device to all descendants.
SELinux is then correctly denying access to the descriptor and device
and closing it on each domain transition. Someone needs to track down
the offending entity that is leaking the descriptor and fix it. In the
absence of SELinux, this kind of bug would likely never be noticed
(unless some program tried using the inherited descriptor for some
reason).
--
Stephen Smalley
National Security Agency
