Hello,
I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs during boot, related to my swap stored in a LVM volume:
audit(1130670344.636:4): avc: denied { read } for pid=919 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670345.668:5): avc: denied { use } for pid=932 comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
audit(1130670345.952:6): avc: denied { read } for pid=940 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670346.092:7): avc: denied { read } for pid=941 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Attached to this message you will find "dmesg" which stores the dmesg kernel ring which results after booting into runlevel 5.
Any ideas? Thanks!
On Sun, 2005-10-30 at 11:11 +0200, Felipe Alfaro Solana wrote:
Hello,
I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs during boot, related to my swap stored in a LVM volume:
audit(1130670344.636:4): avc: denied { read } for pid=919 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670345.668:5): avc: denied { use } for pid=932 comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
This implies that a process that ran before the initial policy load by /sbin/init (hence a "kernel_t" file descriptor) opened the device (hence a "fixed_disk_device_t" block device file) and failed to ever close it (or mark it close-on-exec), thereby leaking it to all descendants. Already bugzilla'd: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165912
Dan, James - looks like this could just be a bug in lvm? Should be filed against it?
Felipe Alfaro Solana wrote:
Hello,
I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs during boot, related to my swap stored in a LVM volume:
audit(1130670344.636:4): avc: denied { read } for pid=919 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670345.668:5): avc: denied { use } for pid=932 comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
audit(1130670345.952:6): avc: denied { read } for pid=940 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670346.092:7): avc: denied { read } for pid=941 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Attached to this message you will find "dmesg" which stores the dmesg kernel ring which results after booting into runlevel 5.
Any ideas? Thanks!
The fd:use and blk_file read is caused by a kernel bug. Basically the kernel is leaking open file descriptors to subprocesses and SELinux is preventing access to these leaked file descriptors. This is a good thing, since these processes would be able to manipulate these file descriptors. SELinux is great at detecting and preventing this type of problem. This has been reported to bugzilla. Reviewing your dmesg file also reveals that you have blkid.tab labeled incorrectly.
restorecon /etc/blkid.tab*
will fix this.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Mon, 2005-10-31 at 09:47 -0500, Daniel J Walsh wrote:
The fd:use and blk_file read is caused by a kernel bug. Basically the kernel is leaking open file descriptors to subprocesses and SELinux is preventing access to these leaked file descriptors. This is a good thing, since these processes would be able to manipulate these file descriptors. SELinux is great at detecting and preventing this type of problem. This has been reported to bugzilla. Reviewing your dmesg file also reveals that you have blkid.tab labeled incorrectly.
I think it may be a lvm bug rather than a kernel bug, so you may want to re-assign it in bugzilla. Note that anything that runs prior to initial policy load by /sbin/init or anything that runs as a usermode helper from the kernel without a domain transition defined will run with type kernel_t.
On Mon, Oct 31, 2005 at 10:55:34AM -0500, Stephen Smalley wrote:
On Mon, 2005-10-31 at 09:47 -0500, Daniel J Walsh wrote:
The fd:use and blk_file read is caused by a kernel bug
I think it may be a lvm bug rather than a kernel bug, so you may want to re-assign it in bugzilla. Note that anything that runs prior to initial policy load by /sbin/init or anything that runs as a usermode helper from the kernel without a domain transition defined will run with type kernel_t.
Turned out to be a known bug in nash.
nash is a tiny shell used in the initrd and it sometimes appears not to close the swap device before execing /sbin/init.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169427
# lsof ... init 1 root 53r BLK 8,5 935 /dev/sda5
Patches gratefully received:-)
Alasdair
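The mechanism Stephen describes (a descriptor opened before policy load, never closed or marked close-on-exec, inherited by /sbin/init and every descendant) and the lsof check Alasdair used to confirm it can both be reproduced in a few lines of C. The program below is an added example written for this page, not code from nash, lvm or the kernel: it opens a file twice, once the leaky way and once with O_CLOEXEC, execs /bin/sh and asks the shell whether each descriptor is still open, then counts the inheritable descriptors the way lsof would show them. It assumes a Linux/POSIX system with /bin/sh and uses /dev/null as a stand-in for the swap device; the function names are my own.

```c
/* Added example: fd leakage across execve() and how to detect/prevent it.
 * Not part of the original thread, nash, lvm or the kernel. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec /bin/sh, asking the new program image whether `fd` is still
 * open: ':' with stdin redirected from fd N fails (non-zero exit) if N is
 * closed in the exec'd shell.  Returns 1 if the fd was inherited across
 * exec, 0 if the kernel closed it at exec time, -1 on error. */
static int fd_survives_exec(int fd) {
    char script[64];
    snprintf(script, sizeof script, ": <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* silence the shell's "Bad file descriptor" message in the closed case */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, 2); close(devnull); }
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

/* The fix nash needed before execing /sbin/init if it could not simply
 * close() the device: mark the descriptor close-on-exec. */
static int mark_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count descriptors above stderr that are open and NOT close-on-exec:
 * exactly the set that would leak into the next program image.  This is
 * the in-process equivalent of checking `lsof -p <pid>` for stray fds. */
static int count_inheritable_fds(void) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;   /* cap the probe loop */
    int n = 0;
    for (int fd = 3; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC)) n++;
    }
    return n;
}

/* Open `path` the leaky way and the safe way; out[0] reports whether the
 * plain open() survived exec, out[1] whether the O_CLOEXEC one did.
 * Returns 0 on success, -1 on error. */
static int run_demo(const char *path, int out[2]) {
    int leaky = open(path, O_RDONLY);
    int safe  = open(path, O_RDONLY | O_CLOEXEC);
    if (leaky < 0 || safe < 0) return -1;
    out[0] = fd_survives_exec(leaky);
    out[1] = fd_survives_exec(safe);
    close(leaky);
    close(safe);
    return 0;
}

int main(void) {
    int r[2];
    if (run_demo("/dev/null", r) < 0) { perror("open"); return 1; }
    printf("plain open():      %s exec\n", r[0] == 1 ? "survives" : "closed at");
    printf("open(O_CLOEXEC):   %s exec\n", r[1] == 1 ? "survives" : "closed at");
    printf("inheritable fds open in this process: %d\n", count_inheritable_fds());
    return 0;
}
```

The SELinux side follows from the first result: the leaked descriptor keeps the opener's label (here kernel_t, because nash ran before the initial policy load), so every later domain that inherits it and touches it needs an fd:use rule against kernel_t and a blk_file rule against the device type, which is exactly the pair of denials in Felipe's log.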