SELinux AVCs with swap stored in LVM volume
Daniel J Walsh
dwalsh at redhat.com
Mon Oct 31 14:47:14 UTC 2005
Felipe Alfaro Solana wrote:
> Hello,
>
> I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs
> during boot, related to my swap stored in a LVM volume:
>
> audit(1130670344.636:4): avc: denied { read } for pid=919
> comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> audit(1130670345.668:5): avc: denied { use } for pid=932
> comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>
> audit(1130670345.952:6): avc: denied { read } for pid=940
> comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> audit(1130670346.092:7): avc: denied { read } for pid=941
> comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> Attached to this message you will find "dmesg" which stores the dmesg
> kernel ring which results after booting into runlevel 5.
>
> Any ideas?
> Thanks!
>
The fd:use and blk_file read is caused by a kernel bug. Basically the
kernel is leaking open file descriptors to subprocesses and SELinux is
preventing access to these leaked file descriptors. This is a good
thing, since these processes would otherwise be able to manipulate
these file descriptors. SELinux is great at detecting and preventing
this type of problem. This has been reported to Bugzilla. Reviewing
your dmesg file also reveals that you have blkid.tab labeled incorrectly.
restorecon /etc/blkid.tab*
will fix this.
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
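A small triage script, added here as an example and not part of the thread, that parses the AVC lines quoted above, groups them by source type, target type, class and permission, and singles out the fd:use denials whose target is a process domain, which is the leaked-descriptor pattern Dan describes. The input is the four denials from the original mail, re-joined onto one line each.

```python
import re
from collections import Counter

# Constructed sample input: the four denials quoted in the thread, one per line.
SAMPLE_AVCS = """\
audit(1130670344.636:4): avc: denied { read } for pid=919 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670345.668:5): avc: denied { use } for pid=932 comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
audit(1130670345.952:6): avc: denied { read } for pid=940 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670346.092:7): avc: denied { read } for pid=941 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's key=value fields, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': set(m.group('perms').split())}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec

def sel_type(context):
    """user:role:type[:level] -> type"""
    return context.split(':')[2]

def triage(text):
    """Group denials by (source type, target type, class, perms) and list fd leaks."""
    buckets = Counter()
    leaks = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (sel_type(rec['scontext']), sel_type(rec['tcontext']),
               rec['tclass'], ','.join(sorted(rec['perms'])))
        buckets[key] += 1
        # fd:use denied against a process context (here kernel_t) means the
        # descriptor was inherited from that domain, not opened by comm: a leak.
        if rec['tclass'] == 'fd' and 'use' in rec['perms']:
            leaks.append((rec['comm'], sel_type(rec['tcontext']), rec.get('name')))
    return buckets, leaks

if __name__ == '__main__':
    buckets, leaks = triage(SAMPLE_AVCS)
    for (s, t, cls, perms), n in buckets.items():
        print(f"{n:3d} x {s} -> {t} {cls} {{ {perms} }}")
    for comm, domain, name in leaks:
        print(f"leaked fd: {comm} inherited '{name}' from {domain}")
```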