SELinux AVCs with swap stored in LVM volume

Daniel J Walsh dwalsh at redhat.com
Mon Oct 31 14:47:14 UTC 2005


Felipe Alfaro Solana wrote:
> Hello,
>
> I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs
> during boot, related to my swap stored in a LVM volume:
>
> audit(1130670344.636:4): avc:  denied  { read } for  pid=919
> comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> audit(1130670345.668:5): avc:  denied  { use } for  pid=932
> comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:fsadm_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>
> audit(1130670345.952:6): avc:  denied  { read } for  pid=940
> comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> audit(1130670346.092:7): avc:  denied  { read } for  pid=941
> comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
> scontext=system_u:system_r:restorecon_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> Attached to this message you will find "dmesg" which stores the dmesg
> kernel ring which results after booting into runlevel 5.
>
> Any ideas?
> Thanks!
>   
The fd:use and blk_file read are caused by a kernel bug.  Basically the 
kernel is leaking open file descriptors to subprocesses and SELinux is 
preventing access to these leaked file descriptors.  This is a good 
thing, since these processes would be able to manipulate these file 
descriptors.  SELinux is great at detecting and preventing this type of 
problem.  This has been reported to bugzilla.  Reviewing your dmesg file 
also reveals that you have blkid.tab labeled incorrectly.

restorecon /etc/blkid.tab*

will fix this.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


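The triage step behind the reply above, as an added example that is not part of the thread or of any Red Hat tool: a small parser for the dmesg-style AVC records quoted in the message. It re-joins records that the mail client wrapped, groups denials by source type, target type, object class and permission, and separates out the fd:use denials. For the fd class the target context is the context of the process that created the descriptor, so the tcontext of such a denial (here kernel_t) identifies the domain the descriptor leaked from. The sample records are the four AVCs quoted in the thread, embedded as constructed input; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the four AVC records quoted in the thread, wrapped
# across lines the way they appear in the e-mail body.
SAMPLE_AVCS = """\
audit(1130670344.636:4): avc:  denied  { read } for  pid=919
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

audit(1130670345.668:5): avc:  denied  { use } for  pid=932
comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=fd

audit(1130670345.952:6): avc:  denied  { read } for  pid=940
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

audit(1130670346.092:7): avc:  denied  { read } for  pid=941
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# Header of a legacy (pre-auditd) dmesg-style AVC record.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be quoted (comm="fsck") or bare (dev=tmpfs).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text):
    """Re-join AVC records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit("):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Parse one unwrapped AVC record into a dict, or None if it is not an AVC."""
    m = AVC_RE.match(record)
    if m is None:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    avc["ts"] = float(m.group("ts"))
    avc["serial"] = int(m.group("serial"))
    avc["verdict"] = m.group("verdict")
    avc["perms"] = tuple(m.group("perms").split())
    return avc


def domain(context):
    """Type field of a context string user:role:type[:range]."""
    return context.split(":")[2]


def summarize(text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for record in unwrap(text):
        avc = parse_avc(record)
        if avc and avc["verdict"] == "denied":
            key = (domain(avc["scontext"]), domain(avc["tcontext"]),
                   avc["tclass"], avc["perms"])
            counts[key] += 1
    return counts


def inherited_fd_denials(text):
    """fd:use denials. The target type is the domain that created the
    descriptor, so it names where the descriptor was inherited from."""
    return [(avc["comm"], domain(avc["scontext"]), domain(avc["tcontext"]))
            for avc in map(parse_avc, unwrap(text))
            if avc and avc["tclass"] == "fd" and "use" in avc["perms"]]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AVCS).items(), key=lambda kv: -kv[1]):
        print(n, *key)
    for comm, src, creator in inherited_fd_denials(SAMPLE_AVCS):
        print(f"{comm} ({src}) used a descriptor created by {creator}")
```

Run on the sample, the summary shows three identical restorecon_t denials on the block device and one fsadm_t fd:use denial whose target type is kernel_t, which is the pattern the reply describes: a descriptor opened in one domain and handed to a subprocess running in another. The mislabeled blkid.tab the reply also mentions would show up in the dmesg output, not in these four records, so it is outside what this parser reports.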