Fedora 16 AVC at boot time

Dominick Grift dominick.grift at gmail.com
Sun Jan 29 22:39:56 UTC 2012


On Sun, 2012-01-29 at 09:48 -0800, David Highley wrote:
> "Dominick Grift wrote:"
> > 
> > On Sat, 2012-01-28 at 14:55 -0800, David Highley wrote:
> > > "Daniel J Walsh wrote:"
> > > > 
> > > > 
> > > > On 01/28/2012 02:15 PM, David Highley wrote:
> > > > > "David Highley wrote:"
> > > > >> 
> > > > >> "Miroslav Grepl wrote:"
> > > > >>> 
> > > > >>> On 01/26/2012 05:33 AM, David Highley wrote:
> > > > >>>> "Daniel J Walsh wrote:"
> > > > > On 01/25/2012 01:38 PM, David Highley wrote:
> > > > >>>>>>> "Daniel J Walsh wrote:" On 01/24/2012 10:39 PM, David
> > > > >>>>>>> Highley wrote:
> > > > >>>>>>>>>> time->Tue Jan 24 06:17:02 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327414622.867:2517): arch=c000003e
> > > > >>>>>>>>>> syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170
> > > > >>>>>>>>>> a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253
> > > > >>>>>>>>>> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > > > >>>>>>>>>> sgid=0 fsgid=0 tty=(none) ses=293 comm="sh" 
> > > > >>>>>>>>>> exe="/bin/bash" 
> > > > >>>>>>>>>> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > key=(null) type=AVC msg=audit(1327414622.867:2517): avc:
> > > > >>>>>>>>>> denied  { transition } for  pid=5253 comm="rpm" 
> > > > >>>>>>>>>> path="/bin/bash" dev=dm-1 ino=393240 
> > > > >>>>>>>>>> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
> > > > >>>>>>>>>> tclass=process ---- time->Tue Jan 24 06:23:38
> > > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.410:38):
> > > > >>>>>>>>>> arch=c000003e syscall=2 success=no exit=-13
> > > > >>>>>>>>>> a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68
> > > > >>>>>>>>>> items=0 ppid=1180 pid=1359 auid=4294967295 uid=0
> > > > >>>>>>>>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48
> > > > >>>>>>>>>> fsgid=48 tty=(none) ses=4294967295 
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.410:38): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1359
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.410:39): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1360 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.410:39): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1360
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.411:40): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1361 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.411:40): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1361
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.411:41): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1362 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.411:41): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1362
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.414:42): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1365 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.414:42): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1365
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.414:43): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1364 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.414:43): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1364
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.415:44): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1366 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.415:44): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1366
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.416:45): arch=c000003e
> > > > >>>>>>>>>> syscall=2 success=no exit=-13 a0=7fff0fc10e50
> > > > >>>>>>>>>> a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180
> > > > >>>>>>>>>> pid=1363 auid=4294967295 uid=0 gid=48 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=48 sgid=48 fsgid=48
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="/usr/sbin/httpd"
> > > > >>>>>>>>>> exe="/usr/sbin/httpd" 
> > > > >>>>>>>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > >>>>>>>>>> type=AVC msg=audit(1327415018.416:45): avc:
> > > > >>>>>>>>>> denied  { search } for pid=1363
> > > > >>>>>>>>>> comm="/usr/sbin/httpd" name="yp" dev=dm-1 
> > > > >>>>>>>>>> ino=1313161
> > > > >>>>>>>>>> scontext=system_u:system_r:httpd_t:s0 
> > > > >>>>>>>>>> tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
> > > > >>>>>>>>>> ---- time->Tue Jan 24 06:23:38 2012 type=SYSCALL 
> > > > >>>>>>>>>> msg=audit(1327415018.418:46): arch=c000003e
> > > > >>>>>>>>>> syscall=42 success=no exit=-13 a0=3
> > > > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0 
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau" 
> > > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" 
> > > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > key=(null) type=AVC msg=audit(1327415018.418:46): avc:
> > > > >>>>>>>>>> denied  { name_connect } for  pid=1369
> > > > >>>>>>>>>> comm="dbus-daemon-lau" dest=111 
> > > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > tcontext=system_u:object_r:portmap_port_t:s0
> > > > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:47):
> > > > >>>>>>>>>> arch=c000003e syscall=49 success=no exit=-13 a0=3
> > > > >>>>>>>>>> a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367
> > > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau" 
> > > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" 
> > > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > key=(null) type=AVC msg=audit(1327415018.418:47): avc:
> > > > >>>>>>>>>> denied  { name_bind } for  pid=1369
> > > > >>>>>>>>>> comm="dbus-daemon-lau" src=697 
> > > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > tcontext=system_u:object_r:hi_reserved_port_t:s0
> > > > >>>>>>>>>> tclass=tcp_socket ---- time->Tue Jan 24 06:23:38
> > > > >>>>>>>>>> 2012 type=SYSCALL msg=audit(1327415018.418:48):
> > > > >>>>>>>>>> arch=c000003e syscall=42 success=no exit=-13 a0=3
> > > > >>>>>>>>>> a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367
> > > > >>>>>>>>>> pid=1369 auid=4294967295 uid=81 gid=81 euid=0
> > > > >>>>>>>>>> suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 
> > > > >>>>>>>>>> tty=(none) ses=4294967295 comm="dbus-daemon-lau" 
> > > > >>>>>>>>>> exe="/lib64/dbus-1/dbus-daemon-launch-helper" 
> > > > >>>>>>>>>> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > key=(null) type=AVC msg=audit(1327415018.418:48): avc:
> > > > >>>>>>>>>> denied  { name_connect } for  pid=1369
> > > > >>>>>>>>>> comm="dbus-daemon-lau" dest=111 
> > > > >>>>>>>>>> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> 
> > > > tcontext=system_u:object_r:portmap_port_t:s0
> > > > >>>>>>>>>> tclass=tcp_socket
> > > > >>>>>>> Do you have the allow_ypbind boolean permanently turned
> > > > >>>>>>> on
> > > > >>>>>>> 
> > > > >>>>>>> setsebool -P allow_ypbind 1
> > > > >>>>>>> 
> > > > >>>>>>>> Yes, we permanently set this bool.
> > > > >>>>>>> If the init script is turning it on, you could see
> > > > >>>>>>> avc's like this.
> > > > >>>>>>> 
> > > > >>>>>>> Have no idea what the bootloader->rpm_script one is.
> > > > >>>>>>> 
> > > > >>>>>>> There used to be some kernel update scripts that were
> > > > >>>>>>> labeled as bootloader_exec_t? -- selinux mailing list
> > > > >>>>>>> selinux at lists.fedoraproject.org 
> > > > >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > > >
> > > > >>>>>>> 
> > > > Strange and these happen on every boot, and then stop?
> > > > >>>>> Just tried another reboot and got the same results so I
> > > > >>>>> would say that it happens on every boot.
> > > > >>>>> 
> > > > >>>>> 
> > > > >>> Could you make sure that the policy is installed correctly.
> > > > >>> 
> > > > >>> # yum reinstall selinux-policy-targeted
> > > > >>> 
> > > > >>> and see if something blows up.
> > > > >> 
> > > > >> Same results as before. Did get a new avc just before the reboot
> > > > >> doing a yum update.
> > > > > 
> > > > > To add more clarity to the boot up AVC, we did check for any sign
> > > > > of AVC when we reinstalled selinux-policy-targeted.
> > > > > 
> > > > >> allow bootloader_t rpm_script_t:process transition; ---- 
> > > > >> time->Sat Jan 28 07:47:51 2012 type=SYSCALL
> > > > >> msg=audit(1327765671.705:3395): arch=c000003e syscall=59 
> > > > >> success=ye s exit=0 a0=1429290 a1=12e3550 a2=7fffd4c974c8 a3=20
> > > > >> items=0 ppid=24868 pid=2487 8 auid=1000 uid=0 gid=0 euid=0 suid=0
> > > > >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses =404 comm="sh"
> > > > >> exe="/bin/bash" 
> > > > >> subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0. c1023
> > > > >> key=(null) type=AVC msg=audit(1327765671.705:3395): avc:  denied
> > > > >> { transition } for  pid=24878 comm="rpm" path="/bin/bash"
> > > > >> dev=dm-1 ino=393240 
> > > > >> scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 
> > > > >> tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 
> > > > >> tclass=process
> > > > > 
> > > > > Packages in this update were: Jan 28 07:46:28 Updated:
> > > > > libuuid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > > libblkid-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > > 12:dhcp-libs-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:29 Updated:
> > > > > libcurl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > > > curl-7.21.7-6.fc16.x86_64 Jan 28 07:46:30 Updated:
> > > > > 12:dhcp-common-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:31 Updated:
> > > > > libmount-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:32 Updated:
> > > > > setroubleshoot-server-3.1.2-1.fc16.x86_64 Jan 28 07:46:32
> > > > > Installed: python-tornado-2.1.1-1.fc16.noarch Jan 28 07:46:33
> > > > > Updated: python-kitchen-1.1.0-1.fc16.noarch Jan 28 07:46:33
> > > > > Updated: pyrpkg-1.11-1.fc16.noarch Jan 28 07:46:34 Updated: 
> > > > > mozilla-firetray-core-0.3.6-0.1.143svn.fc16.x86_64 Jan 28 07:46:39
> > > > > Installed: kernel-3.2.2-1.fc16.x86_64 Jan 28 07:46:40 Updated:
> > > > > xorg-x11-drv-intel-2.17.0-8.fc16.x86_64 Jan 28 07:46:40 Updated: 
> > > > > mozilla-firetray-thunderbird-0.3.6-0.1.143svn.fc16.x86_64 Jan 28
> > > > > 07:46:40 Updated: fedpkg-1.7-1.fc16.noarch Jan 28 07:46:42 Updated:
> > > > > ipython-0.12-2.fc16.noarch Jan 28 07:46:43 Updated:
> > > > > setroubleshoot-3.1.2-1.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > > > util-linux-2.20.1-2.2.fc16.x86_64 Jan 28 07:46:44 Updated:
> > > > > 12:dhclient-4.2.3-6.P2.fc16.x86_64 Jan 28 07:46:46 Updated:
> > > > > libcurl-devel-7.21.7-6.fc16.x86_64 Jan 28 07:46:47 Updated:
> > > > > rsyslog-5.8.7-1.fc16.x86_64 Jan 28 07:46:48 Updated:
> > > > > t1lib-5.1.2-9.fc16.x86_64 Jan 28 07:46:49 Updated:
> > > > > kernel-headers-3.2.2-1.fc16.x86_64 Jan 28 07:46:59 Installed:
> > > > > kernel-devel-3.2.2-1.fc16.x86_64 Jan 28 07:47:00 Updated:
> > > > > mdadm-3.2.3-3.fc16.x86_64
> > > > >> 
> > > > > 
> > > > > 
> > > > 
> > > > Any idea of what process is running as bootloader_t?
> > > > 
> > > > ps -eZ | grep bootloader_t
> > > > or
> > > > find /sbin/ -context "*:bootloader_exec_t*"
> > > 
> > > Since we were running yum update and there was a kernel update involved
> > > it could be several from the list below.
> > > 
> > > /sbin/grub2-setup
> > > /sbin/installkernel
> > > /sbin/grub2-reboot
> > > /sbin/grub2-probe
> > > /sbin/grub2-mkdevicemap
> > > /sbin/grub2-set-default
> > > /sbin/grubby
> > > /sbin/grub2-install
> > > /sbin/grub2-mkconfig
> > > /sbin/grub2-mknetdir
> > > /sbin/new-kernel-pkg
> > 
> > Do you have any (a)?kmod packages installed from rpmfusion?
> 
> Yes, we run akmod for nvidia on that system and it also has the new UEFI
> BIOS. You mentioned modifying grub for the BIOS, is that something that
> may need to be done? If so is there documentation about what needs to be
> changed?

I meant "I also do not have a default grub config because I am using
uefi setup." because a uefi setup requires package grub-efi, which is not
installed if you do not use uefi. I have not modified grub manually in
any way.

I suspect the above issue might be related to akmod. Not sure though. I used
to have a policy module for akmod back in the day. Would maybe have been
useful now to be able to determine whether this is actually akmod or
something else running in the bootloader domain.

> > I have specified labels for the above files bootloader_exec_t a while
> > ago and I was not sure whether this would be a good idea.
> > 
> > I have not had any AVC denials related to this but I do not use grub
> > manually often and I also do not have a default grub config because I am
> > using uefi setup.
> > 
> > > > 
> > 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
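
Added example, not part of the original message and not code from any SELinux tool: a small triage parser that groups AVC denials like the ones quoted in this thread by source type, target type and class, so the single bootloader_t to rpm_script_t transition stands apart from the repeated NIS-related httpd_t and system_dbusd_t denials. The function names are this example's own; the allow-rule rendering mirrors the `allow bootloader_t rpm_script_t:process transition;` line quoted above and is a summary format, not a policy to load.

```python
import re
from collections import defaultdict

# Constructed input: AVC records from the thread, each re-joined onto one line
# (the mail client's wrapping is undone; field values are as quoted).
SAMPLE = """\
type=AVC msg=audit(1327414622.867:2517): avc:  denied  { transition } for  pid=5253 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1327415018.410:38): avc:  denied  { search } for pid=1359 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.410:39): avc:  denied  { search } for pid=1360 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.418:46): avc:  denied  { name_connect } for  pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327415018.418:47): avc:  denied  { name_bind } for  pid=1369 comm="dbus-daemon-lau" src=697 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    """Return the type field of user:role:type[:level] (the level may contain ':')."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial; return None for other or truncated records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    return {"perms": m.group("perms").split(), "comm": f.get("comm", "?"),
            "source": sel_type(f["scontext"]), "target": sel_type(f["tcontext"]),
            "tclass": f["tclass"]}

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return dict(groups)

def to_rules(summary):
    """Render each group in allow-rule form, for triage only."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
            for (s, t, c), g in sorted(summary.items())]

if __name__ == "__main__":
    summary = summarize(SAMPLE.splitlines())
    for rule, key in zip(to_rules(summary), sorted(summary)):
        print("%-72s # x%d via %s" % (rule, summary[key]["count"], ", ".join(sorted(summary[key]["comms"]))))
```
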



