Denials not reported in enforcing mode

Ian Pilcher arequipeno at gmail.com
Mon Nov 19 04:58:14 UTC 2012


I just finished debugging an issue with kdump startup.  (systemd was
unable to load the kdump kernel, even though using the kdumpctl command
from a shell worked just fine.)  These symptoms immediately made me
think that the problem might be SELinux-related, and my /boot directory
was indeed not labeled correctly.

It took me quite a bit longer than it should have to figure out what was
going on, however, because no denials were reported -- either in the
audit log or by ausearch.  It was only when I put SELinux in permissive
mode "just to double-check" that anything was reported:

time->Sun Nov 18 22:42:13 2012
type=SYSCALL msg=audit(1353300133.076:93): arch=c000003e syscall=5
success=yes exit=0 a0=3 a1=7fff0a12e0e0 a2=7fff0a12e0e0 a3=7fff0a12de70
items=0 ppid=3402 pid=3422 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec"
exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1353300133.076:93): avc:  denied  { getattr } for
pid=3422 comm="kexec"
path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19
scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
----
time->Sun Nov 18 22:42:13 2012
type=SYSCALL msg=audit(1353300133.076:92): arch=c000003e syscall=2
success=yes exit=3 a0=7fff0a12fee4 a1=0 a2=a a3=7fff0a12de70 items=0
ppid=3402 pid=3422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec"
exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1353300133.076:92): avc:  denied  { open } for
pid=3422 comm="kexec"
path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19
scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1353300133.076:92): avc:  denied  { read } for
pid=3422 comm="kexec" name="initramfs-3.6.6-1.fc17.x86_64kdump.img"
dev="md0" ino=19 scontext=system_u:system_r:kdump_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file

Is this expected behavior for some reason?  Anyone ever seen anything
like this?

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
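
An added example, not part of the original post: a small Python parser that merges the AVC denials quoted above per target inode and lists targets whose type suggests a missing label. The function names are hypothetical, and treating `file_t` or `unlabeled_t` as "not labeled" is an assumption that matches the mislabeled /boot described in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the post, each rejoined
# onto one line (the mail wrapped them).
SAMPLE = '''\
type=AVC msg=audit(1353300133.076:93): avc:  denied  { getattr } for pid=3422 comm="kexec" path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1353300133.076:92): avc:  denied  { open } for pid=3422 comm="kexec" path="/boot/initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1353300133.076:92): avc:  denied  { read } for pid=3422 comm="kexec" name="initramfs-3.6.6-1.fc17.x86_64kdump.img" dev="md0" ino=19 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
'''

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: a target of type file_t or unlabeled_t means the file has no usable label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["serial"] = int(m.group(1))
    rec["perms"] = m.group(2).split()
    return rec

def summarize(text):
    """Merge denials per (source type, target type, class, dev, inode)."""
    groups = defaultdict(lambda: {"perms": set(), "path": None})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2],
               rec["tclass"], rec.get("dev"), rec.get("ino"))
        groups[key]["perms"].update(rec["perms"])
        # "path" is a full path; "name" is only the last component.
        groups[key]["path"] = rec.get("path") or groups[key]["path"] or rec.get("name")
    return dict(groups)

def unlabeled_targets(text):
    """Paths whose target type suggests a missing label (restorecon candidates)."""
    return sorted({g["path"] for k, g in summarize(text).items() if k[1] in UNLABELED_TYPES})

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, sorted(g["perms"]), g["path"])
    print("relabel candidates:", unlabeled_targets(SAMPLE))
```

Input must have one record per line, as ausearch emits it; records wrapped by a mail client have to be rejoined first.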


