[DSE-Dev] Bug#707246: selinux-policy-default: dmesg produce AVC when trying to access to /etc/locale.alias

Michael Scherer misc at zarb.org
Wed May 8 14:16:57 UTC 2013


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Hi, 

Having decided to give SELinux a test, I have installed a Debian 6.0 and later
upgraded to 7.0. As recommended on the wiki, I first did a boot with SELinux in
permissive mode to see if there are potential errors, and found several AVCs.

On boot, it seems something is running dmesg in a confined domain:

[   11.562532] type=1400 audit(1367756552.570:6): avc:  denied  { read } for  pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[   11.562557] type=1400 audit(1367756552.570:7): avc:  denied  { open } for  pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[   11.562617] type=1400 audit(1367756552.570:8): avc:  denied  { getattr } for  pid=626 comm="dmesg" path="/etc/locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

And domain system_u:system_r:dmesg_t:s0 cannot read /etc/locale.alias, as that file is not labeled to something special.

I assume that it should be labeled locale_t, since dmesg has access to that domain:
   
   # sesearch -s dmesg_t -A -c file -t locale_t
   Found 1 semantic av rules:
      allow dmesg_t locale_t : file { ioctl read getattr lock open } ; 

There is however no side effect to the AVC, except noise.

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
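
The check described in the report, as an added example that is not part of the original message: it groups the three AVC denials by (source type, target type, class) and tests whether the allow rule from the sesearch output would cover every denied permission if the file carried the rule's target type. The function names are my own; the log lines and the rule are copied from the report.

```python
import re
from collections import defaultdict

# AVC records copied from the report above.
AVC_LOG = """\
[   11.562532] type=1400 audit(1367756552.570:6): avc:  denied  { read } for  pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[   11.562557] type=1400 audit(1367756552.570:7): avc:  denied  { open } for  pid=626 comm="dmesg" name="locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[   11.562617] type=1400 audit(1367756552.570:8): avc:  denied  { getattr } for  pid=626 comm="dmesg" path="/etc/locale.alias" dev=sda1 ino=394340 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Rule copied from the sesearch output in the report.
SESEARCH_RULE = "allow dmesg_t locale_t : file { ioctl read getattr lock open } ;"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def denied_permissions(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for match in AVC_RE.finditer(log):
        perms, scon, tcon, tclass = match.groups()
        key = (context_type(scon), context_type(tcon), tclass)
        denied[key].update(perms.split())
    return dict(denied)

def parse_allow_rule(rule):
    """Split one sesearch allow rule into (source, target, class, perms)."""
    src, tgt, tclass, perms = RULE_RE.search(rule).groups()
    return src, tgt, tclass, set(perms.split())

def uncovered_after_relabel(log, rule):
    """Denied permissions the rule would still not grant after relabeling
    the target file to the rule's target type."""
    src, _tgt, tclass, allowed = parse_allow_rule(rule)
    remaining = set()
    for (s, _t, c), perms in denied_permissions(log).items():
        if s == src and c == tclass:
            remaining |= perms - allowed
    return remaining

if __name__ == "__main__":
    print(denied_permissions(AVC_LOG))
    print("still denied after relabel:", uncovered_after_relabel(AVC_LOG, SESEARCH_RULE))
```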


