On Wed, 2005-06-29 at 16:28 +0200, Erik P. Olsen wrote:
> I have seen the following denials with 1.35_FC3:
>
> Jun 27 21:46:10 epo kernel: audit(1119901570.501:0): avc: denied
> { execmod } for pid=20186 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:46:36 epo kernel: audit(1119901596.637:0): avc: denied
> { execmod } for pid=20201 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:46:36 epo kernel: audit(1119901596.639:0): avc: denied
> { execmod } for pid=20202 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:46:36 epo kernel: audit(1119901596.673:0): avc: denied
> { execmod } for pid=20203 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:46:58 epo kernel: audit(1119901618.120:0): avc: denied
> { execmod } for pid=20207 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:46:58 epo kernel: audit(1119901618.178:0): avc: denied
> { execmod } for pid=20208 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:46:58 epo kernel: audit(1119901618.233:0): avc: denied
> { execmod } for pid=20209 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
> Jun 27 21:47:56 epo kernel: audit(1119901676.202:0): avc: denied
> { execmod } for pid=20211 comm=gpg path=/usr/bin/gpg dev=hdb8
> ino=328924 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:bin_t tclass=file
>
> I am now running in permissive mode otherwise I get too many problems
> that I can't solve.

Yes, the execmod checks on gpg in FC3 are expected, as it does have a text relocation on FC3 (fixed in FC4). What is not expected are the pervasive execmod checks on /sbin/init and other core system processes, which seem to be limited to the older kernels.

-- 
Stephen Smalley
National Security Agency
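As an added example that is not part of this thread and not code from any SELinux tool, the following Python script parses kernel AVC denial lines in the format quoted above, counts denials by permission and target, and flags execmod denials on executables that are not in a caller-supplied list of binaries known to carry text relocations (the kind of triage Stephen's reply describes: gpg expected, /sbin/init not). The allowlist, the /sbin/init and read lines, and the pids and inodes in those constructed lines are assumptions; the first two sample lines are copied from the report.

```python
import re
from collections import Counter

# Constructed sample log. The first two lines are quoted from the report;
# the /sbin/init and read lines are made up to show the "unexpected" case
# and a non-execmod denial (their pids, inodes and contexts are invented).
SAMPLE_LOG = """\
Jun 27 21:46:10 epo kernel: audit(1119901570.501:0): avc: denied { execmod } for pid=20186 comm=gpg path=/usr/bin/gpg dev=hdb8 ino=328924 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jun 27 21:46:36 epo kernel: audit(1119901596.637:0): avc: denied { execmod } for pid=20201 comm=gpg path=/usr/bin/gpg dev=hdb8 ino=328924 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
Jun 27 21:47:01 epo kernel: audit(1119901621.000:0): avc: denied { execmod } for pid=1 comm=init path=/sbin/init dev=hdb8 ino=100 scontext=system_u:system_r:init_t tcontext=system_u:object_r:init_exec_t tclass=file
Jun 27 21:47:05 epo kernel: audit(1119901625.000:0): avc: denied { read } for pid=20300 comm=gpg name=secring.gpg dev=hdb8 ino=4242 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
"""

# One AVC record: audit(<secs>.<msecs>:<serial>): avc: denied { perm ... } for key=value ...
# Whitespace is matched loosely because kernels of this era emit double spaces.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
    }
    # Trailing key=value pairs (pid, comm, path/name, dev, ino, scontext, tcontext, tclass).
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def parse_log(text):
    """Parse every AVC record in a block of kernel log text."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def summarize(records):
    """Count denials keyed by (permission, tclass, comm, path-or-name)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        target = r.get("path") or r.get("name")
        for perm in sorted(r["perms"]):
            counts[(perm, r.get("tclass"), r.get("comm"), target)] += 1
    return counts


def unexpected_execmod(records, known_textrel):
    """execmod denials on executables not in the caller's known-TEXTREL list.

    known_textrel is an assumption supplied by the operator (e.g. {"/usr/bin/gpg"}
    for the FC3 case in the thread); anything else is worth a closer look.
    """
    return sorted({
        r["path"] for r in records
        if r["result"] == "denied" and "execmod" in r["perms"]
        and r.get("path") is not None and r["path"] not in known_textrel
    })


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).most_common():
        print(n, *key)
    print("unexpected execmod on:", unexpected_execmod(recs, {"/usr/bin/gpg"}))
    print("source types seen:", sorted({context_type(r["scontext"]) for r in recs}))
```

Grouping by permission and target rather than by pid is what makes the report readable: eight gpg lines collapse to one row, and a single execmod on /sbin/init stands out. Whether a flagged binary really needs execmod can then be confirmed by inspecting it for a TEXTREL dynamic tag rather than by loosening policy.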