[DSE-Dev] Bug#756730: selinux-policy-default: Setting SELinux to enforce logs AVC: mount wants to access modules.dep

Andreas Florath andre at flonatel.org
Fri Aug 1 05:16:57 UTC 2014


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: minor

Dear Maintainer,

After SELinux is set to enforcing, the following AVC is logged during boot.
Nevertheless, I did not find any problems with the system:

type=1400 audit(1406807193.926:4): avc:  denied  { read } for  pid=1385 comm="mount" name="modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file

When allowing this (audit2allow & semodule -u), the following AVCs are logged:
Jul 31 15:30:13 debtest kernel: [    4.029846] type=1400 audit(1406813412.816:4): avc:  denied  { open } for  pid=1385 comm="mount" name="modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
Jul 31 15:34:17 debtest kernel: [    4.286956] type=1400 audit(1406813655.960:4): avc:  denied  { getattr } for  pid=1383 comm="mount" path="/lib/modules/3.2.0-4-amd64/modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file

I found two mail threads where this issue is discussed upstream:
http://oss.tresys.com/pipermail/refpolicy/2013-January/006267.html
http://oss.tresys.com/pipermail/refpolicy/2013-September/006529.html

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
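
The denials in the report surfaced one permission at a time (read, then open, then getattr), so the full access that mount requests on modules.dep only becomes visible once the records are merged. The following is an added example, not part of the original report and not audit2allow's own code: it parses the three quoted AVC records and unions them into one rule for review; all function names are hypothetical.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report, copied verbatim.
SAMPLE_LOG = '''\
type=1400 audit(1406807193.926:4): avc:  denied  { read } for  pid=1385 comm="mount" name="modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
Jul 31 15:30:13 debtest kernel: [    4.029846] type=1400 audit(1406813412.816:4): avc:  denied  { open } for  pid=1385 comm="mount" name="modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
Jul 31 15:34:17 debtest kernel: [    4.286956] type=1400 audit(1406813655.960:4): avc:  denied  { getattr } for  pid=1383 comm="mount" path="/lib/modules/3.2.0-4-amd64/modules.dep" dev=dm-0 ino=914388 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]


def merge_denials(log):
    """Group denials by (source type, target type, class); union the permissions."""
    merged = defaultdict(lambda: {"perms": set(), "objects": set(), "comms": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        merged[key]["perms"].update(rec["perms"])
        merged[key]["objects"].add(rec.get("path") or rec.get("name", "?"))
        merged[key]["comms"].add(rec.get("comm", "?"))
    return dict(merged)


def allow_rules(merged):
    """Render each group as a single policy allow rule for review."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(g["perms"])))
            for (src, tgt, cls), g in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(merge_denials(SAMPLE_LOG)):
        print(rule)
```

The merged output shows the whole access vector in one place, so it can be reviewed before any module is loaded.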


