I'm running CentOS 6.2, all updates. selinux-policy 3.7.19-126.el6_2.6. I
see /usr/share/selinux/devel/include/admin/mcelog.if:
########################################
## <summary>
## Execute a domain transition to run mcelog.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`mcelog_domtrans',`
gen_require(`
type mcelog_t, mcelog_exec_t;
')

domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')

Yet, I'm seeing
SELinux is preventing /usr/sbin/mcelog from getattr access on the file
/var/run/mcelog.pid.

Now, from some googling, it *looks* as though this was fixed already. Am I
missing something, or has this bug been reintroduced?

mark


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/17/2012 11:43 AM, m.roth@5-cent.us wrote:
> I'm running CentOS 6.2, all updates. selinux-policy
> 3.7.19-126.el6_2.6. I see
> /usr/share/selinux/devel/include/admin/mcelog.if:
> ######################################## ## <summary> ##
> Execute a domain transition to run mcelog. ## </summary> ## <param
> name="domain"> ## <summary> ## Domain allowed to
> transition. ## </summary> ## </param> #
> interface(`mcelog_domtrans',` gen_require(` type mcelog_t,
> mcelog_exec_t; ')
>
> domtrans_pattern($1, mcelog_exec_t, mcelog_t) ')
>
> Yet, I'm seeing SELinux is preventing /usr/sbin/mcelog from getattr
> access on the file /var/run/mcelog.pid.
>
> Now, from some googling, it *looks* as though this was fixed
> already. Am I missing something, or has this bug been
> reintroduced?
>
> mark
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
Well i am not sure if it is was fixed in 6.2 policy or 6.3. I provide
the current selinux policy prerelease in
people.redhat.com/dwalsh/SELinux/RHEL6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8+xEsACgkQrlYvE4MpobPJqACeJfF5X0UW4s AeQeeTznTE5jOq
uwoAniRES1D+aspYM3oQQrWb4D3dP0Lc
=4SV1
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On 02/17/2012 09:19 PM, Daniel J Walsh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/17/2012 11:43 AM, m.roth@5-cent.us wrote:

I'm running CentOS 6.2, all updates. selinux-policy
3.7.19-126.el6_2.6. I see
/usr/share/selinux/devel/include/admin/mcelog.if:
######################################## ##<summary> ##
Execute a domain transition to run mcelog. ##</summary> ##<param
name="domain"> ##<summary> ## Domain allowed to
transition. ##</summary> ##</param> #
interface(`mcelog_domtrans',` gen_require(` type mcelog_t,
mcelog_exec_t; ')

domtrans_pattern($1, mcelog_exec_t, mcelog_t) ')

Yet, I'm seeing SELinux is preventing /usr/sbin/mcelog from getattr
access on the file /var/run/mcelog.pid.

Now, from some googling, it *looks* as though this was fixed
already. Am I missing something, or has this bug been
reintroduced?

mark


-- selinux mailing list selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux



Well i am not sure if it is was fixed in 6.2 policy or 6.3. I provide
the current selinux policy prerelease in
people.redhat.com/dwalsh/SELinux/RHEL6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8+xEsACgkQrlYvE4MpobPJqACeJfF5X0UW4s AeQeeTznTE5jOq
uwoAniRES1D+aspYM3oQQrWb4D3dP0Lc
=4SV1
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Please, could you use the latest selinux-policy packages from

people.redhat.com/dwalsh/SELinux/RHEL6


how Dan wrote.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

I wrote:
> I'm running CentOS 6.2, all updates. selinux-policy 3.7.19-126.el6_2.6.
I > see /usr/share/selinux/devel/include/admin/mcelog.if:
> ########################################
> ## <summary>
> ## Execute a domain transition to run mcelog.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed to transition.
> ## </summary>
> ## </param>
> #
> interface(`mcelog_domtrans',`
> gen_require(`
> type mcelog_t, mcelog_exec_t;
> ')
>
> domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> ')
>
> Yet, I'm seeing
> SELinux is preventing /usr/sbin/mcelog from getattr access on the file
> /var/run/mcelog.pid.

> Now, from some googling, it *looks* as though this was fixed already.
> Am I missing something, or has this bug been reintroduced?

From: Miroslav Grepl <mgrepl@redhat.com>
> On 02/17/2012 09:19 PM, Daniel J Walsh wrote:

>> Well i am not sure if it is was fixed in 6.2 policy or 6.3. I provide
>> the current selinux policy prerelease in
>> people.redhat.com/dwalsh/SELinux/RHEL6

> Please, could you use the latest selinux-policy packages from
> people.redhat.com/dwalsh/SELinux/RHEL6
> how Dan wrote.

Are you asking me to test this policy update? I can do it on this one
machine... but it will be overwritten with the next update, and under no
circumstances will I roll it out to all our servers. We don't normally
even use CPAN - *everything's* from the repositories.

mark


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux