Bug 1011963

Summary: selinux avc denial on cluster nodes
Product: Red Hat Enterprise Linux 6 Reporter: michal novacek <mnovacek>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: dwalsh, ebenes, mmalik, mtruneck, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-218.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1016462 (view as bug list) Environment:
Last Closed: 2013-11-21 10:52:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1016462    
Attachments:
Description Flags
selinux messages none

Description michal novacek 2013-09-25 12:59:36 UTC 
Created attachment 802843 [details]
selinux messages

Description of problem:
There are selinux problem reported. This happens on automatic cluster creation
but I'm not sure however that this is cluster related problem.

Version-Release number of selected component (if applicable):
RHEL6.5-20130919.n.0
selinux-policy-3.7.19-216.el6.noarch
Comment 2 Milos Malik 2013-09-25 13:05:43 UTC 
Let's skip AVCs caused by prelink - here is the bug (BZ#1008464) which deals with them.
Comment 3 Milos Malik 2013-09-25 13:11:14 UTC 
The rest of AVCs consists of:
----
time->Mon Sep 23 10:24:43 2013
type=USER_AVC msg=audit(1379924683.286:28): user pid=1107 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=1160 tpid=7704 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:system_r:qarshd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Sep 23 10:26:06 2013
type=SYSCALL msg=audit(1379924766.715:64): arch=c000003e syscall=2 success=no exit=-13 a0=7f81f8bd50dd a1=0 a2=1b6 a3=0 items=0 ppid=9387 pid=10202 auid=4294967295 uid=140 gid=0 euid=140 suid=140 fsuid=140 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1379924766.715:64): avc:  denied  { read } for  pid=10202 comm="virsh" name="tmp" dev=dm-0 ino=261235 scontext=unconfined_u:system_r:xm_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
Comment 4 Miroslav Grepl 2013-09-25 19:01:57 UTC 
We have in Fedora

cat /tmp/log |audit2allow


#============= xm_t ==============

#!!!! This avc is allowed in the current policy
allow xm_t tmp_t:dir read

type=USER_AVC msg=audit(1379924683.286:28): user pid=1107 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=1160 tpid=7704 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:system_r:qarshd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

is a qarshd policy issue.
Comment 8 errata-xmlrpc 2013-11-21 10:52:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html