Bug 1021984

Summary: create a MLS policy for lldpad
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.5
CC: dwalsh, ebenes, mgrepl, mmalik, trustedsubject
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-252.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 891779
Environment:
Last Closed: 2014-10-14 07:57:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 891779
Bug Blocks:

Description Milos Malik 2013-10-22 12:47:47 UTC
Description of problem:
When running MLS policy, SELinux generates AVC for lldpad as per previous bug: 723958.

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-154.el6

How reproducible:

Create minimal install of EL 6.3, and apply MLS policy as per slightly modified process from: http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto

Steps to Reproduce:
1. yum update
2. reboot
3. yum install selinux-policy-mls
4. change /etc/sysconfig/selinux values to SELINUX=permissive and SELINUXTYPE=mls
5. touch /.autorelabel
6. reboot
7. give grub kernel argument '1' to boot into single user mode
8. change /etc/sysconfig/selinux value for SELINUX back to 'enforcing'
9. reboot

Actual results:
audit2allow generates the following policy for lldpad from the audit log:

allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:packet_socket { bind create ioctl setopt };
allow initrc_t self:shm { write unix_read unix_write associate read create };

Comment 1 Lukas Vrabec 2014-07-04 10:02:22 UTC
Patch sent.

Comment 4 Lukas Vrabec 2014-08-12 12:25:44 UTC
fixed patch sent.

Comment 7 Lukas Vrabec 2014-08-25 13:27:08 UTC
# rpm -q selinux-policy
selinux-policy-3.7.19-251.el6.noarch

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Package       : unknown
:: [   LOG    ] :: beakerlib RPM : beakerlib-1.9-3.el6 
:: [   LOG    ] :: bl-redhat RPM : beakerlib-redhat-1-12.el6eso 
:: [   LOG    ] :: Test started  : 2014-08-25 15:18:35 CEST
:: [   LOG    ] :: Test finished : 2014-08-25 15:19:26 CEST
:: [   LOG    ] :: Test name     : unknown
:: [   LOG    ] :: Distro:       : Red Hat Enterprise Linux Workstation release 6.6 Beta (Santiago)
:: [   LOG    ] :: Hostname      : localhost.localdomain
:: [   LOG    ] :: Architecture  : x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/selinux-policy/Regression/bz723958-lldpad-and-similar

Description: SELinux interferes with lldpad and related tools

Author: Milos Malik <mmalik>



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: rlImport: Found 'selinux-policy/common' in /mnt/tests
:: [   INFO   ] :: rlImport: Will try to import selinux-policy/common from /mnt/tests/CoreOS/selinux-policy/Library/common/lib.sh
:: [   PASS   ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0, got 0)
:: [   PASS   ] :: Checking for the presence of selinux-policy rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-mls rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-mls-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-targeted rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-targeted-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of lldpad rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   lldpad-0.9.46-2.el6.x86_64
:: [   PASS   ] :: Command 'setenforce 1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sestatus' (Expected 0, got 0)
:: [   LOG    ] :: Setting timestamp 'TIMESTAMP' [08/25/2014 15:18:37]
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: Setup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#723958
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /etc/rc.d/init.d/lldpad should contain lldpad_initrc_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/dcbtool should contain bin_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldptool should contain bin_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /var/lib/lldpad should contain lldpad_var_lib_t (Assert: expected 0, got 0)
:: [   PASS   ] :: sesearch --type -C -s initrc_t -t lldpad_exec_t -c process -p lldpad_t  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t unconfined_t : unix_dgram_socket { sendto }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t unconfined_t -c unix_dgram_socket -p sendto  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: bz#723958

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#727290
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_module }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_module  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#727290

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#891779
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : netlink_route_socket { nlmsg_write }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c netlink_route_socket -p nlmsg_write  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : packet_socket { bind create ioctl setopt }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p bind  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p create  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p ioctl  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p setopt  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : shm { create destroy read write associate unix_read unix_write }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p create  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p destroy  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p read  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p write  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p associate  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p unix_read  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p unix_write  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 13 good, 0 bad
:: [   PASS   ] :: RESULT: bz#891779

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#986870
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_resource }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_resource  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#986870

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#995434
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t fcoemon_t : unix_dgram_socket { sendto }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t fcoemon_t -c unix_dgram_socket -p sendto  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#995434

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1021984
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /etc/localtime should contain locale_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_resource } mls'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_resource /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t locale_t : file { getattr open read } mls'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p getattr /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p open /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p read /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: bz#1021984

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: real scenario
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0)
:: [   PASS   ] :: Command 'semodule -l | grep lldpad' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad start' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ps -efZ | egrep -v " egrep " | egrep "lldpad_t.*lldpad"' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 0)
:: [   PASS   ] :: Command 'service lldpad restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ps -efZ | egrep -v " egrep " | egrep "lldpad_t.*lldpad"' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 0)
:: [   PASS   ] :: Command 'lldptool -t -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'lldptool -l -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'lldptool -S -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'dcbtool gc dcbx' (Expected 0, got 0)
:: [   PASS   ] :: Command 'dcbtool go dcbx' (Expected 0, got 0)
:: [   PASS   ] :: Command 'dcbtool gc eth0 dcb' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 dcb' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 dcb' (Expected 0-255, got 255)
:: [   PASS   ] :: Command 'dcbtool gp eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'service lldpad stop' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 3)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 33 good, 0 bad
:: [   PASS   ] :: RESULT: real scenario

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Search for AVCs and SELINUX_ERRs since timestamp 'TIMESTAMP' [08/25/2014 15:18:37]
:: [   PASS   ] :: Command 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 08/25/2014 15:18:37 2>&1 | grep -v '<no matches>'' (Expected 1, got 1)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: Cleanup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: unknown
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Phases: 9 good, 0 bad
:: [   PASS   ] :: RESULT: unknown
:: [ 15:19:26 ] :: JOURNAL XML: /var/tmp/beakerlib-NhvRIfU/journal.xml
:: [ 15:19:27 ] :: JOURNAL TXT: /var/tmp/beakerlib-NhvRIfU/journal.txt

rhel6:/var/log/audit
# service lldpad status
lldpad (pid  27985) is running...
rhel6:/var/log/audit
# lldptool -p
27985

I'm without any AVC. Could you re-test it, or do I have a bad reproducer?

Comment 8 Miroslav Grepl 2014-08-25 13:47:47 UTC
Milos,
then you need to have

lldpad_admin()

Comment 9 Milos Malik 2014-08-25 14:38:01 UTC
(In reply to Lukas Vrabec from comment #7)

> I'm without any AVC. Could you re-test it, or do I have a bad reproducer?

You need to run the automated TC (to be precise - the real scenario phase) on a machine where the MLS policy is active. The TC is unable to switch the machine from targeted to MLS.

Comment 10 Milos Malik 2014-08-25 14:57:34 UTC
The following AVCs appear when "lldptool -p" is executed in permissive mode:
----
type=SOCKADDR msg=audit(08/25/2014 16:54:28.606:88) : saddr=local /com/intel/lldpad 
type=SYSCALL msg=audit(08/25/2014 16:54:28.606:88) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x9c7352 a2=0x14 a3=0x7fff949f9210 items=0 ppid=2600 pid=2665 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=lldptool exe=/usr/sbin/lldptool subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/25/2014 16:54:28.606:88) : avc:  denied  { sendto } for  pid=2665 comm=lldptool path=/com/intel/lldpad scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=unix_dgram_socket 
----
type=SOCKADDR msg=audit(08/25/2014 16:54:28.607:89) : saddr=local /com/intel/lldpad/2665 
type=SYSCALL msg=audit(08/25/2014 16:54:28.607:89) : arch=x86_64 syscall=sendto success=yes exit=12 a0=0x4 a1=0x21ffb60 a2=0xc a3=0x0 items=0 ppid=1 pid=1375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/25/2014 16:54:28.607:89) : avc:  denied  { sendto } for  pid=1375 comm=lldpad path=/com/intel/lldpad/2665 scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=unix_dgram_socket 
----

The following rules seem to be needed:
allow lldpad_t sysadm_t:unix_dgram_socket sendto;
allow sysadm_t lldpad_t:unix_dgram_socket sendto;
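The two allow rules above are read straight off the AVC records: the `scontext` type becomes the source, the `tcontext` type the target, and `tclass` plus the braced permission set complete the rule. The script below is an added example (not code from this bug, from audit2allow, or from the selinux-policy project) that performs that mapping over raw audit lines. The two `unix_dgram_socket` AVC records in its sample are the ones quoted in comment 10; the `packet_socket` and `granted` records, and the abbreviated SYSCALL/SOCKADDR lines, are constructed to show permission merging, the `self` form seen in the description's audit2allow output, and records that carry no denial.

```python
import re
from collections import defaultdict

# Constructed sample audit text. The two unix_dgram_socket AVC records are the
# ones quoted in comment 10 of the bug; the remaining lines are made up here.
SAMPLE_AUDIT = """\
type=SOCKADDR msg=audit(08/25/2014 16:54:28.606:88) : saddr=local /com/intel/lldpad
type=SYSCALL msg=audit(08/25/2014 16:54:28.606:88) : arch=x86_64 syscall=connect success=yes exit=0 comm=lldptool exe=/usr/sbin/lldptool subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/25/2014 16:54:28.606:88) : avc:  denied  { sendto } for  pid=2665 comm=lldptool path=/com/intel/lldpad scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(08/25/2014 16:54:28.607:89) : avc:  denied  { sendto } for  pid=1375 comm=lldpad path=/com/intel/lldpad/2665 scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(08/25/2014 16:55:01.100:90) : avc:  denied  { create } for  pid=1375 comm=lldpad scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=packet_socket
type=AVC msg=audit(08/25/2014 16:55:01.101:91) : avc:  denied  { bind } for  pid=1375 comm=lldpad scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=packet_socket
type=AVC msg=audit(08/25/2014 16:55:01.102:92) : avc:  granted  { setrlimit } for  pid=1375 comm=lldpad scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=process
"""

# Only "denied" AVC records describe missing access; "granted" records come
# from auditallow rules and must not be turned into allow rules.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of user:role:type[:mls-range].

    The MLS range (s0-s15:c0.c1023 above) is dropped on purpose: type
    enforcement allow rules do not carry one.
    """
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return fields[2]


def parse_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL/SOCKADDR records and granted AVCs: nothing to allow
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_rules(rules):
    """Render grouped denials as TE allow rules.

    When source and target types coincide the target is written as 'self',
    the form audit2allow produced in the bug description.
    """
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {perm_str};")
    return lines


def avc_to_rules(audit_text):
    """Convenience wrapper: audit text in, list of candidate allow rules out."""
    return format_rules(parse_denials(audit_text))


if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_AUDIT):
        print(rule)
```

Rules derived this way are candidates for review, not something to load as-is: each one should be checked against what the process genuinely needs (here the fix went into the distribution policy rather than a local module), and under the MLS policy a denial can also come from an MLS constraint, which no type-enforcement allow rule satisfies and which audit2allow flags separately.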

Comment 11 Lukas Vrabec 2014-08-26 14:01:52 UTC
commit a37f930d9fa6293c2a724e09c79207cda0854ae5
Author: Miroslav Grepl <mgrepl>
Date:   Tue Aug 26 15:52:39 2014 +0200

    Allow sysadm to talk with lldpad over unix dgram socket.

Comment 14 errata-xmlrpc 2014-10-14 07:57:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html