Bug 1028099
| Field | Value |
|---|---|
| Summary | SELinux prevents lsmd from executing various lsmplugins |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.0 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | Milos Malik <mmalik> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | mmalik |
| Target Milestone | rc |
| Fixed In Version | selinux-policy-3.12.1-118.el7 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-06-13 09:32:45 UTC |
Description
Milos Malik
2013-11-07 16:29:39 UTC
If you replace 'sim://' with 'simc://' then you will get similar AVCs. sim_lsmplugin is a script, but simc_lsmplugin is a binary. After execution of "chcon -t lsmd_exec_t /usr/bin/simc_lsmplugin" the AVCs stopped appearing. But the reproducer from comment#0 still triggers AVCs. Each of these plugins can be triggered via the reproducer:

```
# ls -l /usr/bin/*_lsmplugin
-rwxr-xr-x. 1 root root  1340 Oct 14 17:00 /usr/bin/nstor_lsmplugin
-rwxr-xr-x. 1 root root  1298 Oct 14 17:00 /usr/bin/ontap_lsmplugin
-rwxr-xr-x. 1 root root 48312 Oct 14 16:58 /usr/bin/simc_lsmplugin
-rwxr-xr-x. 1 root root  1324 Oct 14 17:00 /usr/bin/sim_lsmplugin
-rwxr-xr-x. 1 root root  1297 Oct 14 17:00 /usr/bin/smispy_lsmplugin
-rwxr-xr-x. 1 root root 23904 Oct 14 17:00 /usr/bin/targetd_lsmplugin
# file /usr/bin/*_lsmplugin
/usr/bin/nstor_lsmplugin:   Python script, ASCII text executable
/usr/bin/ontap_lsmplugin:   Python script, ASCII text executable
/usr/bin/simc_lsmplugin:    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xe19f870782280067178acabafa6fd1c34373d922, stripped
/usr/bin/sim_lsmplugin:     Python script, ASCII text executable
/usr/bin/smispy_lsmplugin:  Python script, ASCII text executable
/usr/bin/targetd_lsmplugin: Python script, ASCII text executable
```

Milos, could you try to add corecmd_exec_bin(lsmd) to the local policy, and re-run and collect AVC msgs?

```
commit c07234231b3ef9de9129c257d1ef1245bf1b9a4b
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 8 09:01:45 2013 +0100

    Allow lsmd to execute various lsmplugins
```

After compiling and loading of the following module a bunch of AVCs showed up in enforcing mode:

```
policy_module(mypolicy,1.0)

require {
    type lsmd_t;
}

corecmd_exec_bin(lsmd_t)
```

```
----
type=PATH msg=audit(11/08/2013 10:22:24.897:861) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:22:24.897:861) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:22:24.897:861) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:22:24.897:861) : avc: denied { read } for pid=4565 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:22:24.974:862) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:22:24.974:862) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:22:24.974:862) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:22:24.974:862) : avc: denied { read } for pid=4565 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=1 name=/tmp/1MsK71 objtype=CREATE
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:22:24.980:864) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:22:24.980:864) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x25fec40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:22:24.980:864) : avc: denied { write } for pid=4565 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
```

The following AVCs were caught in permissive mode:

```
----
type=PATH msg=audit(11/08/2013 10:33:30.753:1330) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:30.753:1330) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.753:1330) : arch=x86_64 syscall=open success=yes exit=6 a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc: denied { open } for pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc: denied { read } for pid=29545 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/08/2013 10:33:30.755:1331) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7fff1932c4a0 a2=0x7fff1932c4a0 a3=0x0 items=0 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc: denied { getattr } for pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:33:30.835:1332) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:30.835:1332) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.835:1332) : arch=x86_64 syscall=open success=yes exit=7 a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc: denied { open } for pid=29545 comm=python2.7 path=/dev/urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc: denied { read } for pid=29545 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=CREATE
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:33:30.841:1333) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1333) : arch=x86_64 syscall=open success=yes exit=6 a0=0x1ea7c40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { create } for pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { add_name } for pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { write } for pid=29545 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:33:30.841:1334) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1334) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1e2d4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc: denied { unlink } for pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc: denied { remove_name } for pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
type=PATH msg=audit(11/08/2013 10:33:31.270:1337) : item=0 name=/etc/resolv.conf inode=9210153 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:31.270:1337) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1337) : arch=x86_64 syscall=open success=yes exit=5 a0=0x38ca37d3e8 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x38ca288210 items=1 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc: denied { open } for pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc: denied { read } for pid=29574 comm=python2.7 name=resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1338) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7fffed10f7b0 a2=0x7fffed10f7b0 a3=0x0 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.270:1338) : avc: denied { getattr } for pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1339) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc: denied { create } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
----
type=SOCKADDR msg=audit(11/08/2013 10:33:31.271:1340) : saddr=inet host:192.168.122.1 serv:53
type=SYSCALL msg=audit(11/08/2013 10:33:31.271:1340) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0xaf1350 a2=0x10 a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.271:1340) : avc: denied { connect } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.313:1341) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x541b a2=0x7fffed10fb80 a3=0x4000 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.313:1341) : avc: denied { getattr } for pid=29574 comm=python2.7 path=socket:[119147] dev="sockfs" ino=119147 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
----
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=1 name=/tmp/BqLXuZ inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(11/08/2013 10:33:31.863:1343) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.863:1343) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x24fa4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.863:1343) : avc: denied { unlink } for pid=29620 comm=python2.7 name=BqLXuZ dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:33:31.865:1344) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:31.865:1344) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.865:1344) : arch=x86_64 syscall=open success=yes exit=5 a0=0x2579490 a1=O_RDONLY a2=0x1b6 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.865:1344) : avc: denied { open } for pid=29620 comm=python2.7 path=/tmp/lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
type=PATH msg=audit(11/08/2013 10:33:31.942:1345) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(11/08/2013 10:33:31.942:1345) : cwd=/
type=SYSCALL msg=audit(11/08/2013 10:33:31.942:1345) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x2539640 a1=0666 a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(11/08/2013 10:33:31.942:1345) : avc: denied { setattr } for pid=29620 comm=python2.7 name=lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
```

Here is the output from audit2allow:

```
#============= lsmd_t ==============
allow lsmd_t net_conf_t:file { read getattr open };
allow lsmd_t proc_t:file { read getattr open };
allow lsmd_t self:udp_socket { create connect getattr };
allow lsmd_t tmp_t:dir { write remove_name add_name };
allow lsmd_t tmp_t:file { create unlink };

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow lsmd_t urandom_device_t:chr_file { read open };
allow lsmd_t user_tmp_t:file { open setattr };
```

Ok, the question now is if we need to have a new domain (lsmd_plugin_t for example). Probably we should ask lsmd folks what these plugins do.

```
commit 4f72504c1cb09d526f75302b5d5ab3cf39dc5588
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 26 17:49:39 2013 +0100

    Add lsmd_plugin_t for lsm plugins
```

```
commit bb9750eb405cd031fa32385664418bb629553b82
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 29 11:40:22 2013 +0100

    Allow lsmd_plugin_t send system log messages
```

```
# ps -efZ | grep init_t
system_u:system_r:init_t:s0                           root     1    0  0 10:19 ?     00:00:02 /usr/lib/systemd/systemd --system --deserialize 24
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root  3875 7641  0 11:45 pts/0 00:00:00 grep --color=auto init_t
```

Even the "watch -n 1 'ps -efZ | grep init_t'" command (which was running at the same time as the test case) did not show other processes running as init_t.

```
commit 82f025f878e67aac45f527cee63fa290897679f5
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 10 09:58:57 2014 +0100

    Allow lsmd plugins stream connect to lsmd/init
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
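The step in this report that turns the raw AVC dump into the audit2allow rule list, and the observation that every denial is incurred by a python2.7 child of lsmd rather than by lsmd itself, can be reproduced with a small parser. The following is an added example written for this page; it is not code from the bug report, from selinux-policy or from audit2allow, and every function name in it (`parse_avc`, `aggregate`, `render_rules`, `by_process`) is this example's own. It assumes records in the `ausearch -i` layout quoted above; the sample input is an excerpt of the AVC lines from the report. Unlike audit2allow it orders permissions alphabetically and does not know which denials an existing boolean (such as `global_ssp` for the urandom read) would already cover.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules.

Added example for bug 1028099; not code from the report, selinux-policy or
audit2allow.  Input is the `ausearch -i` record layout quoted in the report.
"""
import re
from collections import defaultdict

# "avc: denied { perm perm ... } for ..." -> the permission list
_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; a value may be double-quoted, e.g. dev="proc"
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(record):
    """Parse one audit record; return a dict for a type=AVC denial, else None."""
    if not record.startswith("type=AVC"):
        return None
    m = _PERMS_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}
    return {
        "perms": m.group(1).split(),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "pid": fields.get("pid", "?"),
    }


def parse_audit(text):
    """Parse a whole audit dump, keeping only the AVC denial records."""
    recs = (parse_avc(line.strip()) for line in text.splitlines())
    return [r for r in recs if r is not None]


def aggregate(records):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return dict(rules)


def render_rules(rules):
    """Render rules as policy lines; a target equal to the source is written 'self'."""
    rendered = []
    for (s, t, cls), perms in rules.items():
        target = "self" if s == t else t
        line = f"allow {s} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        rendered.append((s, target, cls, line))
    return [line for *_, line in sorted(rendered)]


def by_process(records):
    """Map comm -> sorted pids that hit a denial, i.e. who actually needs the access."""
    pids = defaultdict(set)
    for r in records:
        pids[r["comm"]].add(r["pid"])
    return {comm: sorted(p) for comm, p in pids.items()}


# Excerpt of the AVC records quoted in the report (one non-AVC line included
# to show that SYSCALL/PATH records are ignored).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(11/08/2013 10:22:24.897:861) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/08/2013 10:22:24.897:861) : avc: denied { read } for pid=4565 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:22:24.974:862) : avc: denied { read } for pid=4565 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc: denied { open } for pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc: denied { getattr } for pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { create } for pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { add_name } for pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc: denied { write } for pid=29545 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc: denied { create } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
type=AVC msg=audit(11/08/2013 10:33:31.271:1340) : avc: denied { connect } for pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
type=AVC msg=audit(11/08/2013 10:33:31.942:1345) : avc: denied { setattr } for pid=29620 comm=python2.7 name=lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for rule in render_rules(aggregate(records)):
        print(rule)
    print(by_process(records))
```

The rule list is the same starting point the report reaches with audit2allow; the `by_process` breakdown shows all of it coming from python2.7 processes with distinct pids, which is what makes a dedicated plugin domain (the `lsmd_plugin_t` added in the later commits) the least-privilege answer rather than granting tmp_t, user_tmp_t and socket rights to lsmd_t itself.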