Bug 1028099

Summary: SELinux prevents lsmd from executing various lsmplugins
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Milos Malik <mmalik>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: mmalik
Fixed In Version: selinux-policy-3.12.1-118.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 09:32:45 UTC

Description Milos Malik 2013-11-07 16:29:39 UTC
Description of problem:


Version-Release number of selected component (if applicable):
libstoragemgmt-0.0.22-4.el7.x86_64
libstoragemgmt-devel-0.0.22-4.el7.x86_64
libstoragemgmt-netapp-plugin-0.0.22-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.22-4.el7.noarch
libstoragemgmt-python-0.0.22-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.22-4.el7.noarch
libstoragemgmt-targetd-plugin-0.0.22-4.el7.noarch
selinux-policy-3.12.1-98.el7.noarch
selinux-policy-devel-3.12.1-98.el7.noarch
selinux-policy-doc-3.12.1-98.el7.noarch
selinux-policy-minimum-3.12.1-98.el7.noarch
selinux-policy-mls-3.12.1-98.el7.noarch
selinux-policy-targeted-3.12.1-98.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service libstoragemgmt start
# for I in VOLUMES INITIATORS POOLS FS SNAPSHOTS EXPORTS NFS_CLIENT_AUTH ACCESS_GROUPS SYSTEMS ; do lsmcli -l $I -u 'sim://' ; done
# search for AVCs

Actual results:
----
type=PATH msg=audit(11/07/2013 17:16:27.410:7783) : item=0 name=/usr/bin/sim_lsmplugin inode=6433551 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/07/2013 17:16:27.410:7783) :  cwd=/ 
type=SYSCALL msg=audit(11/07/2013 17:16:27.410:7783) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7f0c2738c050 a1=0x7fff756f1960 a2=0x7fff756f1bc0 a3=0x0 items=1 ppid=32719 pid=32746 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/07/2013 17:16:27.410:7783) : avc:  denied  { execute } for  pid=32746 comm=lsmd name=sim_lsmplugin dev="sda4" ino=6433551 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file 
----

Expected results:
 * no AVCs

Comment 1 Milos Malik 2013-11-07 19:38:08 UTC
If you replace 'sim://' with 'simc://' then you will get similar AVCs. sim_lsmplugin is a script, but simc_lsmplugin is a binary. After execution of "chcon -t lsmd_exec_t /usr/bin/simc_lsmplugin" the AVCs stopped appearing. But the reproducer from comment#0 still triggers AVCs.

Comment 2 Milos Malik 2013-11-07 19:50:08 UTC
Each of these plugins can be triggered via the reproducer:

# ls -l /usr/bin/*_lsmplugin
-rwxr-xr-x. 1 root root  1340 Oct 14 17:00 /usr/bin/nstor_lsmplugin
-rwxr-xr-x. 1 root root  1298 Oct 14 17:00 /usr/bin/ontap_lsmplugin
-rwxr-xr-x. 1 root root 48312 Oct 14 16:58 /usr/bin/simc_lsmplugin
-rwxr-xr-x. 1 root root  1324 Oct 14 17:00 /usr/bin/sim_lsmplugin
-rwxr-xr-x. 1 root root  1297 Oct 14 17:00 /usr/bin/smispy_lsmplugin
-rwxr-xr-x. 1 root root 23904 Oct 14 17:00 /usr/bin/targetd_lsmplugin
# file /usr/bin/*_lsmplugin
/usr/bin/nstor_lsmplugin:   Python script, ASCII text executable
/usr/bin/ontap_lsmplugin:   Python script, ASCII text executable
/usr/bin/simc_lsmplugin:    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xe19f870782280067178acabafa6fd1c34373d922, stripped
/usr/bin/sim_lsmplugin:     Python script, ASCII text executable
/usr/bin/smispy_lsmplugin:  Python script, ASCII text executable
/usr/bin/targetd_lsmplugin: Python script, ASCII text executable
#

Comment 3 Miroslav Grepl 2013-11-08 08:02:16 UTC
Milos,
could you try to add

corecmd_exec_bin(lsmd)

to the local policy, and re-run and collect AVC msgs?


commit c07234231b3ef9de9129c257d1ef1245bf1b9a4b
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 8 09:01:45 2013 +0100

    Allow lsmd to execute various lsmplugins

Comment 4 Milos Malik 2013-11-08 09:26:43 UTC
After compiling and loading the following module, a bunch of AVCs showed up in enforcing mode:

policy_module(mypolicy,1.0)

require {
  type lsmd_t;
}

corecmd_exec_bin(lsmd_t)

----
type=PATH msg=audit(11/08/2013 10:22:24.897:861) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:22:24.897:861) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:22:24.897:861) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:22:24.897:861) : avc:  denied  { read } for  pid=4565 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:22:24.974:862) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:22:24.974:862) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:22:24.974:862) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:22:24.974:862) : avc:  denied  { read } for  pid=4565 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=1 name=/tmp/1MsK71 objtype=CREATE 
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:22:24.980:864) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:22:24.980:864) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x25fec40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:22:24.980:864) : avc:  denied  { write } for  pid=4565 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
----

Comment 5 Milos Malik 2013-11-08 09:37:35 UTC
The following AVCs were caught in permissive mode:
----
type=PATH msg=audit(11/08/2013 10:33:30.753:1330) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:30.753:1330) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.753:1330) : arch=x86_64 syscall=open success=yes exit=6 a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { open } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { read } for  pid=29545 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/08/2013 10:33:30.755:1331) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7fff1932c4a0 a2=0x7fff1932c4a0 a3=0x0 items=0 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc:  denied  { getattr } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:33:30.835:1332) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:30.835:1332) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.835:1332) : arch=x86_64 syscall=open success=yes exit=7 a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc:  denied  { open } for  pid=29545 comm=python2.7 path=/dev/urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc:  denied  { read } for  pid=29545 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=CREATE 
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:33:30.841:1333) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1333) : arch=x86_64 syscall=open success=yes exit=6 a0=0x1ea7c40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { create } for  pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { add_name } for  pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { write } for  pid=29545 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE 
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:33:30.841:1334) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1334) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1e2d4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc:  denied  { unlink } for  pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc:  denied  { remove_name } for  pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
----
type=PATH msg=audit(11/08/2013 10:33:31.270:1337) : item=0 name=/etc/resolv.conf inode=9210153 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:31.270:1337) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1337) : arch=x86_64 syscall=open success=yes exit=5 a0=0x38ca37d3e8 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x38ca288210 items=1 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc:  denied  { open } for  pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc:  denied  { read } for  pid=29574 comm=python2.7 name=resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1338) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7fffed10f7b0 a2=0x7fffed10f7b0 a3=0x0 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.270:1338) : avc:  denied  { getattr } for  pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1339) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc:  denied  { create } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket 
----
type=SOCKADDR msg=audit(11/08/2013 10:33:31.271:1340) : saddr=inet host:192.168.122.1 serv:53 
type=SYSCALL msg=audit(11/08/2013 10:33:31.271:1340) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0xaf1350 a2=0x10 a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.271:1340) : avc:  denied  { connect } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket 
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.313:1341) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x541b a2=0x7fffed10fb80 a3=0x4000 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.313:1341) : avc:  denied  { getattr } for  pid=29574 comm=python2.7 path=socket:[119147] dev="sockfs" ino=119147 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket 
----
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=1 name=/tmp/BqLXuZ inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE 
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:33:31.863:1343) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.863:1343) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x24fa4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.863:1343) : avc:  denied  { unlink } for  pid=29620 comm=python2.7 name=BqLXuZ dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:33:31.865:1344) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:31.865:1344) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.865:1344) : arch=x86_64 syscall=open success=yes exit=5 a0=0x2579490 a1=O_RDONLY a2=0x1b6 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.865:1344) : avc:  denied  { open } for  pid=29620 comm=python2.7 path=/tmp/lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:33:31.942:1345) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:31.942:1345) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.942:1345) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x2539640 a1=0666 a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.942:1345) : avc:  denied  { setattr } for  pid=29620 comm=python2.7 name=lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 
----

Comment 6 Milos Malik 2013-11-08 09:38:37 UTC
Here is the output from audit2allow:

#============= lsmd_t ==============
allow lsmd_t net_conf_t:file { read getattr open };
allow lsmd_t proc_t:file { read getattr open };
allow lsmd_t self:udp_socket { create connect getattr };
allow lsmd_t tmp_t:dir { write remove_name add_name };
allow lsmd_t tmp_t:file { create unlink };

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow lsmd_t urandom_device_t:chr_file { read open };
allow lsmd_t user_tmp_t:file { open setattr };
#
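
The rules in Comment 6 are the mechanical merge of the permissive-mode AVCs in Comment 5: one allow statement per (source type, target type, object class), with the permissions unioned. The script below is an added example for this report, not code from the bug, from libstoragemgmt or from selinux-policy. It parses AVC and SYSCALL records in the `ausearch -i` format quoted above (the sample records are trimmed copies of lines from Comment 0 and Comment 5), reproduces that merge, uses the `success=` field of the paired SYSCALL record to tell an enforcing-mode capture (only the first denial is visible, as in Comment 4) from a permissive one (the full set, as in Comment 5), and singles out the execute-on-`bin_t` denial from Comment 0, which is the kind of AVC that calls for an entrypoint label and a domain transition rather than an allow rule. The function and variable names are the example's own.

```python
# Added example for this bug's triage, not code from the bug report or from
# libstoragemgmt/selinux-policy. Parses `ausearch -i` style AVC records,
# merges permissions the way audit2allow does, tells enforcing from permissive
# captures, and flags execute denials that need a domain transition instead.
import re
from collections import defaultdict

# Sample records, constructed from the AVCs quoted in this report and trimmed
# to the fields the parser needs. Serial 7783 is the enforcing-mode execve
# denial from Comment 0; 1330/1331/1339 come from the permissive run in Comment 5.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(11/07/2013 17:16:27.410:7783) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/07/2013 17:16:27.410:7783) : avc:  denied  { execute } for  pid=32746 comm=lsmd name=sim_lsmplugin dev="sda4" ino=6433551 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(11/08/2013 10:33:30.753:1330) : arch=x86_64 syscall=open success=yes exit=6 comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { open } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { read } for  pid=29545 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(11/08/2013 10:33:30.755:1331) : arch=x86_64 syscall=fstat success=yes exit=0 comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc:  denied  { getattr } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1339) : arch=x86_64 syscall=socket success=yes exit=5 comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc:  denied  { create } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\(.*?:(?P<serial>\d+)\).*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\(.*?:(?P<serial>\d+)\).*?success=(?P<success>yes|no)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (serial, source_type, target_type, tclass, perms) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["serial"], type_of(m["scon"]), type_of(m["tcon"]),
                   m["tclass"], frozenset(m["perms"].split()))


def syscall_outcomes(text):
    """Map audit serial -> True if the denied syscall still succeeded.

    success=yes next to an AVC denial means permissive mode; success=no
    (exit=-13) means the denial was enforced and later denials never happened.
    """
    out = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            out[m["serial"]] = m["success"] == "yes"
    return out


def aggregate(text):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for _serial, src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def allow_rules(text):
    """Render merged denials as allow statements, 'self' for same-type targets.

    Permissions are sorted here; audit2allow keeps the order it saw them in.
    """
    lines = []
    for (src, tgt, cls), perms in sorted(aggregate(text).items()):
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


def exec_denials(text):
    """Return (source, target) pairs that were denied 'execute' on a file.

    An execute denial against a generic label such as bin_t means the helper
    has no entrypoint type of its own (what the chcon in Comment 1 worked
    around); the durable fix is a dedicated exec type plus a domain transition.
    """
    return sorted({(src, tgt) for _s, src, tgt, cls, perms in parse_avcs(text)
                   if cls == "file" and "execute" in perms})


if __name__ == "__main__":
    for serial, ok in sorted(syscall_outcomes(SAMPLE_AUDIT).items()):
        print(f"serial {serial}: {'permissive' if ok else 'enforcing'}")
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
    print("needs domain transition:", exec_denials(SAMPLE_AUDIT))
```

Run it on the real capture with `ausearch -i -m AVC,SYSCALL -ts recent > avc.txt` and pass the file contents instead of `SAMPLE_AUDIT`. The merged output is what audit2allow would print; the point of `exec_denials` is that the first row it returns here, `lsmd_t` executing `bin_t`, is exactly the AVC that should not become an allow rule, which is the direction the policy fix takes with a separate `lsmd_plugin_t` domain.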

Comment 7 Miroslav Grepl 2013-11-08 20:41:53 UTC
Ok, the question now is if we need to have a new domain (lsmd_plugin_t for example). Probably we should ask lsmd folks what these plugins do.

Comment 8 Miroslav Grepl 2013-11-26 16:50:08 UTC
commit 4f72504c1cb09d526f75302b5d5ab3cf39dc5588
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 26 17:49:39 2013 +0100

    Add lsmd_plugin_t for lsm plugins

Comment 10 Miroslav Grepl 2013-11-29 10:40:46 UTC
commit bb9750eb405cd031fa32385664418bb629553b82
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 29 11:40:22 2013 +0100

    Allow lsmd_plugin_t send system log messages

Comment 15 Milos Malik 2014-01-09 11:04:16 UTC
# ps -efZ | grep init_t
system_u:system_r:init_t:s0     root         1     0  0 10:19 ?        00:00:02 /usr/lib/systemd/systemd --system --deserialize 24
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3875 7641  0 11:45 pts/0 00:00:00 grep --color=auto init_t
#

Even "watch -n 1 'ps -efZ | grep init_t'" command (which was running at the same time as the test case) did not show other processes running as init_t.

Comment 16 Miroslav Grepl 2014-01-10 08:59:22 UTC
commit 82f025f878e67aac45f527cee63fa290897679f5
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 10 09:58:57 2014 +0100

    Allow lsmd plugins stream connect to lsmd/init

Comment 23 Ludek Smid 2014-06-13 09:32:45 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.