Bug 1041308

Summary: openlmi: setting up power state causes selinux denial, cannot change power state of machine
Product: Red Hat Enterprise Linux 7 Reporter: Petr Sklenar <psklenar>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: mmalik, rnovacek
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-116.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:07:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 922084    

Description Petr Sklenar 2013-12-12 14:32:40 UTC 
Description of problem:
openlmi: setting up power state causes selinux denial, cannot change power state of machine

Version-Release number of selected component (if applicable):
rpm -q selinux-policy openlmi
selinux-policy-3.12.1-108.el7.noarch
openlmi-0.4.1-12.el7.noarch
openlmi-powermanagement-0.4.1-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. http://www.openlmi.org/sites/default/files/doc/admin/openlmi-providers/0.4.1/power/usage.html#setting-the-power-state


Actual results:
time->Thu Dec 12 09:20:52 2013
type=SYSCALL msg=audit(1386858052.985:1951): arch=c000003e syscall=4 success=no exit=-13 a0=98aa50 a1=7fff87f3b090 a2=7fff87f3b090 a3=11 items=0 ppid=1 pid=13350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pegasus_openlmi_system_t:s0 key=(null)
type=AVC msg=audit(1386858052.985:1951): avc:  denied  { getattr } for  pid=13350 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134544178 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file



Expected results:
no denial, I can change power state of machine

Additional info:
find / -mount -inum 134544178
/usr/bin/systemctl
Comment 2 Miroslav Grepl 2014-01-06 12:09:49 UTC 
commit d4b2e51a675d3991118763c64683ab01a67d18ae
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 6 13:09:34 2014 +0100

    Allow cmpiLMI_PowerManagement-cimprovagt to  change power state of machine
Comment 3 Petr Sklenar 2014-01-07 10:17:05 UTC 
hi,
there are all denials when running in the permissive:
1, have a connection to tog-pegasus

type=USER_AVC msg=audit(1389089612.481:924): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.0 spid=1113 tpid=878 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1389089612.482:925): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.71 spid=878 tpid=1113 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:pegasus_openlmi_system_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


2, perform reboot:
type=AVC msg=audit(1389089704.837:1003): avc:  denied  { create } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1004): avc:  denied  { setopt } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1005): avc:  denied  { bind } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1006): avc:  denied  { getattr } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1007): avc:  denied  { read } for  pid=1231 comm="plymouthd" name="queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1389089704.837:1007): avc:  denied  { open } for  pid=1231 comm="plymouthd" path="/run/udev/queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1389089704.837:1008): avc:  denied  { getattr } for  pid=1231 comm="plymouthd" path="/run/udev/queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
Comment 4 Milos Malik 2014-01-07 10:21:48 UTC 
AVCs mentioned in the second section of comment#3 are already part of bz#1045382.
Comment 7 Ludek Smid 2014-06-13 12:07:27 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.