Bug 1122106
| Summary: | conman initscripts AVC denials on rhel 6 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Miroslav Hradílek <mhradile> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 6.6 | CC: | dwalsh, lvrabec, mgrepl, mhradile, mmalik, tgummels | ||||
| Target Milestone: | rc | ||||||
| Target Release: | 6.6 | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.7.19-247.el6 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1122467 (view as bug list) | Environment: | |||||
| Last Closed: | 2014-10-14 08:03:39 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1005265 | ||||||
| Attachments: |
|
||||||
ERROR: Unable to open pidfile "/var/run/conmand.pid": Permission denied
Here are results from enforcing mode:
----
time->Tue Jul 22 16:59:49 2014
type=PATH msg=audit(1406041189.176:1456): item=1 name="/var/run/conmand.pid" nametype=CREATE
type=PATH msg=audit(1406041189.176:1456): item=0 name="/var/run/" inode=1042 dev=fc:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT
type=CWD msg=audit(1406041189.176:1456): cwd="/"
type=SYSCALL msg=audit(1406041189.176:1456): arch=c000003e syscall=2 success=no exit=-13 a0=257ab40 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=13350 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="conmand" exe="/usr/sbin/conmand" subj=unconfined_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406041189.176:1456): avc: denied { write } for pid=13350 comm="conmand" name="run" dev=vda3 ino=1042 scontext=unconfined_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
The label for conmand PID file is not defined:
# matchpathcon /var/run/conmand.pid
/var/run/conmand.pid <<none>>
# seinfo -t | grep conman
conman_exec_t
conman_server_packet_t
conman_log_t
conman_port_t
conman_initrc_exec_t
conman_t
conman_client_packet_t
# sesearch -s conman_t -t var_run_t -T
#
patch sent. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |
Created attachment 919941 [details] ausearch output Description of problem: There are avc denials when running conmand binary (from package conman) using initscripts like "service conman start" $ cat avcs_recent.txt | audit2allow #============= conman_t ============== #!!!! The source type 'conman_t' can write to a 'dir' of the following types: # mnt_t, var_log_t, conman_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t allow conman_t var_run_t:dir { write remove_name add_name }; #!!!! The source type 'conman_t' can write to a 'file' of the following types: # mnt_t, conman_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t allow conman_t var_run_t:file { write create unlink open getattr }; #============= prelink_t ============== allow prelink_t initrc_t:fifo_file setattr; Additional info: The pidfile and lockfile are being handled by conmand directly not by ini scripts. I think it should be allowed to write those.