Bug 1122106
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | conman initscripts AVC denials on rhel 6 | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Miroslav Hradílek <mhradile> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.6 | CC | dwalsh, lvrabec, mgrepl, mhradile, mmalik, tgummels |
| Target Milestone | rc | | |
| Target Release | 6.6 | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.7.19-247.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| : | 1122467 (view as bug list) | Environment | |
| Last Closed | 2014-10-14 08:03:39 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1005265 | | |
| Attachments | | | |
Created attachment 919941 [details]
ausearch output

Description of problem:
There are avc denials when running conmand binary (from package conman) using initscripts like "service conman start".

```
$ cat avcs_recent.txt | audit2allow

#============= conman_t ==============

#!!!! The source type 'conman_t' can write to a 'dir' of the following types:
# mnt_t, var_log_t, conman_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow conman_t var_run_t:dir { write remove_name add_name };

#!!!! The source type 'conman_t' can write to a 'file' of the following types:
# mnt_t, conman_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow conman_t var_run_t:file { write create unlink open getattr };

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
```

Additional info:
The pidfile and lockfile are being handled by conmand directly, not by init scripts. I think it should be allowed to write those.

```
ERROR: Unable to open pidfile "/var/run/conmand.pid": Permission denied
```

Here are results from enforcing mode:

```
----
time->Tue Jul 22 16:59:49 2014
type=PATH msg=audit(1406041189.176:1456): item=1 name="/var/run/conmand.pid" nametype=CREATE
type=PATH msg=audit(1406041189.176:1456): item=0 name="/var/run/" inode=1042 dev=fc:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT
type=CWD msg=audit(1406041189.176:1456): cwd="/"
type=SYSCALL msg=audit(1406041189.176:1456): arch=c000003e syscall=2 success=no exit=-13 a0=257ab40 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=13350 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="conmand" exe="/usr/sbin/conmand" subj=unconfined_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406041189.176:1456): avc: denied { write } for pid=13350 comm="conmand" name="run" dev=vda3 ino=1042 scontext=unconfined_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
```

The label for conmand PID file is not defined:

```
# matchpathcon /var/run/conmand.pid
/var/run/conmand.pid <<none>>
# seinfo -t | grep conman
conman_exec_t
conman_server_packet_t
conman_log_t
conman_port_t
conman_initrc_exec_t
conman_t
conman_client_packet_t
# sesearch -s conman_t -t var_run_t -T
#
```

patch sent.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
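The triage in this bug (an AVC denial from `conman_t` against the generic `var_run_t` type, and `matchpathcon` showing no file context for `/var/run/conmand.pid`) is a common SELinux pattern. The following Python is an added example, not code from this bug or from the `audit2allow` tool: it parses `type=AVC` audit records like the one quoted above, collapses them into `audit2allow`-style allow rules, and then flags denials whose target is a shared generic type (`var_run_t`, `var_log_t`, ...). The flag reflects general SELinux policy practice: when a daemon's private file inherits the parent directory's generic type because no file context matches it, the better fix is a dedicated type plus a type transition, not a blanket allow rule on the generic type. The second audit line and the `GENERIC_TYPES` set are constructed for the example; the actual change shipped in selinux-policy-3.7.19-247.el6 is not shown on this page.

```python
import re

# Constructed sample input: the AVC record quoted in this bug report, plus a
# made-up second record for a target that already has a dedicated conman type.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1406041189.176:1456): avc:  denied  { write } for  pid=13350 comm="conmand" name="run" dev=vda3 ino=1042 scontext=unconfined_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1406041200.000:1457): avc:  denied  { write create } for  pid=13351 comm="conmand" name="conman.log" dev=vda3 ino=2048 scontext=unconfined_u:system_r:conman_t:s0 tcontext=system_u:object_r:conman_log_t:s0 tclass=file
"""

# Matches the permission set and the trailing key=value fields of an AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Generic types shared by many unrelated domains (assumption: a representative
# list, not an exhaustive one). A denial against one of these usually means the
# object has no file context of its own and inherited the directory's label.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t"}


def parse_avc_records(text):
    """Return one dict per AVC denial with perms, source/target types, class, comm and name."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v, _ in KV_RE.findall(m.group("rest"))}
        records.append({
            "perms": m.group("perms").split(),
            # security context is user:role:type:level; the type is index 2
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
            "name": fields.get("name", ""),
        })
    return records


def audit2allow_rules(records):
    """Merge denials per (source, target, class) into allow rules, like audit2allow's output."""
    merged = {}
    for r in records:
        key = (r["source_type"], r["target_type"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


def triage(records):
    """Classify each denial.

    'dedicated-type': the target is a generic type, so the object (here the pid
    file created under /var/run) should get its own type and a file transition
    rather than a write grant on the generic type shared with every other daemon.
    'policy': the target already has a dedicated type; the missing permission
    can be granted to that type alone.
    """
    out = []
    for r in records:
        verdict = "dedicated-type" if r["target_type"] in GENERIC_TYPES else "policy"
        out.append((r["comm"], r["target_type"], r["tclass"], verdict))
    return out


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    for rule in audit2allow_rules(recs):
        print(rule)
    for comm, ttype, tclass, verdict in triage(recs):
        print(f"{comm}: {ttype}:{tclass} -> {verdict}")
```

Running the block prints the merged rule for the `var_run_t:dir` denial alongside a `dedicated-type` verdict, which is the same conclusion the `matchpathcon` output above supports: the pid file needs a label before any permission is granted.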