Bug 1122467
| Summary: | SELinux prevents conmand from creating its own PID file | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | mgrepl, mhradile |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-8.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1122106 | Environment: | |
| Last Closed: | 2015-03-05 10:42:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: real scenario -- standalone service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'echo 'CONSOLE name="pokus" dev="/usr/share/conman/exec/ipmitool.exp 127.0.0.1 admin"' >> /etc/conman.conf' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo 'server logfile="/var/log/conman/conmand.log"' >> /etc/conman.conf' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo 'server pidfile="/var/run/conmand.pid"' >> /etc/conman.conf' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0)
:: [ PASS ] :: Command 'service conman start' (Expected 0, got 0)
:: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "conmand"' (Expected 0, got 0)
:: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "conman_t.*conmand"' (Expected 0, got 0)
:: [ PASS ] :: Command 'service conman status' (Expected 0,1,3, got 0)
:: [ PASS ] :: Command 'service conman restart' (Expected 0, got 0)
:: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "conmand"' (Expected 0, got 0)
:: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "conman_t.*conmand"' (Expected 0, got 0)
:: [ PASS ] :: Command 'service conman status' (Expected 0,1,3, got 0)
:: [ PASS ] :: Command 'service conman stop' (Expected 0, got 0)
:: [ PASS ] :: Command 'service conman status' (Expected 0,1,3, got 3)
:: [ LOG ] :: Duration: 12s
:: [ LOG ] :: Assertions: 14 good, 0 bad
:: [ PASS ] :: RESULT: real scenario -- standalone service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Search for AVCs and SELINUX_ERRs since timestamp 'TIMESTAMP' [10/27/2014 09:44:15]
:: [ PASS ] :: Command 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 10/27/2014 09:44:15 2>&1 | grep -v '<no matches>'' (Expected 1, got 1)
:: [ LOG ] :: Duration: 2s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: unknown
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Phases: 5 good, 0 bad
:: [ PASS ] :: RESULT: unknown
:: [ 09:44:41 ] :: JOURNAL XML: /var/tmp/beakerlib-Yc0tVDh/journal.xml
:: [ 09:44:41 ] :: JOURNAL TXT: /var/tmp/beakerlib-Yc0tVDh/journal.txt
```

This is just a labeling issue. Run:

```
# restorecon -r -v /var/run/conmand.pid
```

to fix your issue.

commit e3c6656dfdd45a164c4062ae23672dbc5a02f6fd
Author: Miroslav Grepl <mgrepl>
Date: Wed Nov 5 10:16:45 2014 +0100
Make conman as nsswitch domain to make ipmitool.exp running as conman_t working.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
Description of problem:

Version-Release number of selected component (if applicable):
conman-0.2.7-8.el7.x86_64
selinux-policy-3.12.1-155.el7.noarch
selinux-policy-devel-3.12.1-155.el7.noarch
selinux-policy-doc-3.12.1-155.el7.noarch
selinux-policy-minimum-3.12.1-155.el7.noarch
selinux-policy-mls-3.12.1-155.el7.noarch
selinux-policy-sandbox-3.12.1-155.el7.noarch
selinux-policy-targeted-3.12.1-155.el7.noarch

How reproducible:
* always

Steps to Reproduce:
```
# echo 'server logfile="/var/log/conman/conmand.log"' >> /etc/conman.conf
# echo 'server pidfile="/var/run/conmand.pid"' >> /etc/conman.conf
# service conman restart
```

Actual results (enforcing mode):
```
----
time->Wed Jul 23 12:17:34 2014
type=PATH msg=audit(1406110654.179:507): item=1 name="/var/run/conmand.pid" inode=47244 dev=00:12 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE
type=PATH msg=audit(1406110654.179:507): item=0 name="/var/run/" inode=5981 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1406110654.179:507): cwd="/"
type=SYSCALL msg=audit(1406110654.179:507): arch=c000003e syscall=2 success=yes exit=7 a0=1207b20 a1=241 a2=1b6 a3=3 items=2 ppid=1 pid=6621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmand" exe="/usr/sbin/conmand" subj=system_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406110654.179:507): avc: denied { write open } for pid=6621 comm="conmand" path="/run/conmand.pid" dev="tmpfs" ino=47244 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110654.179:507): avc: denied { create } for pid=6621 comm="conmand" name="conmand.pid" scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110654.179:507): avc: denied { add_name } for pid=6621 comm="conmand" name="conmand.pid" scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1406110654.179:507): avc: denied { write } for pid=6621 comm="conmand" name="/" dev="tmpfs" ino=5981 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Jul 23 12:17:34 2014
type=SYSCALL msg=audit(1406110654.179:508): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7fffb2bf0b00 a2=7fffb2bf0b00 a3=0 items=0 ppid=1 pid=6621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmand" exe="/usr/sbin/conmand" subj=system_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406110654.179:508): avc: denied { getattr } for pid=6621 comm="conmand" path="/run/conmand.pid" dev="tmpfs" ino=47244 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jul 23 12:17:39 2014
type=PATH msg=audit(1406110659.211:512): item=1 name="/var/run/conmand.pid" inode=48408 dev=00:12 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE
type=PATH msg=audit(1406110659.211:512): item=0 name="/var/run/" inode=5981 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1406110659.211:512): cwd="/"
type=SYSCALL msg=audit(1406110659.211:512): arch=c000003e syscall=2 success=yes exit=7 a0=2495b20 a1=241 a2=1b6 a3=3 items=2 ppid=1 pid=7176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmand" exe="/usr/sbin/conmand" subj=system_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406110659.211:512): avc: denied { write open } for pid=7176 comm="conmand" path="/run/conmand.pid" dev="tmpfs" ino=48408 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110659.211:512): avc: denied { create } for pid=7176 comm="conmand" name="conmand.pid" scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jul 23 12:17:39 2014
type=SYSCALL msg=audit(1406110659.211:513): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7fffee1af9d0 a2=7fffee1af9d0 a3=0 items=0 ppid=1 pid=7176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmand" exe="/usr/sbin/conmand" subj=system_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406110659.211:513): avc: denied { getattr } for pid=7176 comm="conmand" path="/run/conmand.pid" dev="tmpfs" ino=48408 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jul 23 12:17:39 2014
type=PATH msg=audit(1406110659.154:510): item=1 name="/var/run/conmand.pid" inode=47244 dev=00:12 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=DELETE
type=PATH msg=audit(1406110659.154:510): item=0 name="/var/run/" inode=5981 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1406110659.154:510): cwd="/"
type=SYSCALL msg=audit(1406110659.154:510): arch=c000003e syscall=87 success=yes exit=0 a0=1207b20 a1=0 a2=61bb00 a3=34 items=2 ppid=1 pid=6621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmand" exe="/usr/sbin/conmand" subj=system_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406110659.154:510): avc: denied { unlink } for pid=6621 comm="conmand" name="conmand.pid" dev="tmpfs" ino=47244 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110659.154:510): avc: denied { remove_name } for pid=6621 comm="conmand" name="conmand.pid" dev="tmpfs" ino=47244 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Jul 23 12:17:43 2014
type=PATH msg=audit(1406110663.724:515): item=1 name="/var/run/conmand.pid" inode=48408 dev=00:12 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=DELETE
type=PATH msg=audit(1406110663.724:515): item=0 name="/var/run/" inode=5981 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(1406110663.724:515): cwd="/"
type=SYSCALL msg=audit(1406110663.724:515): arch=c000003e syscall=87 success=yes exit=0 a0=2495b20 a1=0 a2=61bb00 a3=34 items=2 ppid=1 pid=7176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmand" exe="/usr/sbin/conmand" subj=system_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406110663.724:515): avc: denied { unlink } for pid=7176 comm="conmand" name="conmand.pid" dev="tmpfs" ino=48408 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110663.724:515): avc: denied { remove_name } for pid=7176 comm="conmand" name="conmand.pid" dev="tmpfs" ino=48408 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1406110663.724:515): avc: denied { write } for pid=7176 comm="conmand" name="/" dev="tmpfs" ino=5981 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
```

Expected results:
* no AVCs
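Triage of the AVC records in this report, as an added example that is not part of the bug report or of the selinux-policy project: it groups the denied permissions by source type, target type and object class, and flags groups whose target is a generic directory type such as var_run_t, which (as the closing comment notes) usually means a labeling problem to fix with restorecon rather than a missing allow rule. The GENERIC_TYPES set is a heuristic chosen for this example; the sample records are copied from the audit output above.

```python
import re
from collections import defaultdict

# Sample AVC records, copied from the audit output in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1406110654.179:507): avc: denied { write open } for pid=6621 comm="conmand" path="/run/conmand.pid" dev="tmpfs" ino=47244 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110654.179:507): avc: denied { create } for pid=6621 comm="conmand" name="conmand.pid" scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406110654.179:507): avc: denied { add_name } for pid=6621 comm="conmand" name="conmand.pid" scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1406110659.154:510): avc: denied { unlink } for pid=6621 comm="conmand" name="conmand.pid" dev="tmpfs" ino=47244 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)')

# Generic "container" types. A denial whose target carries one of these
# usually means the object inherited its parent directory's label instead
# of the type the policy expects, i.e. a labeling problem, not a missing
# allow rule. This set is a heuristic chosen for this example.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t"}

def selinux_type(context):
    """'system_u:object_r:var_run_t:s0' -> 'var_run_t'"""
    return context.split(":")[2]

def summarize_avcs(audit_text):
    """Map (source type, target type, tclass) -> sorted denied permissions."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types are skipped
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in groups.items()}

def triage(audit_text):
    """Return (key, perms, likely_mislabel) for each denial group."""
    return [(key, perms, key[1] in GENERIC_TYPES)
            for key, perms in sorted(summarize_avcs(audit_text).items())]

if __name__ == "__main__":
    for (src, tgt, cls), perms, mislabel in triage(SAMPLE_AUDIT):
        hint = "check labels first (restorecon)" if mislabel else "policy may need a rule"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}  # {hint}")
```

Feed it the output of `ausearch -m AVC` instead of SAMPLE_AUDIT to apply the same grouping to a live system.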