Bug 1150948
| Summary: | tortilla wrapper produces AVCs when selinux-policy >= 3.13.1 | | |
|---|---|---|---|
| Product: | [Retired] Beaker | Reporter: | Milos Malik <mmalik> |
| Component: | beah | Assignee: | beaker-dev-list |
| Status: | CLOSED DUPLICATE | QA Contact: | tools-bugs <tools-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | develop | CC: | aigao, asaha, dcallagh, rmancy |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-10 06:33:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

*** This bug has been marked as a duplicate of bug 1149988 ***
Description of problem:

Version-Release number of selected component (if applicable):
beah-0.7.6-1.el7eng.noarch
selinux-policy-3.13.1-3.el7.noarch
selinux-policy-targeted-3.13.1-3.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine
2. install the latest selinux-policy
3. reboot the machine
4. check the context of running beah processes
5. search for AVCs

Actual results:

```
type=SYSCALL msg=audit(10/09/2014 04:01:38.544:46) : arch=s390x syscall=execve success=no exit=-13(Permission denied) a0=0x3ffff9e2b27 a1=0x3ffff9e2ed8 a2=0x3ffff9e2ee8 a3=0x0 items=0 ppid=2246 pid=2285 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=runcon exe=/usr/bin/runcon subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(10/09/2014 04:01:38.544:46) : avc: denied { transition } for pid=2285 comm=runcon path=/usr/bin/true dev="dm-0" ino=33842238 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
```

Expected results:
The following lines in /var/lib/beah/tortilla/wrappers.d/unconfined should be modified:

```sh
# $runcon_cmd is set earlier in the wrapper (not shown in this report)
if runcon | grep -q ":unconfined_r:unconfined_t:"; then
    # Already in the desired context
    exec "$@"
elif $runcon_cmd -- true; then
    # Run command with SELinux context of the root
    exec $runcon_cmd -- "$@"
else
    echo "-- WARNING: '$runcon_cmd -- true' failed. Running in default context!"
    exec "$@"
fi
```
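To make this class of denial easy to spot in audit output, here is an added example (not part of the bug report, beah or tortilla) that parses ausearch-style AVC records and flags denied process-domain transitions such as the unconfined_service_t to unconfined_t one above; the sample input is constructed from the two audit lines in the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two audit records from the report above.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(10/09/2014 04:01:38.544:46) : arch=s390x syscall=execve success=no exit=-13(Permission denied) a0=0x3ffff9e2b27 a1=0x3ffff9e2ed8 a2=0x3ffff9e2ee8 a3=0x0 items=0 ppid=2246 pid=2285 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=runcon exe=/usr/bin/runcon subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(10/09/2014 04:01:38.544:46) : avc: denied { transition } for pid=2285 comm=runcon path=/usr/bin/true dev="dm-0" ino=33842238 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# Shape of an AVC record: avc: denied { perm ... } for key=value key="quoted" ...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcRecord:
    result: str   # "denied" or "granted"
    perms: list   # permissions listed inside the braces
    fields: dict  # key=value pairs that follow "for"

    def type_of(self, ctx_key: str) -> str:
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[ctx_key].split(":")[2]

def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)

def denied_transitions(text: str) -> list:
    """Return AVC records that deny a process-domain transition."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.result == "denied" and "transition" in rec.perms
                and rec.fields.get("tclass") == "process"):
            hits.append(rec)
    return hits

def describe(rec: AvcRecord) -> str:
    """One-line summary: which domain was refused entry into which, via what binary."""
    return (f"{rec.fields.get('comm')} (pid {rec.fields.get('pid')}) in "
            f"{rec.type_of('scontext')} was denied transition to "
            f"{rec.type_of('tcontext')} via {rec.fields.get('path')}")

for hit in denied_transitions(SAMPLE_RECORDS):
    print(describe(hit))
```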