Bug 1192338

Summary: selinux-policy prevents openafs-1.6 fileserver from starting
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 7.1
CC: jaltman, jan.iven, ksrot, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-50.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1136396
Environment:
Last Closed: 2015-11-19 10:26:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Milos Malik 2015-02-13 08:26:55 UTC
+++ This bug was initially created as a clone of Bug #1136396 +++

Description of problem:

Version-Release number of selected component (if applicable):
openafs-1.6.10-2.el7.x86_64
openafs-server-1.6.10-2.el7.x86_64
selinux-policy-3.13.1-23.el7.noarch
selinux-policy-devel-3.13.1-23.el7.noarch
selinux-policy-doc-3.13.1-23.el7.noarch
selinux-policy-minimum-3.13.1-23.el7.noarch
selinux-policy-mls-3.13.1-23.el7.noarch
selinux-policy-sandbox-3.13.1-23.el7.noarch
selinux-policy-targeted-3.13.1-23.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.1 machine
2. wget -c http://www.openafs.org/dl/openafs/1.6.10/openafs-1.6.10-2.src.rpm
3. rpmbuild --rebuild openafs-1.6.10-2.src.rpm
4. install openafs, openafs-server packages
5. service openafs-server start
6. search for AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(02/13/2015 09:14:45.078:228) : item=1 name=/usr/afs/local objtype=CREATE 
type=PATH msg=audit(02/13/2015 09:14:45.078:228) : item=0 name=/usr/afs/ inode=42380544 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=PARENT 
type=CWD msg=audit(02/13/2015 09:14:45.078:228) :  cwd=/ 
type=SYSCALL msg=audit(02/13/2015 09:14:45.078:228) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x6643a0 a1=0700 a2=0x1ff a3=0x7fff4c5d4bc0 items=2 ppid=1 pid=25547 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:14:45.078:228) : avc:  denied  { write } for  pid=25547 comm=bosserver name=afs dev="vda3" ino=42380544 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir 
----
type=PATH msg=audit(02/13/2015 09:14:45.078:229) : item=1 name=/usr/afs/db objtype=CREATE 
type=PATH msg=audit(02/13/2015 09:14:45.078:229) : item=0 name=/usr/afs/ inode=42380544 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=PARENT 
type=CWD msg=audit(02/13/2015 09:14:45.078:229) :  cwd=/ 
type=SYSCALL msg=audit(02/13/2015 09:14:45.078:229) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x6641a0 a1=0700 a2=0x1ff a3=0x7fff4c5d4bc0 items=2 ppid=1 pid=25547 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:14:45.078:229) : avc:  denied  { write } for  pid=25547 comm=bosserver name=afs dev="vda3" ino=42380544 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir 
----
type=PATH msg=audit(02/13/2015 09:14:45.079:230) : item=1 name=/usr/vice objtype=CREATE 
type=PATH msg=audit(02/13/2015 09:14:45.079:230) : item=0 name=/usr/ inode=155 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=PARENT 
type=CWD msg=audit(02/13/2015 09:14:45.079:230) :  cwd=/ 
type=SYSCALL msg=audit(02/13/2015 09:14:45.079:230) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x6645a0 a1=0777 a2=0x1ff a3=0x7fff4c5d4bc0 items=2 ppid=1 pid=25547 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:14:45.079:230) : avc:  denied  { write } for  pid=25547 comm=bosserver name=usr dev="vda3" ino=155 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir 
----
type=PATH msg=audit(02/13/2015 09:14:45.097:232) : item=0 name=/etc/krb5.conf inode=16898885 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:krb5_conf_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/13/2015 09:14:45.097:232) :  cwd=/usr/afs/logs 
type=SYSCALL msg=audit(02/13/2015 09:14:45.097:232) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x17fdb68 a1=0x7fff4c5d2ad0 a2=0x7fff4c5d2ad0 a3=0x7fff4c5d2850 items=1 ppid=1 pid=25547 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:14:45.097:232) : avc:  denied  { getattr } for  pid=25547 comm=bosserver path=/etc/krb5.conf dev="vda3" ino=16898885 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
----

Expected results:
 * no AVCs

Comment 1 Milos Malik 2015-02-13 08:29:20 UTC
Actual results (permissive mode):
----
type=PATH msg=audit(02/13/2015 09:27:31.026:286) : item=1 name=/usr/afs/local inode=20836814 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=CREATE 
type=PATH msg=audit(02/13/2015 09:27:31.026:286) : item=0 name=/usr/afs/ inode=42380544 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=PARENT 
type=CWD msg=audit(02/13/2015 09:27:31.026:286) :  cwd=/ 
type=SYSCALL msg=audit(02/13/2015 09:27:31.026:286) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x6643a0 a1=0700 a2=0x1ff a3=0x7fff37585cc0 items=2 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.026:286) : avc:  denied  { create } for  pid=26389 comm=bosserver name=local scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir 
type=AVC msg=audit(02/13/2015 09:27:31.026:286) : avc:  denied  { add_name } for  pid=26389 comm=bosserver name=local scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir 
type=AVC msg=audit(02/13/2015 09:27:31.026:286) : avc:  denied  { write } for  pid=26389 comm=bosserver name=afs dev="vda3" ino=42380544 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir 
----
type=PATH msg=audit(02/13/2015 09:27:31.029:287) : item=2 name=/usr/vice/etc/ThisCell inode=2620843 dev=fd:03 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=CREATE 
type=PATH msg=audit(02/13/2015 09:27:31.029:287) : item=1 name=/usr/vice/etc/ inode=2620842 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=PARENT 
type=PATH msg=audit(02/13/2015 09:27:31.029:287) : item=0 name=/usr/afs/etc/ThisCell objtype=UNKNOWN 
type=CWD msg=audit(02/13/2015 09:27:31.029:287) :  cwd=/ 
type=SYSCALL msg=audit(02/13/2015 09:27:31.029:287) : arch=x86_64 syscall=symlink success=yes exit=0 a0=0x6648a0 a1=0x666ba0 a2=0x663ca0 a3=0x7fff37585d60 items=3 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.029:287) : avc:  denied  { create } for  pid=26389 comm=bosserver name=ThisCell scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file 
----
type=PATH msg=audit(02/13/2015 09:27:31.032:288) : item=1 name=/usr/afs/local/bosserver.rxbind inode=20836820 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=CREATE 
type=PATH msg=audit(02/13/2015 09:27:31.032:288) : item=0 name=/usr/afs/local/ inode=20836814 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=PARENT 
type=CWD msg=audit(02/13/2015 09:27:31.032:288) :  cwd=/usr/afs/logs 
type=SYSCALL msg=audit(02/13/2015 09:27:31.032:288) : arch=x86_64 syscall=open success=yes exit=4 a0=0x665fa0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x3650bba7b8 items=2 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.032:288) : avc:  denied  { write } for  pid=26389 comm=bosserver path=/usr/afs/local/bosserver.rxbind dev="vda3" ino=20836820 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file 
type=AVC msg=audit(02/13/2015 09:27:31.032:288) : avc:  denied  { create } for  pid=26389 comm=bosserver name=bosserver.rxbind scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file 
----
type=PATH msg=audit(02/13/2015 09:27:31.033:289) : item=0 name=/etc/krb5.conf inode=16898885 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:krb5_conf_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/13/2015 09:27:31.033:289) :  cwd=/usr/afs/logs 
type=SYSCALL msg=audit(02/13/2015 09:27:31.033:289) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x1fe4208 a1=0x7fff37583bd0 a2=0x7fff37583bd0 a3=0x7fff37583950 items=1 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.033:289) : avc:  denied  { getattr } for  pid=26389 comm=bosserver path=/etc/krb5.conf dev="vda3" ino=16898885 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file 
----
type=PATH msg=audit(02/13/2015 09:27:31.033:290) : item=0 name=/etc/krb5.conf inode=16898885 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:krb5_conf_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/13/2015 09:27:31.033:290) :  cwd=/usr/afs/logs 
type=SYSCALL msg=audit(02/13/2015 09:27:31.033:290) : arch=x86_64 syscall=open success=yes exit=4 a0=0x1fe4208 a1=O_RDONLY a2=0x1b6 a3=0x7fff37583950 items=1 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.033:290) : avc:  denied  { open } for  pid=26389 comm=bosserver path=/etc/krb5.conf dev="vda3" ino=16898885 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file 
type=AVC msg=audit(02/13/2015 09:27:31.033:290) : avc:  denied  { read } for  pid=26389 comm=bosserver name=krb5.conf dev="vda3" ino=16898885 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file 
----
type=PATH msg=audit(02/13/2015 09:27:31.033:291) : item=0 name=/dev/urandom inode=4563 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/13/2015 09:27:31.033:291) :  cwd=/usr/afs/logs 
type=SYSCALL msg=audit(02/13/2015 09:27:31.033:291) : arch=x86_64 syscall=open success=yes exit=4 a0=0x3655c2a444 a1=O_RDONLY a2=0x40 a3=0x7fff37585b00 items=1 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.033:291) : avc:  denied  { open } for  pid=26389 comm=bosserver path=/dev/urandom dev="devtmpfs" ino=4563 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
type=AVC msg=audit(02/13/2015 09:27:31.033:291) : avc:  denied  { read } for  pid=26389 comm=bosserver name=urandom dev="devtmpfs" ino=4563 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/13/2015 09:27:31.034:292) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7fff37585d80 a2=0x7fff37585d80 a3=0x7fff37585b00 items=0 ppid=1 pid=26389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bosserver exe=/usr/afs/bin/bosserver subj=system_u:system_r:afs_bosserver_t:s0 key=(null) 
type=AVC msg=audit(02/13/2015 09:27:31.034:292) : avc:  denied  { getattr } for  pid=26389 comm=bosserver path=/dev/urandom dev="devtmpfs" ino=4563 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----
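The permissive-mode records above list every denial bosserver hit during startup. Before choosing between an allow rule and a relabel, a policy maintainer first collapses such records by (source type, target type, object class). The script below is an added example, not code from this bug or from selinux-policy; its sample records are constructed from a subset of the AVC lines in this comment, in the interpreted `ausearch -i` format shown here.

```python
"""Group SELinux AVC denials (ausearch -i format) by (source type, target
type, class) -> permissions, the first step of a policy triage.
Added example for this bug page; the sample records are constructed."""
import re
from collections import defaultdict

# Constructed sample: a subset of the permissive-mode AVCs from Comment 1,
# plus one CWD record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=CWD msg=audit(02/13/2015 09:27:31.026:286) :  cwd=/
type=AVC msg=audit(02/13/2015 09:27:31.026:286) : avc:  denied  { create } for  pid=26389 comm=bosserver name=local scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(02/13/2015 09:27:31.026:286) : avc:  denied  { add_name } for  pid=26389 comm=bosserver name=local scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(02/13/2015 09:27:31.026:286) : avc:  denied  { write } for  pid=26389 comm=bosserver name=afs dev="vda3" ino=42380544 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(02/13/2015 09:27:31.033:290) : avc:  denied  { open } for  pid=26389 comm=bosserver path=/etc/krb5.conf dev="vda3" ino=16898885 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(02/13/2015 09:27:31.033:290) : avc:  denied  { read } for  pid=26389 comm=bosserver name=krb5.conf dev="vda3" ino=16898885 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(02/13/2015 09:27:31.033:291) : avc:  denied  { read } for  pid=26389 comm=bosserver name=urandom dev="devtmpfs" ino=4563 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

# Matches the denied permission set and the three fields that identify
# the access vector: source context, target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perm) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH/CWD/SYSCALL records carry no denial
        for perm in m["perms"].split():
            yield type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], perm

def group_denials(text):
    """Collapse denials into {(src, tgt, class): sorted list of perms}."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_avcs(text):
        grouped[(src, tgt, tclass)].add(perm)
    return {k: sorted(v) for k, v in grouped.items()}

def as_allow_rules(grouped):
    """Render groups in allow-rule syntax (the shape audit2allow proposes)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(group_denials(SAMPLE_AUDIT)):
        print(rule)
```

The grouping naively suggests granting afs_bosserver_t write access to usr_t directories; the fix recorded in Comment 3 instead relabels /usr/afs as afs_files_t so the domain never needs rights on the generic usr_t type.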

Comment 3 Lukas Vrabec 2015-07-14 15:29:34 UTC
commit 874bc2c50ff0431dc710c6b466f11887e1f224c7
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 14 17:01:54 2015 +0200

    Label /usr/afs/ as afs_files_t
    Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t
    Allow afs_bosserver_t read kerberos config

Comment 8 Milos Malik 2015-09-17 12:32:03 UTC
Yes, we have these labels and rules in the latest selinux-policy for RHEL-6.7.

Comment 12 errata-xmlrpc 2015-11-19 10:26:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html