Bug 1259519

Summary: SELinux alerts for audispd
Product: Red Hat Enterprise Linux 6
Reporter: agilley
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.8
CC: agilley, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-11 16:16:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (Description / Flags):
  audispd AVD denial / none
  end of var/log/messages file that contains more information / none
  ps output / none

Description agilley 2015-09-02 20:59:08 UTC
Description of problem:

RHEL 6.5 systems are getting SELinux alerts for audispd.


Version-Release number of selected component (if applicable):

RHEL 6.5


How reproducible:

Reproducible on several systems.

Steps to Reproduce:
See attached files from customer.

Actual results:
AVC Denial 


Expected results:
No modification needed to SELinux policy

Additional info:
See attached.

Comment 1 agilley 2015-09-02 21:07:19 UTC
Created attachment 1069596
audispd AVD denial

Comment 2 agilley 2015-09-02 21:08:38 UTC
Created attachment 1069597
end of var/log/messages file that contains more information

Comment 4 Milos Malik 2015-09-03 05:14:48 UTC
audispd tries to communicate with a process running as initrc_t. Is auditd running as initrc_t?

# ps -efZ | grep initrc_t

Comment 5 agilley 2015-09-14 18:24:16 UTC
auditd does not appear to be running as initrc_t.

Comment 6 agilley 2015-09-14 18:25:22 UTC
Created attachment 1073393
ps output

Comment 7 Milos Malik 2015-09-15 07:07:36 UTC
Based on the latest attachment, there are 2 syslog daemons running (syslog-ng and rsyslogd). Syslog daemons usually listen on the /dev/log socket. I suspect that one of them is not running in the correct SELinux domain. Could you paste here the output of the following commands?

# fuser /dev/log

# ps -efZ | grep syslog
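
The two checks asked for in comments 4 and 7 (which process runs as initrc_t, and which domain each holder of /dev/log runs in) can be scripted over `ps -efZ` output. The helper below is an added example and is not code from the bug report or from the selinux-policy project; the sample `ps -efZ` lines, the PIDs and the syslog-ng-in-initrc_t outcome are constructed for the demo and are not taken from the customer's attachments.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or the selinux-policy project) for the
# checks suggested in comments 4 and 7: find the process that runs as initrc_t and
# check the SELinux domain of every process holding the /dev/log socket.
# Input is `ps -efZ` output on stdin; the PID list comes from `fuser /dev/log`.

# Constructed sample of `ps -efZ` output. Contexts, PIDs and commands are
# assumptions for the demo, not taken from the customer's attachments.
SAMPLE_PS='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:auditd_t:s0   root      1234     1  0 10:00 ?        00:00:00 auditd
system_u:system_r:audisp_t:s0   root      1236  1234  0 10:00 ?        00:00:00 /sbin/audispd
system_u:system_r:syslogd_t:s0  root      1300     1  0 10:00 ?        00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
system_u:system_r:initrc_t:s0   root      1400     1  0 10:00 ?        00:00:00 /usr/sbin/syslog-ng -F'

# procs_in_domain TYPE   (reads ps -efZ output on stdin)
# Prints "PID CMD" for each process whose context type (user:role:TYPE:level) is TYPE.
# Columns of ps -efZ: LABEL UID PID PPID C STIME TTY TIME CMD, so CMD starts at $9.
procs_in_domain() {
    awk -v want="$1" '
        NR > 1 {
            split($1, ctx, ":")
            if (ctx[3] == want) {
                cmd = $9
                for (i = 10; i <= NF; i++) cmd = cmd " " $i
                print $3, cmd
            }
        }'
}

# domains_for_pids "PID PID ..."   (reads ps -efZ output on stdin)
# Prints "PID TYPE CMD" for each listed PID, e.g. the PIDs printed by fuser.
domains_for_pids() {
    awk -v pids="$1" '
        BEGIN { n = split(pids, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 && ($3 in want) {
            split($1, ctx, ":")
            cmd = $9
            for (i = 10; i <= NF; i++) cmd = cmd " " $i
            print $3, ctx[3], cmd
        }'
}

# unconfined_log_holders "PID PID ..."   (reads ps -efZ output on stdin)
# Holders of /dev/log that are not in syslogd_t: the likely initrc_t peer that
# audispd was denied talking to.
unconfined_log_holders() {
    domains_for_pids "$1" | awk '$2 != "syslogd_t"'
}

# Demo on the constructed sample. On a live RHEL 6 system replace the printf with
# `ps -efZ` and the PID list with "$(fuser /dev/log 2>/dev/null)" (fuser prints
# only the PIDs on stdout; the path and access letters go to stderr).
echo "== processes in initrc_t =="
printf '%s\n' "$SAMPLE_PS" | procs_in_domain initrc_t
echo "== /dev/log holders not confined in syslogd_t =="
printf '%s\n' "$SAMPLE_PS" | unconfined_log_holders "1300 1400"
```

Whatever the script flags is the service to relabel or restart from its init script rather than the thing to allow in a local policy module: a daemon left in initrc_t is unconfined with respect to the rules written for its proper domain, so adding an `audisp_t -> initrc_t` allow rule would only hide the mislabeling.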

Comment 8 agilley 2015-09-22 19:49:44 UTC
The customer has created a SELinux policy module to fix this. I have the full sosreport, but I am not sure if having him run those commands to get that information will be helpful at this point.

If it will still be beneficial I will get that information.

Comment 9 Miroslav Grepl 2015-10-05 06:30:18 UTC
(In reply to agilley from comment #8)
> The customer has created a SELinux policy module to fix this. I have the
> full sosreport but I am not sure if having him run those commands to get
> that information will be helpful at this point. 
> 
> If it will still be beneficial I will get that information.

Without that, we are not able to identify which service is running in the initrc_t SELinux domain.

Comment 10 Miroslav Grepl 2015-11-11 16:16:19 UTC
We will reopen it if we get requested info. Thank you.