Bug 1260682
Summary: | avc running pacemaker tests (iptables, xtables) | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | michal novacek <mnovacek> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.2 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, todoleza |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-09-10 15:17:33 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
michal novacek
2015-09-07 12:48:38 UTC
The xtables.lock file is mislabeled. We need to find out which process created it. restorecon -v /run/xtables.lock is able to correct the label.

Here is the reproducer:

```
# service NetworkManager stop
Redirecting to /bin/systemctl stop NetworkManager.service
# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
# rm -f /run/xtables.lock
# service iptables start
Redirecting to /bin/systemctl start iptables.service
# ls -Z /run/xtables.lock
ls: cannot access /run/xtables.lock: No such file or directory
# service ip6tables start
Redirecting to /bin/systemctl start ip6tables.service
# ls -Z /run/xtables.lock
ls: cannot access /run/xtables.lock: No such file or directory
# service firewalld start
Redirecting to /bin/systemctl start firewalld.service
# ls -Z /run/xtables.lock
-rw-------. root root system_u:object_r:var_run_t:s0 /run/xtables.lock
#
```

A special policy module, which contains an auditallow rule, revealed which process created the xtables.lock file:

```
----
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=1 name=/run/xtables.lock inode=417551 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=0 name=/run/ inode=6608 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/07/2015 15:26:51.078:3156) : cwd=/
type=SYSCALL msg=audit(09/07/2015 15:26:51.078:3156) : arch=x86_64 syscall=open success=yes exit=3 a0=0x4129fb a1=O_RDONLY|O_CREAT a2=0600 a3=0x7ffd7eccf3c0 items=2 ppid=10827 pid=10849 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip6tables exe=/usr/sbin/xtables-multi subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(09/07/2015 15:26:51.078:3156) : avc: granted { create } for pid=10849 comm=ip6tables name=xtables.lock scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
```

Which service causes it and is running as unconfined_service_t? I don't know.

Here is another reproducer of the issue:

* https://bugzilla.redhat.com/show_bug.cgi?id=1243403#c17

*** This bug has been marked as a duplicate of bug 1243403 ***
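Added example, not part of the bug report: a small Python parser for the `ausearch -i` style records quoted in the comment above. It groups records by audit event serial and joins the PATH record with `objtype=CREATE` to the event's SYSCALL record, so the creating process, executable and SELinux domain of any mislabeled file can be read off directly. The sample input is the event from the comment, embedded as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample: the audit event from the bug comment, one record per line.
SAMPLE_AUDIT = """\
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=1 name=/run/xtables.lock inode=417551 dev=00:12 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/07/2015 15:26:51.078:3156) : item=0 name=/run/ inode=6608 dev=00:12 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/07/2015 15:26:51.078:3156) : cwd=/
type=SYSCALL msg=audit(09/07/2015 15:26:51.078:3156) : arch=x86_64 syscall=open success=yes exit=3 a0=0x4129fb a1=O_RDONLY|O_CREAT a2=0600 a3=0x7ffd7eccf3c0 items=2 ppid=10827 pid=10849 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ip6tables exe=/usr/sbin/xtables-multi subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(09/07/2015 15:26:51.078:3156) : avc: granted { create } for pid=10849 comm=ip6tables name=xtables.lock scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

# "type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value fields>"
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Group records by event serial: serial -> record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip "----" separators and anything that is not a record
        rtype, _stamp, serial, body = m.groups()
        events[serial][rtype].append(dict(FIELD_RE.findall(body)))
    return events


def find_creators(text, path):
    """Return one dict per event in which `path` was created (PATH objtype=CREATE),
    joined with that event's SYSCALL record for the creating process and its domain."""
    hits = []
    for serial, recs in parse_records(text).items():
        created = [p for p in recs.get("PATH", [])
                   if p.get("name") == path and p.get("objtype") == "CREATE"]
        if not created or not recs.get("SYSCALL"):
            continue
        sc = recs["SYSCALL"][0]
        hits.append({"serial": serial, "pid": sc.get("pid"), "ppid": sc.get("ppid"),
                     "comm": sc.get("comm"), "exe": sc.get("exe"), "subj": sc.get("subj"),
                     "label": created[0].get("obj")})
    return hits


if __name__ == "__main__":
    for h in find_creators(SAMPLE_AUDIT, "/run/xtables.lock"):
        print(f"{h['exe']} (comm={h['comm']}, pid={h['pid']}) created it as {h['subj']} -> {h['label']}")
```

Feeding it `ausearch -i -m PATH,SYSCALL,AVC` output for the real system answers the reporter's open question: the `subj` field names the domain, and `ppid` points at the service that spawned the `xtables-multi` call.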