Bug 1282860

Summary: oddjobd stopped by SELinux policy with interaction with syslog
Product: Red Hat Enterprise Linux 6
Reporter: Robert Patt-Corner <robert.patt-corner>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.7
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, robert.patt-corner, ssekidde
Target Milestone: rc
Flags: robert.patt-corner: needinfo-
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-11-02 17:27:13 UTC
Type: Bug

Description Robert Patt-Corner 2015-11-17 16:22:52 UTC
Description of problem:

SELinux prevents start of oddjobd

How reproducible:

100%

Steps to Reproduce:
1. setenforce 1
2. service oddjobd start [failure]
3. setenforce 0
4. service oddjobd start [success]

Additional info:

type=AVC msg=audit(1447777247.585:2122): avc:  denied  { dac_override } for  pid=15783 comm="oddjobd" capability=1  scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=capability
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

and

#============= oddjob_t ==============
allow oddjob_t initrc_t:dbus send_msg;
allow oddjob_t self:capability dac_override;

#============= setfiles_t ==============
allow setfiles_t admin_home_t:file write;

#============= sshd_t ==============
allow sshd_t admin_home_t:file write;

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow syslogd_t default_t:dir { write add_name };
allow syslogd_t default_t:file { create open ioctl append getattr };

Comment 2 Milos Malik 2015-11-18 07:58:04 UTC
Based on the rules recommended by audit2why / audit2allow, it seems that some files / directories on your machine are mislabeled. There shouldn't be any default_t labels.

Could you find out which processes are running as initrc_t? Apparently, oddjobd wants to communicate via D-Bus with one of those processes.

Could you collect AVCs and attach them here? It will help us to resolve the problems you see.

Comment 3 Robert Patt-Corner 2015-12-21 12:41:51 UTC
Here you go (see below).  On collecting AVCs, I'm not too familiar with SELinux, and a concrete suggestion or example might help me send what is needed.

The processes below containing 'opscode' are various Chef processes...

[root@egt-labs-prod-mu-master ~]# ps axZ | grep initrc_t
system_u:system_r:initrc_t:s0     847 ?        S      0:13 /opt/opscode/embedded/service/opscode-chef-mover/erts-5.10.4/bin/epmd -daemon
system_u:system_r:initrc_t:s0    2223 ?        Ss     5:01 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
system_u:system_r:initrc_t:s0    2232 ?        S      2:12 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3444 pts/0 S+   0:00 grep initrc_t
system_u:system_r:initrc_t:s0   15160 ?        Ss     0:11 /opt/opscode/embedded/service/bookshelf/lib/exec-1.0+build.149.refb3548d6/priv/x86_64-unknown-linux-gnu/exec-port -n
system_u:system_r:initrc_t:s0   15277 ?        Ss     0:05 inet_gethost 4
system_u:system_r:initrc_t:s0   15305 ?        S      0:02 inet_gethost 4
system_u:system_r:initrc_t:s0   15478 ?        Ss     0:07 inet_gethost 4
system_u:system_r:initrc_t:s0   15479 ?        S      0:02 inet_gethost 4
system_u:system_r:initrc_t:s0   15501 ?        Ss     0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15504 ?        S      0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15557 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15569 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15583 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15623 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15651 ?        Ssl    0:05 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15699 ?        Ss     0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15700 ?        S      0:00 inet_gethost 4
unconfined_u:system_r:initrc_t:s0 20267 ?      Ssl   26:41 /usr/lib/jvm/java/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/home/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=8080 --httpListenAddress=0.0.0.0 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 --prefix=/jenkins

Comment 4 Milos Malik 2016-02-26 12:53:00 UTC
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
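
An added example (not from the bug report or the selinux-policy project) that applies the two triage hints from comment 2 to AVC records collected with the ausearch command above: a tcontext of default_t points at mislabeled files, a tcontext of initrc_t at a service started by an init script without a domain of its own. The records are constructed samples modelled on the one in the description, and the helper names are my own.

```python
import re

# Constructed sample records modelled on the AVC in the description; the
# second and third lines are invented to exercise the default_t and initrc_t
# branches (pids, inodes and D-Bus names are placeholders, not captured data).
SAMPLE_AVCS = """\
type=AVC msg=audit(1447777247.585:2122): avc:  denied  { dac_override } for  pid=15783 comm="oddjobd" capability=1  scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1447777300.100:2130): avc:  denied  { write add_name } for  pid=1201 comm="rsyslogd" name="log" dev=dm-0 ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447777310.200:2135): pid=900 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=example.Service member=Ping dest=example.Service spid=15783 tpid=4321 scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/bin/dbus-daemon"'
"""

# Matches both kernel AVC and USER_AVC (dbus-daemon) denials on one line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the fields of one denial, or None for non-AVC audit records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def triage(avc):
    """Decide what to do before reaching for audit2allow."""
    if avc["ttype"] == "default_t":
        return "mislabeled target: relabel the path with restorecon instead of adding an allow rule"
    if avc["ttype"] == "initrc_t":
        return "peer runs unconfined in initrc_t: identify the init-script-started service (ps axZ)"
    if avc["tclass"] == "capability" and "dac_override" in avc["perms"]:
        return "dac_override: check ownership/permission bits of the file accessed before granting it"
    return "no label problem visible: candidate for audit2allow review"


def triage_log(text):
    """Run every AVC line of an ausearch dump through parse_avc and triage."""
    out = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            out.append((avc["stype"], avc["ttype"], avc["tclass"], triage(avc)))
    return out
```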

Comment 5 Lukas Vrabec 2016-10-31 12:37:59 UTC
Hi,

What is the state of this issue? Could you reproduce it and attach the output from comment #4?

Thank you.

Comment 6 Lukas Vrabec 2016-11-02 17:27:13 UTC
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its
lifetime and this bug doesn't meet the criteria for it, i.e. only high severity
issues will be fixed. Please see
https://access.redhat.com/support/policy/updates/errata/ for further
information.

Feel free to clone this bug to RHEL-7 if it is still a problem for you.