Bug 1349058
| Summary: | avc: denied {open \| read \| write} comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" generated after starting ipmievd service | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Rachel Sibley <rasibley> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | branto, lvrabec, mgrepl, mmalik, plautrba, pvrabec, rasibley, ssekidde |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-93.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:32:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
What is a label for /dev/ipmi0?

# ls -Z /dev/ipmi0

Hi Miroslav, information is provided below:

~]# uname -r
3.10.0-442.el7.x86_64
~]# ls -Z /dev/ipmi0
crw-------. root root system_u:object_r:ipmi_device_t:s0 /dev/ipmi0

*** This bug has been marked as a duplicate of bug 1083031 ***

I'm not sure if this is the same issue as bug 1083031? I'm still seeing avc denied failures when starting ipmievd with selinux-policy-3.13.1-85.el7:

# rpm -q selinux-policy
selinux-policy-3.13.1-85.el7.noarch
# systemctl start ipmievd
# grep denied audit.log
type=AVC msg=audit(1468593240.028:107): avc: denied { read write } for pid=16201 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:107): avc: denied { open } for pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:108): avc: denied { ioctl } for pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
# ps -efZ | grep ipmievd
system_u:system_r:ipmievd_t:s0 root 16202 1 0 10:33 ? 00:00:00 /usr/sbin/ipmievd sel daemon pidfile=/var/run/ipmievd.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16209 16122 0 10:46 pts/0 00:00:00 grep --color=auto ipmievd

Hi Rachel,

The problem here is that you have a mislabeled /dev/ipmi0 on your system. This is the output on my system:

[root@rhel7-virt ~]# matchpathcon /dev/ipmi0
/dev/ipmi0 system_u:object_r:ipmi_device_t:s0
[root@rhel7-virt ~]# rpm -q selinux-policy
selinux-policy-3.13.1-88.el7.noarch

Please, could you run restorecon to fix labels on your system and try to reproduce the issue?

# restorecon -Rv /dev

*** This bug has been marked as a duplicate of bug 1083031 ***

Reopening as this is still causing my tests to fail; I have even removed the audit log and rebooted, yet I am still seeing the failures with the latest selinux-policy.

[root@dell-pet610-01 audit]# rpm -q selinux-policy
selinux-policy-3.13.1-92.el7.noarch
[root@dell-pet610-01 audit]# grep -r denied audit.log
[root@dell-pet610-01 audit]#
[root@dell-pet610-01 audit]# systemctl start ipmi
[root@dell-pet610-01 audit]# systemctl start ipmievd
[root@dell-pet610-01 audit]# grep -r denied audit.log
type=AVC msg=audit(1470337273.996:81): avc: denied { read write } for pid=2657 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:81): avc: denied { open } for pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:82): avc: denied { ioctl } for pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Hi Milos, unfortunately I'm seeing even more failures than before:

# rpm -q selinux-policy
selinux-policy-3.13.1-93.el7.noarch
# grep -r denied audit.log
#
# systemctl start ipmi
# systemctl start ipmievd
# grep -r denied audit.log
type=AVC msg=audit(1471358658.638:84): avc: denied { read } for pid=11529 comm="openipmi-helper" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:84): avc: denied { open } for pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:85): avc: denied { getattr } for pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc: denied { read } for pid=11529 comm="openipmi-helper" name="passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc: denied { open } for pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:87): avc: denied { getattr } for pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:88): avc: denied { execute } for pid=11531 comm="openipmi-helper" name="uname" dev="dm-0" ino=67253286 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:89): avc: denied { execute } for pid=11532 comm="openipmi-helper" name="cut" dev="dm-0" ino=67253209 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:90): avc: denied { execute_no_trans } for pid=11531 comm="openipmi-helper" path="/usr/bin/uname" dev="dm-0" ino=67253286 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:91): avc: denied { getattr } for pid=11529 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:92): avc: denied { execute } for pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:93): avc: denied { read } for pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc: denied { open } for pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc: denied { execute_no_trans } for pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:95): avc: denied { getattr } for pid=11533 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:96): avc: denied { read } for pid=11533 comm="modprobe" name="modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:96): avc: denied { open } for pid=11533 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:97): avc: denied { getattr } for pid=11533 comm="modprobe" path="/etc/modprobe.d/lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:98): avc: denied { read } for pid=11533 comm="modprobe" name="lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:98): avc: denied { open } for pid=11533 comm="modprobe" path="/etc/modprobe.d/lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:99): avc: denied { search } for pid=11533 comm="modprobe" name="modules" dev="dm-0" ino=101279051 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:99): avc: denied { read } for pid=11533 comm="modprobe" name="modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:99): avc: denied { open } for pid=11533 comm="modprobe" path="/usr/lib/modules/3.10.0-492.el7.x86_64/modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:100): avc: denied { getattr } for pid=11533 comm="modprobe" path="/usr/lib/modules/3.10.0-492.el7.x86_64/modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:101): avc: denied { read } for pid=11533 comm="modprobe" name="initstate" dev="sysfs" ino=21105 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:101): avc: denied { open } for pid=11533 comm="modprobe" path="/sys/module/ipmi_msghandler/initstate" dev="sysfs" ino=21105 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1471358658.647:102): avc: denied { read } for pid=11534 comm="lsmod" name="intel_powerclamp" dev="sysfs" ino=22565 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc: denied { read } for pid=11547 comm="touch" name="lock" dev="dm-0" ino=205 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1471358658.665:103): avc: denied { write } for pid=11547 comm="touch" name="subsys" dev="tmpfs" ino=14083 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc: denied { add_name } for pid=11547 comm="touch" name="ipmi" scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc: denied { create } for pid=11547 comm="touch" name="ipmi" scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1471358658.665:103): avc: denied { write open } for pid=11547 comm="touch" path="/run/lock/subsys/ipmi" dev="tmpfs" ino=36008 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Fixed all AVC from comment#15

No longer seeing the errors with the selinux-policy-3.13.1-94.el7 build:

[root@dell-pem910-02 audit]# rpm -q selinux-policy
selinux-policy-3.13.1-94.el7.noarch
[root@dell-pem910-02 audit]# grep -r denied audit.log
[root@dell-pem910-02 audit]# systemctl start ipmi
[root@dell-pem910-02 audit]# systemctl start ipmievd
[root@dell-pem910-02 audit]# grep -r denied audit.log
[root@dell-pem910-02 audit]#
[root@dell-pem910-02 audit]# uname -r
3.10.0-493.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Description of problem:
avc denied errors are generated when starting the ipmievd service

Version-Release number of selected component (if applicable):
# rpm -q ipmitool
ipmitool-1.8.15-7.el7.x86_64
# rpm -q OpenIPMI
OpenIPMI-2.0.19-15.el7.x86_64
# uname -r
3.10.0-442.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install ipmitool OpenIPMI
2. systemctl start ipmievd
3. tail /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1466608886.490:287): avc: denied { read write } for pid=19878 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1466608886.490:287): avc: denied { open } for pid=19878 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1466608886.490:287): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0e0a5460 a1=2 a2=0 a3=0 items=0 ppid=1 pid=19878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmievd" exe="/usr/sbin/ipmievd" subj=system_u:system_r:ipmievd_t:s0 key=(null)
type=AVC msg=audit(1466608886.490:288): avc: denied { ioctl } for pid=19878 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Expected results:
no avc denied errors

Additional info:
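As an added example (not part of this bug report or of the selinux-policy project): a small Python triage helper that parses AVC records of the shape pasted in this bug, groups them by (source type, target type, class) with their merged permission sets, and flags the /dev/ipmi0 group as a labelling problem because its target type is the generic device_t, which is why restorecon rather than a policy change was the first thing asked for. The sample records and the set of "generic" types are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the AVC records quoted in this bug:
# ipmievd denied on /dev/ipmi0 (still labelled generic device_t), openipmi-helper
# denied on /etc/passwd, plus a SYSCALL record to show it is skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1470337273.996:81): avc: denied { read write } for pid=2657 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:81): avc: denied { open } for pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1471358658.638:86): avc: denied { read } for pid=11529 comm="openipmi-helper" name="passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1470337273.996:81): arch=c000003e syscall=2 success=yes exit=3 comm="ipmievd"
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Target types meaning "no specific label was applied" (assumed list): a denial
# against one of these is a host labelling problem, not a missing policy rule.
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t"}


def parse_avc(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            records.append(rec)
    return records


def selinux_type(ctx): return ctx.split(":")[2]  # user:role:type[:level] -> type


def summarize(text):
    """Group denials by (source type, target type, class), merge the permission
    sets, and give each group a verdict: mislabel (restorecon) or policy gap."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for rec in parse_avc(text):
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"] |= rec["perms"]
        groups[key]["comms"].add(rec["comm"])
    summary = []
    for (src, tgt, cls), g in sorted(groups.items()):
        summary.append({"source": src, "target": tgt, "tclass": cls,
                        "perms": sorted(g["perms"]), "comms": sorted(g["comms"]),
                        "verdict": "mislabel" if tgt in GENERIC_TYPES else "policy gap"})
    return summary
```

Run against a real /var/log/audit/audit.log, a "mislabel" group on a /dev node is the cue to compare `ls -Z` with `matchpathcon` and run restorecon before filing anything against the policy.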