| Summary: | AVC denials when running dhpcd resource agent | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | michal novacek <mnovacek> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, mnovacek, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | Flags: | mgrepl:
needinfo?
(mnovacek) mmalik: needinfo? (mnovacek) |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1393066 | ||
The /lib64/libnss_sss.so.2 file is mislabeled # matchpathcon /lib64/libnss_sss.so.2 /lib64/libnss_sss.so.2 system_u:object_r:lib_t:s0 # Please run following command on your machine: # restorecon -Rv /lib64 Is this something that I have broken myself or is this something that needs to be fixed in selinux-policy? It looks like that you system is/was mislabeled, so there is no need to change it in selinux-policy. Are you able to reproduce it? Where does it come from? Beaker? Thank you. *** Bug 1388442 has been marked as a duplicate of this bug. *** Is it still relevant? Do you still see SELinux denials mentioned in comment#0? If not, we will close the bug because of mislableled filesystem on your side. Mislabeled files can be repaired via restorecon -Rv ... We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. |
Info: Searching AVC errors produced since 1474892210.29 (Mon Sep 26 14:16:50 2016) Searching logs... Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/26/2016 14:16:50 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.rFRjd8 2>&1' ---- time->Mon Sep 26 14:22:58 2016 type=USER_AVC msg=audit(1474892578.631:254): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' ---- time->Mon Sep 26 14:23:05 2016 type=SYSCALL msg=audit(1474892585.830:269): arch=c000003e syscall=9 success=yes exit=140244910362624 a0=0 a1=208470 a2=5 a3=802 items=0 ppid=27132 pid=27133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=system_u:system_r:dhcpd_t:s0 key=(null) type=AVC msg=audit(1474892585.830:269): avc: denied { execute } for pid=27133 comm="dhcpd" path="/lib64/libnss_sss.so.2" dev="dm-0" ino=9498937 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file ---- time->Mon Sep 26 14:23:27 2016 type=SYSCALL msg=audit(1474892607.507:392): arch=c000003e syscall=9 success=yes exit=140418800103424 a0=0 a1=208470 a2=5 a3=802 items=0 ppid=27791 pid=27792 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=system_u:system_r:dhcpd_t:s0 key=(null) type=AVC msg=audit(1474892607.507:392): avc: denied { execute } for pid=27792 comm="dhcpd" path="/lib64/libnss_sss.so.2" dev="dm-0" ino=9498937 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file Fail: AVC messages found. Checking for errors... Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems. Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.rFRjd8 | /sbin/ausearch -m AVC -m SELINUX_ERR' Fail: AVC messages found. Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.u8UuL8 2>&1' Info: No AVC messages found. /bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log No AVC messages found in dmesg Running '/usr/sbin/sestatus' SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Running 'rpm -q selinux-policy || true' selinux-policy-3.13.1-100.el7.noarch