Bug 1413064

Summary: Freeradius after rebase has started to produce avcs
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Aster <jaster>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 15:20:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jaroslav Aster 2017-01-13 14:23:22 UTC
Description of problem:

Freeradius after rebase has started to produce AVCs and many tests have started to fail.


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-102.el7.noarch


How reproducible:

100%


Steps to Reproduce:
1. Run freeradius-3.0.12-1.el7_3.

time->Tue Dec 20 06:15:14 2016
type=SYSCALL msg=audit(1482232514.172:59): arch=c000003e syscall=101 success=no exit=-13 a0=10 a1=2a53 a2=0 a3=0 items=0 ppid=10835 pid=10837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1482232514.172:59): avc:  denied  { ptrace } for  pid=10837 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process
----
time->Tue Dec 20 06:20:23 2016
type=SYSCALL msg=audit(1482232823.440:64): arch=c000003e syscall=101 success=no exit=-13 a0=10 a1=40f6 a2=0 a3=0 items=0 ppid=16630 pid=16633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1482232823.440:64): avc:  denied  { ptrace } for  pid=16633 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process
----
time->Tue Dec 20 06:20:23 2016
type=SYSCALL msg=audit(1482232823.467:65): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=16630 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1482232823.467:65): avc:  denied  { execmem } for  pid=16630 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process
----
time->Tue Dec 20 06:20:23 2016
type=SYSCALL msg=audit(1482232823.467:66): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=16630 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1482232823.467:66): avc:  denied  { execmem } for  pid=16630 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process


Actual results:

There are avcs.


Expected results:

There are no avcs.

Comment 1 Milos Malik 2017-01-17 13:00:54 UTC
Full auditing enabled (enforcing mode):
----
type=PROCTITLE msg=audit(01/17/2017 13:59:02.541:519) : proctitle=/usr/sbin/radiusd -C 
type=SYSCALL msg=audit(01/17/2017 13:59:02.541:519) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1 pid=5669 auid=unset uid=root gid=radiusd euid=radiusd suid=root fsuid=radiusd egid=radiusd sgid=radiusd fsgid=radiusd tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(01/17/2017 13:59:02.541:519) : avc:  denied  { execmem } for  pid=5669 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=0 
----
type=PROCTITLE msg=audit(01/17/2017 13:59:02.541:520) : proctitle=/usr/sbin/radiusd -d /etc/raddb 
type=OBJ_PID msg=audit(01/17/2017 13:59:02.541:520) : opid=5672 oauid=unset ouid=root oses=-1 obj=system_u:system_r:radiusd_t:s0 ocomm=radiusd 
type=SYSCALL msg=audit(01/17/2017 13:59:02.541:520) : arch=x86_64 syscall=ptrace success=no exit=EACCES(Permission denied) a0=PTRACE_ATTACH a1=0x1628 a2=0x0 a3=0x0 items=0 ppid=5672 pid=5673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(01/17/2017 13:59:02.541:520) : avc:  denied  { ptrace } for  pid=5673 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=0 
----

Comment 2 Milos Malik 2017-01-17 13:02:29 UTC
Full auditing enabled (permissive mode):
----
type=PROCTITLE msg=audit(01/17/2017 14:01:01.690:551) : proctitle=/usr/sbin/radiusd -C 
type=OBJ_PID msg=audit(01/17/2017 14:01:01.690:551) : opid=5892 oauid=unset ouid=root oses=-1 obj=system_u:system_r:radiusd_t:s0 ocomm=radiusd 
type=SYSCALL msg=audit(01/17/2017 14:01:01.690:551) : arch=x86_64 syscall=ptrace success=yes exit=0 a0=PTRACE_ATTACH a1=0x1704 a2=0x0 a3=0x0 items=0 ppid=5892 pid=5893 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(01/17/2017 14:01:01.690:551) : avc:  denied  { sys_ptrace } for  pid=5893 comm=radiusd capability=sys_ptrace  scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=1 
type=AVC msg=audit(01/17/2017 14:01:01.690:551) : avc:  denied  { ptrace } for  pid=5893 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=1 
----
type=PROCTITLE msg=audit(01/17/2017 14:01:01.710:552) : proctitle=/usr/sbin/radiusd -C 
type=SYSCALL msg=audit(01/17/2017 14:01:01.710:552) : arch=x86_64 syscall=mmap success=yes exit=139648869724160 a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1 pid=5892 auid=unset uid=root gid=radiusd euid=radiusd suid=root fsuid=radiusd egid=radiusd sgid=radiusd fsgid=radiusd tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) 
type=AVC msg=audit(01/17/2017 14:01:01.710:552) : avc:  denied  { execmem } for  pid=5892 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=1 
----
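The two comments above show the same denials recorded in enforcing mode (where the kernel stops at the first failed check) and in permissive mode (where every check that would have failed is logged, which is why the capability:sys_ptrace denial only shows up in comment 2). As an added example that is not part of the bug report or of the selinux-policy package, the script below parses both the raw auditd form from the description and the ausearch -i interpreted form from the comments, groups the denials by (source type, target type, class), renders the allow rules audit2allow would emit for them, and flags the ones a policy reviewer should not wave through. The sample lines are copied from this page; the RISKY table and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: raw auditd AVC records (from the description) and
# ausearch -i interpreted records (from comment 2), copied from this page.
# The SYSCALL line is included to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1482232514.172:59): avc:  denied  { ptrace } for  pid=10837 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process
type=AVC msg=audit(1482232823.467:65): avc:  denied  { execmem } for  pid=16630 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process
type=AVC msg=audit(01/17/2017 14:01:01.690:551) : avc:  denied  { sys_ptrace } for  pid=5893 comm=radiusd capability=sys_ptrace  scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(01/17/2017 14:01:01.690:551) : avc:  denied  { ptrace } for  pid=5893 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=1
type=AVC msg=audit(01/17/2017 14:01:01.710:552) : avc:  denied  { execmem } for  pid=5892 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1482232823.467:65): arch=c000003e syscall=9 success=no exit=-13
"""

# "avc:  denied  { perm perm } for  key=value ..." in both raw and -i form.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value tokens; raw records quote comm/exe, interpreted ones do not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions whose grant materially weakens a confined domain (this table is
# the example's own judgement, not policy from the page).
RISKY = {
    ('process', 'execmem'): 'anonymous writable+executable memory (defeats W^X)',
    ('process', 'execstack'): 'executable stack',
    ('process', 'execheap'): 'executable heap',
    ('process', 'ptrace'): 'ptrace of processes in the target domain (self included)',
    ('capability', 'sys_ptrace'): 'CAP_SYS_PTRACE, trace processes owned by other users',
}


def type_of(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        'verdict': verdict,
        'perms': perms.split(),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # Raw records on this page carry no permissive= field, hence None.
        'permissive': fields.get('permissive'),
        'comm': fields.get('comm'),
    }


def summarize(audit_text):
    """Group denials into (source type, target type, class) -> set of permissions.

    Also records which permissive= values each group was seen with, so that
    denials observed only in permissive mode can be pointed out."""
    rules = defaultdict(set)
    seen_with = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
        seen_with[key].add(rec['permissive'])
    return rules, seen_with


def te_rules(rules):
    """Render allow rules the way audit2allow does ('self' when src == tgt)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if src == tgt else tgt
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            out.append(f'allow {src} {target}:{cls} {{ {p} }};')
        else:
            out.append(f'allow {src} {target}:{cls} {p};')
    return out


def only_in_permissive(seen_with):
    """Groups that were logged exclusively with permissive=1."""
    return sorted(k for k, vals in seen_with.items() if vals == {'1'})


def review_notes(rules):
    """One note per permission that a reviewer should not grant without thought."""
    notes = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        for p in sorted(perms):
            why = RISKY.get((cls, p))
            if why:
                notes.append(f'{src} -> {tgt}:{cls} {p}: {why}')
    return notes


if __name__ == '__main__':
    rules, seen_with = summarize(SAMPLE_AUDIT)
    print('\n'.join(te_rules(rules)))
    print('seen only in permissive mode:', only_in_permissive(seen_with))
    print('\n'.join(review_notes(rules)))
```

On the page's own records this yields `allow radiusd_t self:process { execmem ptrace };` and `allow radiusd_t self:capability sys_ptrace;`, with the capability rule reported as seen only in permissive mode. That is exactly what a local audit2allow module would contain, and it is the reason to read such output before loading it: the execmem grant lets the daemon map RWX anonymous memory (the mmap in comment 1 asks for PROT_READ|PROT_WRITE|PROT_EXEC), which is a confinement loss rather than a harmless unbreak. The proper resolution here was the updated selinux-policy referenced in comment 4, not a hand-rolled module. The script works on `ausearch -m AVC -ts recent` output as well as on the raw `/var/log/audit/audit.log`.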

Comment 4 Milos Malik 2017-04-10 13:22:39 UTC
There is no need to move this bug to RHEL-7.5. This bug is fixed, because it mixes symptoms of the following bugs:
* BZ#1426205
* BZ#1426641

Both of them are fixed in the latest selinux-policy.

Comment 6 errata-xmlrpc 2017-08-01 15:20:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861