Bug 1413064
Summary: | Freeradius after rebase has started to produce avcs | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Aster <jaster> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | Keywords: | Rebase |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 15:20:12 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jaroslav Aster
2017-01-13 14:23:22 UTC
Full auditing enabled (enforcing mode): ---- type=PROCTITLE msg=audit(01/17/2017 13:59:02.541:519) : proctitle=/usr/sbin/radiusd -C type=SYSCALL msg=audit(01/17/2017 13:59:02.541:519) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1 pid=5669 auid=unset uid=root gid=radiusd euid=radiusd suid=root fsuid=radiusd egid=radiusd sgid=radiusd fsgid=radiusd tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) type=AVC msg=audit(01/17/2017 13:59:02.541:519) : avc: denied { execmem } for pid=5669 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=0 ---- type=PROCTITLE msg=audit(01/17/2017 13:59:02.541:520) : proctitle=/usr/sbin/radiusd -d /etc/raddb type=OBJ_PID msg=audit(01/17/2017 13:59:02.541:520) : opid=5672 oauid=unset ouid=root oses=-1 obj=system_u:system_r:radiusd_t:s0 ocomm=radiusd type=SYSCALL msg=audit(01/17/2017 13:59:02.541:520) : arch=x86_64 syscall=ptrace success=no exit=EACCES(Permission denied) a0=PTRACE_ATTACH a1=0x1628 a2=0x0 a3=0x0 items=0 ppid=5672 pid=5673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) type=AVC msg=audit(01/17/2017 13:59:02.541:520) : avc: denied { ptrace } for pid=5673 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=0 ---- Full auditing enabled (permissive mode): ---- type=PROCTITLE msg=audit(01/17/2017 14:01:01.690:551) : proctitle=/usr/sbin/radiusd -C type=OBJ_PID msg=audit(01/17/2017 14:01:01.690:551) : opid=5892 oauid=unset ouid=root oses=-1 obj=system_u:system_r:radiusd_t:s0 ocomm=radiusd type=SYSCALL msg=audit(01/17/2017 14:01:01.690:551) : arch=x86_64 syscall=ptrace success=yes exit=0 a0=PTRACE_ATTACH a1=0x1704 a2=0x0 a3=0x0 items=0 ppid=5892 pid=5893 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) type=AVC msg=audit(01/17/2017 14:01:01.690:551) : avc: denied { sys_ptrace } for pid=5893 comm=radiusd capability=sys_ptrace scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=capability permissive=1 type=AVC msg=audit(01/17/2017 14:01:01.690:551) : avc: denied { ptrace } for pid=5893 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=1 ---- type=PROCTITLE msg=audit(01/17/2017 14:01:01.710:552) : proctitle=/usr/sbin/radiusd -C type=SYSCALL msg=audit(01/17/2017 14:01:01.710:552) : arch=x86_64 syscall=mmap success=yes exit=139648869724160 a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1 pid=5892 auid=unset uid=root gid=radiusd euid=radiusd suid=root fsuid=radiusd egid=radiusd sgid=radiusd fsgid=radiusd tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null) type=AVC msg=audit(01/17/2017 14:01:01.710:552) : avc: denied { execmem } for pid=5892 comm=radiusd scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process permissive=1 ---- There is no need to move this bug to RHEL-7.5. This bug is fixed, because it mixes symptoms of following bugs: * BZ#1426205 * BZ#1426641 Both of them are fixed in the latest selinux-policy. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861 |