Bug 1581613
| Summary: | avc: denied { read } for pid=89057 comm="ebtables" name="ebtables.lock" dev="tmpfs" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | redhat-airlock |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | lvrabec, mgrepl, mmalik, plautrba, redhat-airlock, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-05-23 13:50:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
redhat-airlock
2018-05-23 08:43:25 UTC
Could you run the following commands and copy&paste their output here?

    # find /run -inum 6913013
    # ls -Z `find /run -inum 6913013`

I believe the ebtables.lock is located in /run and is mislabeled:

    # matchpathcon /run/ebtables.lock
    /run/ebtables.lock	system_u:object_r:iptables_var_run_t:s0
    #

If my assumption is correct, the following command should fix the problem:

    # restorecon -v /run/ebtables.lock

Oh, we created a custom policy in 7.4 for this file:

==
# Allow ebtables to remove /var/run/ebtables.lock
delete_files_pattern(iptables_t, var_run_t, var_run_t);
==

Output looks like this:

==
root@lesbos:~[13] # find /run -inum 6913013 -ls
6913013    0 -rw-------   1 root     root            0 May 23 07:12 /run/ebtables.lock
root@lesbos:~[14] # ls -Z `find /run -inum 6913013`
-rw-------. root root system_u:object_r:var_run_t:s0   /run/ebtables.lock
root@lesbos:~[15] # matchpathcon /run/ebtables.lock
/run/ebtables.lock	system_u:object_r:var_run_t:s0
root@lesbos:~[16] # restorecon -v /run/ebtables.lock
root@lesbos:~[17] #
==

I'll try to reproduce it without our custom labeling and use the default "iptables_var_run_t".

I've tested the setup without our custom label. The file gets the same permissions.

    root@lesbos:audit[26] # ll -Z /run/ebtables.lock
    -rw-------. root root system_u:object_r:var_run_t:s0   /run/ebtables.lock

Is this another variant of https://access.redhat.com/solutions/2625731 ?

I believe it is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1511437

*** This bug has been marked as a duplicate of bug 1511437 ***
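The triage in this thread boils down to one comparison: the context the file actually carries (`ls -Z`) against the context the file_contexts database says it should carry (`matchpathcon`). If they differ, `restorecon` fixes it; if they agree, as they did here once the custom `var_run_t` labeling was in place, the denial is a policy gap rather than a labeling error. The following script is an added example, not code from the bug report or from selinux-policy. The AVC record it parses is constructed: the fields up to `dev="tmpfs"` come from the bug summary, while `ino`, `scontext=...iptables_t...`, `tcontext=...var_run_t...` and `tclass=file` are assumed for illustration, as are the `ls -Z` and `matchpathcon` outputs it feeds in.

```python
"""Classify a file-label AVC denial as 'relabel' (restorecon fixes it)
or 'policy_gap' (labels are as designed; the policy lacks the rule).

Added example for this bug thread, not the project's own code.
"""
import re
from typing import Any, Dict, Optional

# Constructed sample AVC record (fields after dev="tmpfs" are assumed).
SAMPLE_AVC = (
    'type=AVC msg=audit(1527065545.123:4567): avc:  denied  { read } for '
    'pid=89057 comm="ebtables" name="ebtables.lock" dev="tmpfs" ino=6913013 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'
)

# Constructed `ls -Z` output (actual label) and two `matchpathcon`
# outputs: the stock file_contexts entry and the custom one from the thread.
LS_Z_OUTPUT = "-rw-------. root root system_u:object_r:var_run_t:s0 /run/ebtables.lock"
MATCHPATHCON_DEFAULT = "/run/ebtables.lock\tsystem_u:object_r:iptables_var_run_t:s0"
MATCHPATHCON_CUSTOM = "/run/ebtables.lock\tsystem_u:object_r:var_run_t:s0"

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be double-quoted (comm, name) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(context: str) -> str:
    """Return the type component (user:role:TYPE:level) of a security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def actual_context_from_ls(ls_z_line: str) -> str:
    """Pick the file context out of an `ls -Z` line (the field holding ':object_r:')."""
    for field in ls_z_line.split():
        if ":object_r:" in field:
            return field
    raise ValueError("no file context found in ls -Z output")


def expected_context_from_matchpathcon(output: str) -> str:
    """matchpathcon prints '<path><TAB><context>'; return the context."""
    return output.split()[-1]


def triage(avc: Dict[str, Any], actual: str, expected: str) -> str:
    """Decide what a file-class denial means.

    'not_a_denial' : the record is a grant, nothing to do
    'stale_avc'    : the file was relabeled after the denial; re-check
    'relabel'      : actual label != expected label; `restorecon -v <path>` fixes it
    'policy_gap'   : label is what file_contexts expects; the policy needs a rule
    """
    if avc["result"] != "denied":
        return "not_a_denial"
    if context_type(actual) != context_type(avc["tcontext"]):
        return "stale_avc"
    if context_type(actual) != context_type(expected):
        return "relabel"
    return "policy_gap"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    actual = actual_context_from_ls(LS_Z_OUTPUT)
    for label, out in (("default fcontext", MATCHPATHCON_DEFAULT),
                       ("custom fcontext", MATCHPATHCON_CUSTOM)):
        verdict = triage(rec, actual, expected_context_from_matchpathcon(out))
        print(f"{label}: {rec['comm']} {rec['perms']} on {rec['name']} -> {verdict}")
```

With the stock file_contexts entry the verdict is `relabel`, which is what the first reply in the thread expected; with the custom `var_run_t` labeling the actual and expected labels agree, the verdict is `policy_gap`, and a local policy module or a policy bug (here the duplicate, bug 1511437) is the right next step rather than another `restorecon`.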