Bug 240228 - AVCs with netlabelctl

Summary: AVCs with netlabelctl
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: OtherQA
Reporter: Linda Knippers <linda.knippers>
Assignee: Daniel Walsh <dwalsh>
CC: dwalsh, ebenes, iboverma, paul.moore, poelstra, sgrubb
Target Milestone: ---
Target Release: ---
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:39:40 UTC

Description Linda Knippers 2007-05-15 20:33:19 UTC
Description of problem:
When I do a "run_init /etc/init.d/netlabel restart" the
command works but I end up with a bunch of AVCs.

Everything seems to work so this isn't blocking anything.

Version-Release number of selected component (if applicable):
LSPP .68 policy.

How reproducible:
Very

Steps to Reproduce:
1. Install a system with the mls (and probably strict) policy
2. run_init /etc/init.d/netlabel restart
3. Look at the AVCs in the audit log

Actual results:
These AVCs (from a run in permissive mode):
type=AVC msg=audit(1179260824.780:4390): avc:  denied  { read write } for 
pid=15247 comm="netlabelctl" name="1" dev=devpts ino=3
scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1179260824.780:4390): arch=c000003e syscall=59
success=yes exit=0 a0=10dd2630 a1=10dd26b0 a2=10de5b10 a3=2 items=0 ppid=15246
pid=15247 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=MAC_MAP_DEL msg=audit(1179260824.784:4391): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
nlbl_domain=lspp_test_netlabel_t res=1
type=MAC_CIPSOV4_DEL msg=audit(1179260824.784:4391): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=100 res=1
type=SYSCALL msg=audit(1179260824.784:4391): arch=c000003e syscall=46
success=yes exit=28 a0=3 a1=7ffff19d7130 a2=0 a3=6c2a178 items=0 ppid=15239
pid=15248 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1179260824.804:4392): avc:  denied  { read } for  pid=15265
comm="netlabelctl" name="netlabel.rules" dev=dm-0 ino=1016650
scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1179260824.804:4392): arch=c000003e syscall=59
success=yes exit=0 a0=10e02740 a1=10dd2010 a2=10de5b10 a3=65 items=0 ppid=15239
pid=15265 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1179260824.804:4392):  path="/etc/netlabel.rules"
type=MAC_CIPSOV4_ADD msg=audit(1179260824.805:4393): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=100
cipso_type=pass res=1
type=SYSCALL msg=audit(1179260824.805:4393): arch=c000003e syscall=46
success=yes exit=48 a0=3 a1=7fff6e7e6e40 a2=0 a3=e8d1058 items=0 ppid=15239
pid=15265 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=MAC_MAP_ADD msg=audit(1179260824.815:4394): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
nlbl_domain=lspp_test_netlabel_t nlbl_protocol=cipsov4 cipso_doi=100 res=1
type=SYSCALL msg=audit(1179260824.815:4394): arch=c000003e syscall=46
success=yes exit=64 a0=3 a1=7fff0c3f5ab0 a2=0 a3=15f2155c items=0 ppid=15239
pid=15272 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)


Expected results:
No AVCs.

Additional info:
audit2allow shows:
#============= netlabel_mgmt_t ==============
allow netlabel_mgmt_t etc_t:file read;
allow netlabel_mgmt_t initrc_devpts_t:chr_file { read write };
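
Added example, not code from the bug report or from the selinux-policy package: a small Python parser that does what audit2allow did for the reporter above. It reads raw audit records, keeps only the AVC denials, extracts the source type, target type, object class and permission set, and merges them into one allow rule per (source, target, class) triple. The sample input is the two denied AVC records copied from the description plus one of the SYSCALL records, to show that non-AVC lines are skipped; the regular expression, the function names and the `comm` extraction are my own assumptions about the record layout, not anything the report states.

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above (two AVC denials and one
# SYSCALL record).  Each record is on one line, as audit.log stores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1179260824.780:4390): avc:  denied  { read write } for  pid=15247 comm="netlabelctl" name="1" dev=devpts ino=3 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1179260824.780:4390): arch=c000003e syscall=59 success=yes exit=0 a0=10dd2630 a1=10dd26b0 a2=10de5b10 a3=2 items=0 ppid=15246 pid=15247 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1179260824.804:4392): avc:  denied  { read } for  pid=15265 comm="netlabelctl" name="netlabel.rules" dev=dm-0 ino=1016650 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Assumed layout of an AVC record: "avc: denied { perms } for ... scontext=...
# tcontext=... tclass=...".  Only the fields audit2allow needs are captured.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] context.

    The MLS range (s0-s15:c0.c1023) after the type is ignored; policy rules
    are written in terms of types, not ranges.
    """
    return ctx.split(':')[2]


def parse_avc_denials(text):
    """Return a list of (source_type, target_type, tclass, perms, comm)
    tuples, one per denied AVC record; granted AVCs and other record types
    are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('decision') != 'denied':
            continue
        comm = COMM_RE.search(line)
        denials.append((
            context_type(m.group('scontext')),
            context_type(m.group('tcontext')),
            m.group('tclass'),
            set(m.group('perms').split()),
            comm.group(1) if comm else None,
        ))
    return denials


def allow_rules(text):
    """Merge the denials into audit2allow-style allow rules.

    Permissions for the same (source, target, class) triple are unioned, so
    separate 'read' and 'write' denials become one '{ read write }' rule.
    Rules are returned sorted so the output is stable.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms, _comm in parse_avc_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

On a real system the input would be the output of `ausearch -m avc -c netlabelctl` after repeating the reproduce steps; on the fixed policy (comment 8) the same call returns an empty list, which is the "No AVCs" expected result. The generated rules are a diagnostic, not a fix: before loading them as a local module, ask whether netlabel_mgmt_t should really read every etc_t file and the caller's devpts terminal, or whether the denial points to a labeling or policy change that belongs in the policy package, as happened here.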

Comment 1 Daniel Walsh 2007-05-16 01:10:54 UTC
Fixed in selinux-policy-2.4.6-71

Comment 2 RHEL Program Management 2007-06-04 20:44:12 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Eduard Benes 2007-08-21 16:27:30 UTC
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 
ASSIGNED.

Comment 6 John Poelstra 2007-08-24 05:13:42 UTC
A fix for this issue should have been included in the packages contained in the
most recent snapshot (partners.redhat.com) for RHEL5.1.  

Requested action: Please verify that your issue is fixed as soon as possible to
ensure that it is included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

More assistance: If you cannot access bugzilla, please reply with a message to
Issue Tracker and I will change the status for you.  If you need assistance
accessing ftp://partners.redhat.com, please contact your Partner Manager.

Comment 7 Paul Moore 2007-08-24 11:14:34 UTC
Yes, I understood the requirements clearly from comment #6, which was posted 
only three days ago.  This is on my short list of action items and will be 
addressed.

Comment 8 Paul Moore 2007-08-27 21:03:53 UTC
I just repeated the reproducing steps listed in the original bug report here 
on a system with RHEL5 Update 1 Snapshot 2 and did not see any of the AVC 
denial messages as originally reported.

Comment 10 errata-xmlrpc 2007-11-07 16:39:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html