Bug 436895

Summary: SELinux is preventing rsyslogd (syslogd_t) "read" to ./System.map-2.6.25-0.95.rc4.fc9 (system_map_t).
Product: [Fedora] Fedora
Reporter: Antonio A. Olivares <olivares14031>
Component: rsyslog
Assignee: Peter Vrabec <pvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh, mcepl, selinux
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-03-13 12:55:01 UTC
Attachments:
- dmesg from failing reboot (flags: none)
- dmesg output from "working" reboot. (flags: none)

Description Antonio A. Olivares 2008-03-10 23:49:19 UTC
Description of problem:
SELinux is preventing rsyslogd (syslogd_t) "read" to
./System.map-2.6.25-0.95.rc4.fc9 (system_map_t).

Version-Release number of selected component (if applicable):
Source RPM Packages           rsyslog-2.0.2-1.fc9

How reproducible:
Upon rebooting to try out new kernel, setroubleshoot fired out warning.  

Steps to Reproduce:
1. turn on machine
2. login to DE
3. open setroubleshoot to see it, 

*happens on one of the two machines*
  
Actual results:
Summary:

SELinux is preventing rsyslogd (syslogd_t) "read" to
./System.map-2.6.25-0.95.rc4.fc9 (system_map_t).

Detailed Description:

SELinux denied access requested by rsyslogd. It is not expected that this access
is required by rsyslogd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./System.map-2.6.25-0.95.rc4.fc9,

restorecon -v './System.map-2.6.25-0.95.rc4.fc9'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:syslogd_t
Target Context                system_u:object_r:system_map_t
Target Objects                ./System.map-2.6.25-0.95.rc4.fc9 [ file ]
Source                        rsyslogd
Source Path                   /sbin/rsyslogd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           rsyslog-2.0.2-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-12.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.95.rc4.fc9 #1 SMP Thu Mar 6 01:17:49 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Sat 08 Mar 2008 07:58:10 AM CST
Last Seen                     Sat 08 Mar 2008 07:58:10 AM CST
Local ID                      b9ac46d0-bfde-485c-8cec-2547c11a4daf
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1204984690.594:21): avc:  denied  { read } for  pid=2913 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.fc9" dev=sda3 ino=6052 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file

host=localhost type=SYSCALL msg=audit(1204984690.594:21): arch=40000003 syscall=5 success=no exit=-13 a0=1357c0 a1=0 a2=1b6 a3=0 items=0 ppid=2912 pid=2913 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)

Expected results:
To work as normal

Additional info:
upon request

Comment 1 Peter Vrabec 2008-03-11 13:20:14 UTC
Could you check if the problem exists even with rsyslog-3.12.1? It was built
in rawhide on Feb 1st. Thanks.

Comment 2 Peter Vrabec 2008-03-11 15:14:45 UTC
*** Bug 436989 has been marked as a duplicate of this bug. ***

Comment 4 Tom London 2008-03-12 20:53:32 UTC
I can't find rsyslog-3.12.1 in koji. If you provide a link, I will test.

cached packages in /var/cache/yum are:
-rw-r--r-- 1 root root 209273 2008-01-18 05:20 rsyslog-2.0.0-1.fc9.i386.rpm
-rw-r--r-- 1 root root 209432 2008-01-22 06:42 rsyslog-2.0.0-2.fc9.i386.rpm
-rw-r--r-- 1 root root 206448 2008-02-13 09:02 rsyslog-2.0.2-1.fc9.i386.rpm
-rw-r--r-- 1 root root 301513 2008-03-07 03:25 rsyslog-3.12.1-1.fc9.i386.rpm

No 3.12.1 :-(

Comment 6 Tom London 2008-03-12 22:59:16 UTC
Well, I got this AVC installing it:

type=AVC msg=audit(1205362698.730:35): avc:  denied  { read } for  pid=7842 comm="rsyslogd" name="System.map-2.6.25-0.113.rc5.git2.fc9" dev=sda3 ino=6056 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file
type=SYSCALL msg=audit(1205362698.730:35): arch=40000003 syscall=5 success=no exit=-13 a0=11a7c0 a1=0 a2=1b6 a3=0 items=0 ppid=7841 pid=7842 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)


Comment 7 Tom London 2008-03-13 00:12:37 UTC
No joy on reboot.

In fact, the first reboot after the update to the new rsyslog caused lots of
issues. A successive reboot seemed to work better. I attach complete outputs
from dmesg for the "next 2 reboots" below.

The "failure" in the first reboot seemed to be avahi and hal not starting.

In any case, in the "working second reboot", I still see this AVC:
type=1400 audit(1205363081.774:4): avc:  denied  { read } for  pid=2232 comm="rsyslogd" name="System.map-2.6.25-0.113.rc5.git2.fc9" dev=sda3 ino=6056 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file



Comment 8 Tom London 2008-03-13 00:14:15 UTC
Created attachment 297865 [details]
dmesg from failing reboot

On this reboot, avahi and hal did not start properly, nor did gdm.  System was
left in "text console" mode.

Comment 9 Tom London 2008-03-13 00:15:24 UTC
Created attachment 297866 [details]
dmesg output from "working" reboot.

This reboot booted up to gdm, and appears functioning, but has same AVC as
prior version.

Comment 10 Daniel Walsh 2008-03-13 12:55:01 UTC
Fixed in selinux-policy-3.3.1-17.fc9

Tom, the first bug is NetworkManager blowing up and trying to run gdb to get a
stack trace.  We are trying to figure out a better way to handle this.
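
The AVC records quoted in the description and in comment 7 differ in SELinux user (unconfined_u vs. system_u) but reduce to the same type-enforcement rule. The following is an added example, not code from the reporter, the commenters or the rsyslog and selinux-policy projects: it parses AVC records in the format shown in this report and derives the allow rule a reviewer would evaluate for a local policy module. The function names are hypothetical; the two sample records are copied from this page and unwrapped.

```python
import re
from collections import defaultdict

# AVC records from this report (description and comment 7), one line each.
SAMPLE_AVCS = [
    'host=localhost type=AVC msg=audit(1204984690.594:21): avc:  denied  { read } for  pid=2913 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.fc9" dev=sda3 ino=6052 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file',
    'type=1400 audit(1205363081.774:4): avc:  denied  { read } for  pid=2232 comm="rsyslogd" name="System.map-2.6.25-0.113.rc5.git2.fc9" dev=sda3 ino=6056 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None  # e.g. the paired SYSCALL record
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the rule is keyed on the type.
        parts = fields[side].split(':')
        if len(parts) < 3:
            return None
        fields[side[0] + 'type'] = parts[2]
    fields['perms'] = m.group('perms').split()
    return fields


def allow_rules(lines):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_text};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Both records yield the single rule for syslogd_t reading system_map_t files, which is the access the selinux-policy update in comment 10 had to account for.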