Bug 440599

Summary: Multiple SELinux denials for snapshot #4
Product: Red Hat Enterprise Linux 5 Reporter: Alexander Todorov <atodorov>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.2CC: borgan, mzazrivec
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0465 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 16:43:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexander Todorov 2008-04-04 09:51:59 UTC 
Description of problem:
There are multiple SELinux denials after @everything install of RHEL 5.2 Server
snap#4

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080402.0
selinux-policy-2.4.6-126

How reproducible:
100%

Steps to Reproduce:
1. @everything install
2.
3.
  
Actual results:
Multiple SELinux denials after machine is rebooted.

Expected results:
No SELinux denials

Additional info:
This is a regression from previous snapshot.
Comment 6 Brock Organ 2008-04-04 19:10:37 UTC 
There appear to be 5 separate kinds of error messages:

1) process "mount" error

type=AVC msg=audit(1207267279.404:30): avc:  denied  { read } for  pid=6139
comm="mount" name="sda1" dev=tmpfs ino=1000
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

if mount is not able to function properly on scsi devices (such as sda1 here),
this should be considered a blocking issue ...

2) process "ip" trying to write to /var/run

type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225
comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

if ip is not able to write out /var/run/<system>/ipsec_setup.out, then part of
the ipsec functionality may be compromised ... so i suspect this should be a
blocking issue

3) hald probing is being denied

type=AVC msg=audit(1207267287.192:38): avc:  denied  { read } for  pid=6693
comm="hald-probe-stor" name="hda" dev=tmpfs ino=4694
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

its not clear how this failure for hal to correctly probe would affect any
functionality, so this may not be a blocker ...

4) smartd tmpfs requests being denied

type=AVC msg=audit(1207267289.660:44): avc:  denied  { read write } for 
pid=6796 comm="smartd" name="sda" dev=tmpfs ino=1009
scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

its not clear what the impact to smartd of this denial is, so it may not be a
blocker ...

5) pam_console is referencing /dev files that have changed label contexts

audit(1207267271.324:4): avc:  denied  { getattr } for  pid=3708
comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=4694
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=blk_file

its not clear what impact to pam is for this denial, so it may not be a blocker ...
Comment 7 Daniel Walsh 2008-04-04 21:56:43 UTC 
THese are caused by labeling not working for some reason or not.

Some tool is creating devices without labeling them correctly.

matchpathcon /dev/hda /dev/sda /dev/sda1
/dev/hda	system_u:object_r:fixed_disk_device_t
/dev/sda	system_u:object_r:fixed_disk_device_t
/dev/sda1	system_u:object_r:fixed_disk_device_t


type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225
comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

THis is also a labeling problem

 matchpathcon /var/run/pluto/ipsec_setup.out
/var/run/pluto/ipsec_setup.out	system_u:object_r:ipsec_var_run_t


Something create /var/run/pluto with the wrong context.  Which is causing the
file to be created with the wrong context.
Comment 8 Milan Zázrivec 2008-04-05 09:46:26 UTC 
(In reply to comment #7)
> type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225
> comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
> scontext=system_u:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> 
> THis is also a labeling problem
> 
>  matchpathcon /var/run/pluto/ipsec_setup.out
> /var/run/pluto/ipsec_setup.out	system_u:object_r:ipsec_var_run_t
> 
> 
> Something create /var/run/pluto with the wrong context.  Which is causing the
> file to be created with the wrong context.

Interestingly enough, this is output from RHEL5.2-Server-20080404.nightly:

# matchpathcon /var/run/pluto/ipsec_setup.out
/var/run/pluto/ipsec_setup.out  system_u:object_r:var_run_t

serefpolicy sources contain a rule
modules/system/ipsec.fc:/var/run/pluto(/.*)?
gen_context(system_u:object_r:ipsec_var_run_t,s0)

yet this rule is not present in the installed package:
# grep pluto /etc/selinux/targeted/contexts/files/file_contexts
#

Any idea what's happening here?
Comment 9 Milan Zázrivec 2008-04-05 15:46:33 UTC 
(In reply to comment #7)
> THese are caused by labeling not working for some reason or not.
> 
> Some tool is creating devices without labeling them correctly.
> 
> matchpathcon /dev/hda /dev/sda /dev/sda1
> /dev/hda	system_u:object_r:fixed_disk_device_t
> /dev/sda	system_u:object_r:fixed_disk_device_t
> /dev/sda1	system_u:object_r:fixed_disk_device_t

These devices get created with a right context, but the thing that causes
them to relabel is the start of openibd service (openib package).

I have to investigate further more.
Comment 10 Milan Zázrivec 2008-04-05 16:25:05 UTC 
I created a separate bugzilla for the problem mentioned in comment #9:
https://bugzilla.redhat.com/show_bug.cgi?id=441054
Comment 11 Daniel Walsh 2008-04-06 09:49:20 UTC 
As far as the ipsec labeling, we do not ship the package in RHEL5.
Comment 12 Milan Zázrivec 2008-04-06 12:14:00 UTC 
We did not ship ipsec in RHEL5 Gold and U1. In RHEL5.2 we have a package
named openswan, which is a free implementation of ipsec.

That avc message about denied write access to /var/run/pluto/ipsec_setup.out
is what happens when the service ipsec starts.
Comment 13 Daniel Walsh 2008-04-08 02:17:12 UTC 
I will dontaudit this in 

selinux-policy-2.4.6-128.el5
Comment 16 Milan Zázrivec 2008-04-09 15:51:26 UTC 
RHEL5.2-Server-20080409.nightly / selinux-policy-2.4.6-128.el5 :

I'm verifying that openswan service start no longer causes selinux denials.
Comment 18 errata-xmlrpc 2008-05-21 16:43:28 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html