Bug 464079
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | avc: denied { search / unlink } for comm="audispd" | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Alexander Todorov <atodorov> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED ERRATA | QA Contact | Alexander Todorov <atodorov> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 5.3 | CC | dwalsh, mmalik, syeghiay |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-01-20 21:30:58 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Alexander Todorov
2008-09-26 08:01:32 UTC
What is audispd labeled? ls -lZ /sbin/audispd?

After install & before upgrade:
-rwxr-x--- root root system_u:object_r:sbin_t /sbin/audispd
After upgrade:
-rwxr-x--- root root system_u:object_r:audisp_exec_t /sbin/audispd

Ok well the second avc should disappear after upgrade also, since audispd will run in a different domain than auditd_t, which is allowed to unlink the sock_file.

Fixed in selinux-policy-2.4.6-161.el5

So why is audispd running as auditd_t and not as audisp_t? The following two roles should have caused auditd_t to transition to audisp_t when it execs the app.

# sesearch --allow -s auditd_t -t audisp_t
Found 1 av rules:
allow auditd_t audisp_t : process { transition signal };

# sesearch --allow -s auditd_t -t audisp_exec_t
Found 1 av rules:
allow auditd_t audisp_exec_t : file { read getattr execute };

What is the label on audispd?

# ls -lZ /sbin/audispd
-rwxr-x--- root root system_u:object_r:audisp_exec_t:s0 /sbin/audispd

Context after install:
-rwxr-x--- root root system_u:object_r:sbin_t /sbin/audispd
Context after the upgrade:
-rwxr-x--- root root system_u:object_r:audisp_exec_t /sbin/audispd

If you do a
# service auditd restart
what does
# ps -eZ | grep audisp
show? If this is running as audisp_t, then you should not see this problem any more.

OK, it's running as audisp_t and indeed I didn't see the problem. I was doing a manual test, but for some reason the automated one failed. Moving back to VERIFIED and will try to find out if this can reproduce more consistently with our automated test case.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2009-0163.html
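The diagnosis above turns on whether auditd_t actually transitions to audisp_t when it execs /sbin/audispd. The script below is an added example, not part of the bug report or the selinux-policy package: it takes constructed samples in the format of `ls -lZ`, `sesearch` and `ps -eZ` output (the real commands would replace the samples on a live host) and checks the full set of prerequisites for the transition, including the entrypoint and type_transition rules the thread does not list.

```shell
#!/bin/sh
# Added example (not from the bug report). Checks the pieces an SELinux domain
# transition needs so that auditd_t ends up running audispd as audisp_t:
# the executable's label, the allow/type_transition rules, and the live domain.
# Inputs are constructed samples so this runs offline; on a real host they
# would come from `ls -lZ /sbin/audispd`, `sesearch`, and `ps -eZ`.

# Constructed `ls -lZ /sbin/audispd` lines: before and after the policy upgrade.
LABEL_BEFORE="-rwxr-x--- root root system_u:object_r:sbin_t /sbin/audispd"
LABEL_AFTER="-rwxr-x--- root root system_u:object_r:audisp_exec_t:s0 /sbin/audispd"

# Constructed rule dump in sesearch's output format (--allow and -T).
RULES='allow auditd_t audisp_exec_t : file { read getattr execute };
allow auditd_t audisp_t : process { transition signal };
allow audisp_t audisp_exec_t : file { entrypoint read execute };
type_transition auditd_t audisp_exec_t : process audisp_t;'

# Constructed `ps -eZ | grep audisp` line after `service auditd restart`.
PS_LINE="system_u:system_r:audisp_t:s0   1234 ?   00:00:00 audispd"

# file_type LS_LINE: the type component of the context in an ls -lZ line.
file_type() { echo "$1" | awk '{print $4}' | cut -d: -f3; }

# proc_type PS_LINE: the domain of a process from a ps -eZ line.
proc_type() { echo "$1" | awk '{print $1}' | cut -d: -f3; }

# has_rule RULES REGEX: succeeds if some rule line matches REGEX.
has_rule() { printf '%s\n' "$1" | grep -Eq "$2"; }

# check_transition SRC EXEC TGT RULES: prints each missing prerequisite of the
# SRC -> TGT transition over EXEC; returns the number of missing pieces.
check_transition() {
  missing=0
  has_rule "$4" "^allow $1 $2 : file .*execute" ||
    { echo "missing: allow $1 $2 : file execute"; missing=$((missing + 1)); }
  has_rule "$4" "^allow $1 $3 : process .*transition" ||
    { echo "missing: allow $1 $3 : process transition"; missing=$((missing + 1)); }
  has_rule "$4" "^allow $3 $2 : file .*entrypoint" ||
    { echo "missing: allow $3 $2 : file entrypoint"; missing=$((missing + 1)); }
  has_rule "$4" "^type_transition $1 $2 : process $3" ||
    { echo "missing: type_transition $1 $2 : process $3"; missing=$((missing + 1)); }
  return $missing
}

echo "label before upgrade: $(file_type "$LABEL_BEFORE")"
echo "label after upgrade:  $(file_type "$LABEL_AFTER")"
echo "running domain:       $(proc_type "$PS_LINE")"
check_transition auditd_t audisp_exec_t audisp_t "$RULES" && echo "transition rules complete"
```

With the pre-upgrade label (sbin_t) no transition can happen regardless of the rules, which is why the daemon stayed in auditd_t and hit the unlink denial; after the upgrade both the label and the rule set are in place.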