Bug 546567
| Summary: | AVCs appeared during setroubleshoot service start/stop when running SElinux in MLS mode | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.4 | ||
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-12-11 20:36:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
setroubleshoot is not supported in an MLS environment. You would need to grab the policy from targeted/strict and make it work in MLS environment. MLS only supports a small subset of apps that run in RHEL5. Anything else the user of MLS is responsible for writing policy for it. |
Description of problem: SELinux seems to block some operations which setroubleshoot init scripts wants to be done during start/stop procedure. Version-Release number of selected component (if applicable): selinux-policy-mls-2.4.6-255.el5 selinux-policy-targeted-2.4.6-255.el5 selinux-policy-2.4.6-255.el5 setroubleshoot-plugins-2.0.4-2.el5 setroubleshoot-server-2.0.5-5.el5 How reproducible: always Steps to Reproduce: 1. setup a MLS machine 2. setenforce 1 3. run_init service setroubleshoot start 4. sleep 1 5. run_init service setroubleshoot stop 6. sleep 1 7. ausearch -m AVC -ts recent ---- time->Fri Dec 11 04:00:10 2009 type=SYSCALL msg=audit(1260522010.186:64): arch=c0000032 syscall=1192 success=no exit=-13 a0=5 a1=2000000006175730 a2=19 a3=20000000075b2544 items=0 ppid=1 pid=30728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1260522010.186:64): avc: denied { write } for pid=30728 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=21954782 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file ---- time->Fri Dec 11 04:00:10 2009 type=SYSCALL msg=audit(1260522010.192:65): arch=c0000032 syscall=1191 success=no exit=-13 a0=5 a1=2000000006175730 a2=2f a3=2000000000250158 items=0 ppid=1 pid=30725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1260522010.192:65): avc: denied { create } for pid=30725 comm="setroubleshootd" name="setroubleshoot_server" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 8. tail -n 1 /var/log/messages Dec 11 04:00:10 nec-nx2-1 setroubleshoot: [server.ERROR] cannot start systen DBus service: Connection ":1.7" is not allowed to own the service "com.redhat.setroubleshootd" due to security policies in the configuration file Actual results: 2 AVCs Expected results: no AVCs