Bug 610812

Summary: SELinux Policy does not allow freeradius2 to disable core dumps
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: low
Target Milestone: rc
Reporter: Ben Wiechman <ben>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, mmalik, syeghiay
Fixed In Version: selinux-policy-2.4.6-281.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 09:21:11 UTC

Description Ben Wiechman 2010-07-02 13:53:21 UTC
Description of problem:
There were modifications to freeradius2 in 2.1.9 related to core dumps. SELinux policy does not allow freeradius 2.1.9 to disable core dumps. 


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5_4.4
freeradius2 - rpms built from official release available at ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.9.tar.gz

How reproducible:
Always


Steps to Reproduce:
** SELinux in Enforcing mode
1. Build and install FR v2.1.9
2. Configure "allow_core_dumps = no" in /etc/raddb/radiusd.conf
3. Start/Restart FR.
  
Actual results:
The following will be logged in the FR log:
Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied

Audit log:
type=SYSCALL msg=audit(1278078430.225:95619): arch=c000003e syscall=1 success=yes exit=1796774 a0=4 a1=2b254a26d000 a2=1b6aa6 a3=0 items=0 ppid=17551 pid=17552 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16471 comm="load_policy" exe="/usr/sbin/load_policy" subj=user_u:system_r:load_policy_t:s0 key=(null)
type=AVC msg=audit(1278078436.202:95620): avc:  denied  { setrlimit } for  pid=17567 comm="radiusd" scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:system_r:radiusd_t:s0 tclass=process
type=SYSCALL msg=audit(1278078436.202:95620): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fff020338f0 a2=0 a3=ea items=0 ppid=17566 pid=17567 auid=500 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts0 ses=16471 comm="radiusd" exe="/usr/sbin/radiusd" subj=user_u:system_r:radiusd_t:s0 key=(null)

I cannot confirm whether FR still produces core dumps upon failure.

Expected results:
No SELinux errors and core dumps successfully disabled. 

Additional info:
audit2allow produces the following policy updates which appear to prevent this behavior:

module freeradius2 1.0;

require {
        type radiusd_t;
        class process setrlimit;
}

#============= radiusd_t ==============
allow radiusd_t self:process setrlimit;
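
The AVC and SYSCALL records above share audit event ID 95620, so they describe one failed call. The following added example (not part of the original report, and not audit2allow's own code) pairs the two records, decodes the syscall, and derives the same allow rule; the function names are hypothetical and the lookup tables cover only the x86_64 values this report needs.

```python
import errno
import re

# Lookup tables limited to what this report needs (x86_64 Linux values).
X86_64_SYSCALLS = {160: "setrlimit"}
RLIMITS = {0: "RLIMIT_CPU", 1: "RLIMIT_FSIZE", 4: "RLIMIT_CORE"}

# The AVC and SYSCALL records from the report (SYSCALL record trimmed).
SAMPLE = (
    'type=AVC msg=audit(1278078436.202:95620): avc:  denied  { setrlimit } for  pid=17567 '
    'comm="radiusd" scontext=user_u:system_r:radiusd_t:s0 '
    'tcontext=user_u:system_r:radiusd_t:s0 tclass=process\n'
    'type=SYSCALL msg=audit(1278078436.202:95620): arch=c000003e syscall=160 success=no '
    'exit=-13 a0=4 a1=7fff020338f0 a2=0 a3=ea items=0 comm="radiusd" exe="/usr/sbin/radiusd"\n'
)

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def fields(line):
    """Split an audit record into its key=value pairs."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))

def explain_denials(log):
    """Pair each AVC denial with the SYSCALL record sharing its event ID."""
    events = {}
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if m:
            events.setdefault(m.group(1), []).append(line)
    results = []
    for event_id, lines in events.items():
        avc = next((AVC.search(l) for l in lines if l.startswith("type=AVC")), None)
        sc = next((fields(l) for l in lines if l.startswith("type=SYSCALL")), None)
        if not avc or not sc or sc.get("arch") != "c000003e":
            continue  # need both records, and only x86_64 is decoded here
        perms, scontext, tcontext, tclass = avc.groups()
        source, target = scontext.split(":")[2], tcontext.split(":")[2]
        perm_text = perms if " " not in perms else "{ %s }" % perms
        name = X86_64_SYSCALLS.get(int(sc["syscall"]), "syscall " + sc["syscall"])
        results.append({
            "event": event_id,
            "syscall": name,
            # a0 is logged in hex; for setrlimit it is the resource being limited
            "resource": RLIMITS.get(int(sc["a0"], 16)) if name == "setrlimit" else None,
            "error": errno.errorcode.get(-int(sc["exit"])),
            "rule": "allow %s %s:%s %s;" % (source, "self" if target == source else target, tclass, perm_text),
        })
    return results
```

For the records in this report, the result shows radiusd calling setrlimit on RLIMIT_CORE and receiving EACCES, which matches the "Failed disabling core dumps: Permission denied" line in the FR log.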

Comment 1 Daniel Walsh 2010-07-12 19:58:30 UTC
This is allowed in RHEL6 and should be backported.

Comment 2 Miroslav Grepl 2010-07-22 09:25:35 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 5 errata-xmlrpc 2011-07-21 09:21:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 6 errata-xmlrpc 2011-07-21 11:49:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html