Bug 628895
| Summary: | init script searches cwd which can cause SELinux denials | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | libcgroup | Assignee: | Ivana Varekova <varekova> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat Kernel QE team <kernel-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.0 | CC: | jsafrane, rvokal |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 13:13:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 672300 | | |
cgconfigparser changes the current directory to the cgroup mount point (which succeeds), but SELinux does not like it when cgconfig tries to change it back to /var/log/audit:

```
getcwd("/var/log/audit", 4096) = 15
mkdir("/", 0775) = -1 EEXIST (File exists) (this is OK)
chdir("/") = 0
mkdir("cgroup/", 0775) = -1 EEXIST (File exists) (this is OK)
chdir("cgroup/") = 0
mkdir("cpuset", 0775) = 0
chdir("cpuset") = 0
chdir("/var/log/audit") = -1 EACCES (Permission denied) (this is WRONG)
```

cgconfigparser should simply not change the current working directory.

Patch sent upstream: http://sourceforge.net/mailarchive/message.php?msg_name=20100901123838.29149.28313.stgit%40dhcp-2-160.brq.redhat.com

Confirmed this is fixed in libcgroup-0.37-1.el6.x86_64. The service can now be started with /etc/init.d/cgconfig start. Also verified that starting/stopping/restarting still works as expected using /sbin/service.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0577.html
Description of problem:

Some administrators don't use the "service" command when managing a service. They still do it this way:

```
/etc/init.d/SERVICE start
/etc/init.d/SERVICE restart
/etc/init.d/SERVICE stop
```

This procedure can cause SELinux denials when an administrator issues the command from an unusual location (usual locations are, for example, / or /root; selinux-policy is aware of the usual locations and the SELinux denials there are dontaudited). I would like to ask to fix the init script in such a way that it does not search for programs in the current working directory.

Version-Release number of selected component (if applicable):

```
libcgroup-0.36.1-6.el6.i686
selinux-policy-3.7.19-42.el6.noarch
selinux-policy-doc-3.7.19-42.el6.noarch
selinux-policy-minimum-3.7.19-42.el6.noarch
selinux-policy-mls-3.7.19-42.el6.noarch
selinux-policy-targeted-3.7.19-42.el6.noarch
```

How reproducible: always

Steps to Reproduce:

```
# cd /var/log/audit
# /etc/init.d/cgconfig start
Starting cgconfig service: Loading configuration file /etc/cgconfig.conf failed
Permission denied
Failed to parse /etc/cgconfig.conf [FAILED]
# /etc/init.d/cgconfig stop
Stopping cgconfig service: [ OK ]
# ausearch -m avc -ts recent
----
time->Tue Aug 31 12:19:25 2010
type=SYSCALL msg=audit(1283249965.670:304): arch=40000003 syscall=12 success=no exit=-13 a0=bfc7fbac a1=bfc7fbac a2=76f168 a3=e items=0 ppid=5645 pid=5648 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cgconfigparser" exe="/sbin/cgconfigparser" subj=unconfined_u:system_r:cgconfig_t:s0 key=(null)
type=AVC msg=audit(1283249965.670:304): avc: denied { search } for pid=5648 comm="cgconfigparser" name="audit" dev=dm-0 ino=9973 scontext=unconfined_u:system_r:cgconfig_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
```

Actual results: an AVC appears

Expected results: no AVC appears

Additional info: