Bug 634089

Summary: running cmirrord on boot generates AVC denial
Product: Red Hat Enterprise Linux 6 Reporter: Eduard Benes <ebenes>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0CC: jbrassow, jkortus, mgrepl, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:55:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 629274    
Bug Blocks:    

Description Eduard Benes 2010-09-15 07:58:10 UTC 
Description of problem:
Configuring cmirrord to start on boot time produces AVC denial. Currently cmirrord_t is in permissive domain and thus the action is allowed (success=yes).
Starting the cmirrord service after boot works and does not produce any AVC denials. It should be noted, the service is uncofigured and using defaults.

# semanage permissive -l | grep cmirrord_t
cmirrord_t

Version-Release number of selected component (if applicable):
cmirror-2.02.72-8.el6.x86_64
selinux-policy-3.7.19-54.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. # chkconfig cmirrord on
2. reboot
3. # ausearch -m avc 
  
Additional info:
----
time->Wed Sep 15 03:12:55 2010
type=SYSCALL msg=audit(1284534775.945:11): arch=c000003e syscall=16 success=yes exit=0 a0=1 a1=5401 a2=7fff66fa37d0 a3=7fff66fa3eb0 items=0 ppid=2239 pid=2240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cmirrord" exe="/usr/sbin/cmirrord" subj=system_u:system_r:cmirrord_t:s0 key=(null)
type=AVC msg=audit(1284534775.945:11): avc:  denied  { sys_tty_config } for  pid=2240 comm="cmirrord" capability=26  scontext=system_u:system_r:cmirrord_t:s0 tcontext=system_u:system_r:cmirrord_t:s0 tclass=capability
----

#============= cmirrord_t ==============
allow cmirrord_t self:capability sys_tty_config;
Comment 1 Daniel Walsh 2010-09-15 12:20:22 UTC 
Miroslav, I believe this should be dontaudited and permissive should be removed from this domain.
Comment 3 Miroslav Grepl 2010-09-15 12:50:37 UTC 
(In reply to comment #1)
> Miroslav, I believe this should be dontaudited and permissive should be removed
> from this domain.

I agree it should be dontaudited and also the cmirrord domain is ready to go without permissive.
Comment 4 Miroslav Grepl 2010-09-16 15:58:14 UTC 
Fixed in selinux-policy-3.7.19-55.el6.noarch.
Comment 9 errata-xmlrpc 2011-05-19 11:55:07 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html