Bug 657568
| Summary: | selinux MLS policy prevents executing of run_init in single user mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Karel Srot <ksrot> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.0 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-60.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 11:57:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
**Description**

Description of problem:
I am not sure whether this functionality is supposed to be working but it seems to me reasonable to be able to start e.g. network in single user mode.

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-57.el6

How reproducible:
always, qemu-kvm virtual machine started into single user mode, using console

Steps to Reproduce:
1. start (virtual) machine in single user mode, open the console
2. run_init service network status/start

Actual results:
nothing happens, I am not even asked for a root password

Expected results:
run_init is working

Additional info:

```
type=1400 audit(1290774024.567:421): avc: denied { read } for pid=790 comm="run_init" name="console" dev=devtmpfs ino=5059 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1290774024.567:422): avc: denied { read } for pid=790 comm="run_init" path="pipe:[10054]" dev=pipefs ino=10054 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fifo_file
type=1400 audit(1290774024.567:423): avc: denied { rlimitinh } for pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.567:424): avc: denied { siginh } for pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.567:425): avc: denied { noatsecure } for pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.884:426): avc: denied { search } for pid=790 comm="run_init" name="dbus" dev=vda2 ino=262233 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=1400 audit(1290774024.888:427): avc: denied { read } for pid=791 comm="unix_chkpwd" name="console" dev=devtmpfs ino=5059 scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1290774024.888:428): avc: denied { rlimitinh } for pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.888:429): avc: denied { siginh } for pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.888:430): avc: denied { noatsecure } for pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
```

following module solved my problem:

```
module runinit 1.0;

require {
	type sysadm_t;
	type chkpwd_t;
	type init_t;
	type system_dbusd_var_run_t;
	type console_device_t;
	type run_init_t;
	class process { siginh noatsecure rlimitinh };
	class fifo_file read;
	class dir search;
	class chr_file read;
}

#============= chkpwd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow chkpwd_t console_device_t:chr_file read;

#============= run_init_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow run_init_t chkpwd_t:process { siginh rlimitinh noatsecure };
#!!!! This avc has a dontaudit rule in the current policy
allow run_init_t console_device_t:chr_file read;
allow run_init_t init_t:fifo_file read;
#!!!! This avc has a dontaudit rule in the current policy
allow run_init_t system_dbusd_var_run_t:dir search;

#============= sysadm_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow sysadm_t run_init_t:process { siginh rlimitinh noatsecure };
```

Btw, to check this module I had to import it in permissive mode since I am not able to do it in enforcing mode in single user mode. Not sure whether this is a bug either.

**Comment 1**

The problem is "/dev/console" is labeled as "console_device_t" and then the following access is needed

```
allow run_init_t console_device_t:chr_file read;
```

**Comment 2**

(In reply to comment #1)
> The problem is "/dev/console" is labeled as "console_device_t"

Of course this is ok.

> and then the following access is needed
>
> allow run_init_t console_device_t:chr_file read;

**Comment 3**

Fixed in selinux-policy-3.7.19-60.el6

**Comment 4**

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
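The module the reporter pasted is the output of audit2allow run over the AVC denials in the description. As an added example (not code from the bug report or from the selinux-policy package), the following Python script shows the core of that aggregation: it parses each `avc: denied` line, extracts the source type, target type, object class and permission, merges denials that share the same triple, and renders a `require` block plus `allow` rules grouped by source type. The sample input is the ten denial lines quoted in the report. Unlike audit2allow, it has no access to the installed policy, so it cannot know which denials are already covered by `dontaudit` rules; every denial becomes a candidate rule, and the reviewer has to decide which ones belong in policy (in this bug only the `run_init_t` to `console_device_t` read ended up in the fixed package).

```python
"""Minimal audit2allow-style generator for SELinux AVC denials.

Added example, not code from bug 657568 or the selinux-policy package.
"""
import re
from collections import defaultdict

# The ten denial lines quoted in the bug description, one per line.
SAMPLE_AVC = """\
type=1400 audit(1290774024.567:421): avc: denied { read } for pid=790 comm="run_init" name="console" dev=devtmpfs ino=5059 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1290774024.567:422): avc: denied { read } for pid=790 comm="run_init" path="pipe:[10054]" dev=pipefs ino=10054 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fifo_file
type=1400 audit(1290774024.567:423): avc: denied { rlimitinh } for pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.567:424): avc: denied { siginh } for pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.567:425): avc: denied { noatsecure } for pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.884:426): avc: denied { search } for pid=790 comm="run_init" name="dbus" dev=vda2 ino=262233 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=1400 audit(1290774024.888:427): avc: denied { read } for pid=791 comm="unix_chkpwd" name="console" dev=devtmpfs ino=5059 scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1290774024.888:428): avc: denied { rlimitinh } for pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.888:429): avc: denied { siginh } for pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.888:430): avc: denied { noatsecure } for pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:mls range] -> the type component."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the parts of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def collect_rules(text):
    """Aggregate denials into {(source type, target type, class): set of perms}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as in .te syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_module(rules, name="runinit", version="1.0"):
    """Render the module header, require block and allow rules grouped by source type."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for key in sorted(k for k in rules if k[0] == stype):
            s, t, c = key
            out.append(f"allow {s} {t}:{c} {fmt_perms(rules[key])};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(generate_module(collect_rules(SAMPLE_AVC)))
```

Running the script reproduces the six `allow` lines of the reporter's module from the ten denials (the three `process` denials per domain pair collapse into one `{ noatsecure rlimitinh siginh }` rule). The `siginh`/`rlimitinh`/`noatsecure` and `dbus` search denials are the ones audit2allow marked as already having `dontaudit` rules, so a generated module like this is a starting point for review, not something to load as-is on an MLS system.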