Bug 660691

Summary: avc: denied { dyntransition } for ia32x_loader
Product: Red Hat Enterprise Linux 5 Reporter: Alexander Todorov <atodorov>
Component: ia32elAssignee: Petr Machata <pmachata>
Status: CLOSED DUPLICATE QA Contact: qe-baseos-tools-bugs
Severity: medium Docs Contact:
Priority: low    
Version: 5.6CC: eric.lin, mnewsome
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-07 16:00:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexander Todorov 2010-12-07 15:48:25 UTC 
Description of problem:

There's SELinux denial when running TPS RHN test case on ia64:


Running: /sbin/ausearch -sv no -m AVC -ts 12/07/2010 10:37:35 SELinux Check: FAIL SELinux AVC messages found: ---- time->Tue Dec 7 10:38:06 2010 type=SYSCALL msg=audit(1291736286.817:5914): arch=c0000032 syscall=1027 success=no exit=-13 a0=5 a1=200000000000c000 a2=2a a3=220 items=0 ppid=17886 pid=21402 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=913 comm="bash" exe="/usr/lib/ia32el/ia32x_loader" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1291736286.817:5914): avc: denied { dyntransition } for pid=21402 comm="bash" scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
Comment 2 Alexander Todorov 2010-12-07 15:54:15 UTC 
# getsebool -a
NetworkManager_disable_trans --> off
aisexec_disable_trans --> off
allow_aisexec_rw_tmpfs --> off
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gpg_execstack --> off
allow_gssd_read_tmp --> on
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> off
allow_mounton_anydir --> on
allow_mplayer_execstack --> off
allow_nfsd_anon_write --> off
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_tftp_anon_write --> off
allow_unconfined_execmem_dyntrans --> off
allow_unconfined_mmap_low --> on
allow_unlabeled_packets --> on
allow_user_mysql_connect --> off
allow_write_xshm --> off
allow_ypbind --> on
allow_zebra_write_config --> on
amanda_disable_trans --> off
amavis_disable_trans --> off
apmd_disable_trans --> off
arpwatch_disable_trans --> off
auditd_disable_trans --> off
automount_disable_trans --> off
avahi_disable_trans --> off
bluetooth_disable_trans --> off
canna_disable_trans --> off
cardmgr_disable_trans --> off
ccs_disable_trans --> off
cdrecord_read_content --> off
clamd_disable_trans --> off
clamscan_disable_trans --> off
clogd_disable_trans --> off
clvmd_disable_trans --> off
comsat_disable_trans --> off
cron_can_relabel --> off
crond_disable_trans --> off
cupsd_config_disable_trans --> off
cupsd_disable_trans --> off
cupsd_lpd_disable_trans --> off
cvs_disable_trans --> off
cyrus_disable_trans --> off
dbskkd_disable_trans --> off
dccd_disable_trans --> off
dccifd_disable_trans --> off
dccm_disable_trans --> off
dhcpc_disable_trans --> off
dhcpd_disable_trans --> off
disable_evolution_trans --> off
disable_games_trans --> off
disable_mozilla_trans --> off
disable_thunderbird_trans --> off
dlm_controld_disable_trans --> off
dnsmasq_disable_trans --> off
dovecot_disable_trans --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_disable_trans --> off
fetchmail_disable_trans --> off
fingerd_disable_trans --> off
freshclam_disable_trans --> off
fsdaemon_disable_trans --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
gfs_controld_disable_trans --> off
global_ssp --> off
gpm_disable_trans --> off
groupd_disable_trans --> off
gssd_disable_trans --> off
hald_disable_trans --> off
hotplug_disable_trans --> off
howl_disable_trans --> off
hplip_disable_trans --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
inetd_child_disable_trans --> off
inetd_disable_trans --> off
innd_disable_trans --> off
ipsec_disable_trans --> off
irqbalance_disable_trans --> off
iscsid_disable_trans --> off
kadmind_disable_trans --> off
klogd_disable_trans --> off
kpropd_disable_trans --> off
krb5kdc_disable_trans --> off
ktalkd_disable_trans --> off
lpd_disable_trans --> off
mail_read_content --> off
mailman_mail_disable_trans --> off
mdadm_disable_trans --> off
mozilla_read_content --> off
mysqld_disable_trans --> off
nagios_disable_trans --> off
named_disable_trans --> off
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
nmbd_disable_trans --> off
nrpe_disable_trans --> off
nscd_disable_trans --> off
ntpd_disable_trans --> off
oddjob_disable_trans --> off
oddjob_mkhomedir_disable_trans --> off
openvpn_disable_trans --> off
openvpn_enable_homedirs --> off
pcscd_disable_trans --> off
pegasus_disable_trans --> off
piranha_fos_disable_trans --> off
piranha_lvs_can_network_connect --> off
piranha_lvs_disable_trans --> off
piranha_pulse_disable_trans --> off
piranha_web_disable_trans --> off
portmap_disable_trans --> off
postfix_disable_trans --> off
postgresql_disable_trans --> off
postgrey_disable_trans --> off
pppd_can_insmod --> off
pppd_disable_trans --> off
pppd_for_user --> off
pptp_disable_trans --> off
prelude_audisp_disable_trans --> off
prelude_disable_trans --> off
prelude_lml_disable_trans --> off
privoxy_connect_any --> off
privoxy_disable_trans --> off
ptal_disable_trans --> off
pyzord_disable_trans --> off
qdiskd_disable_trans --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_disable_trans --> off
racoon_read_shadow --> off
radiusd_disable_trans --> off
radvd_disable_trans --> off
rdisc_disable_trans --> off
read_default_t --> on
read_untrusted_content --> off
readahead_disable_trans --> off
regex_milter_disable_trans --> off
restorecond_disable_trans --> off
rgmanager_can_network_connect --> off
rgmanager_disable_trans --> off
rhgb_disable_trans --> off
ricci_disable_trans --> off
ricci_modclusterd_disable_trans --> off
rlogind_disable_trans --> off
rpcd_disable_trans --> off
rshd_disable_trans --> off
rsync_client --> off
rsync_disable_trans --> off
rsync_export_all_ro --> off
run_ssh_inetd --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_fusefs --> off
samba_share_nfs --> off
saslauthd_disable_trans --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
setrans_disable_trans --> off
setroubleshootd_disable_trans --> off
slapd_disable_trans --> off
smbd_disable_trans --> off
snmpd_disable_trans --> off
spamass_milter_disable_trans --> off
spamassassin_can_network --> off
spamd_disable_trans --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
squid_disable_trans --> off
ssh_sysadm_login --> off
staff_read_sysadm_file --> off
stunnel_disable_trans --> off
stunnel_is_daemon --> off
swat_disable_trans --> off
syslogd_disable_trans --> off
tcpd_disable_trans --> off
telnetd_disable_trans --> off
tftpd_disable_trans --> off
tzdata_disable_trans --> off
udev_disable_trans --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_net_control --> off
user_ping --> on
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
uucpd_disable_trans --> off
vhostmd_disable_trans --> off
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sysfs --> off
virt_use_usb --> on
virtd_disable_trans --> off
winbind_disable_trans --> off
write_untrusted_content --> off
xdm_disable_trans --> off
xdm_sysadm_login --> off
xend_disable_trans --> off
xfs_disable_trans --> off
xm_disable_trans --> off
ypbind_disable_trans --> off
yppasswdd_disable_trans --> off
ypserv_disable_trans --> off
ypxfr_disable_trans --> off
zebra_disable_trans --> off
Comment 3 Alexander Todorov 2010-12-07 16:00:05 UTC 
# cat /usr/share/doc/ia32el-1.7/README-SELINUX
Using Intel IA-32 Execution Layer on SELinux-enabled systems
------------------------------------------------------------

On systems running SELinux in enforcing mode, to support emulation
properly, Intal IA-32 Execution Layer needs the following three
SELinux Booleans to be turned on: "allow_unconfined_execmem_dyntrans",
and "allow_execstack" and "allow_execmem".

When either of "allow_execstack" and "allow_execmem" SELinux Booleans
is turned on, the system will be able to support the emulation, but
AVC denials will appear.

# getsebool allow_unconfined_execmem_dyntrans allow_execmem allow_execstack
allow_unconfined_execmem_dyntrans --> off
allow_execmem --> on
allow_execstack --> on


Looks like we're OK with the settings.

*** This bug has been marked as a duplicate of bug 474152 ***