| Summary: | permissive MLS: AVC appears when starting libvirtd service | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.1 | CC: | dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-03-31 19:49:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:
found by accident

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-80.el6.noarch
selinux-policy-doc-3.7.19-80.el6.noarch
selinux-policy-3.7.19-80.el6.noarch
selinux-policy-targeted-3.7.19-80.el6.noarch
selinux-policy-minimum-3.7.19-80.el6.noarch

How reproducible:
always

Steps to Reproduce:
(the kernel booted up with enforcing=0, root is logged in via console)

```
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# runlevel
S 3
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
# run_init service libvirtd status
Authenticating root.
Password:
libvirtd is stopped
# run_init service libvirtd start
Authenticating root.
Password:
Starting libvirtd daemon:                                  [  OK  ]
Bridge firewalling registered
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk>
device virbr0-nic entered promiscuous mode
virbr0: starting userspace STP failed, starting kernel STP
ip_tables: (C) 2000-2006 Netfilter Core Team
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Ebtables v2.0 registered
ip6_tables: (C) 2000-2006 Netfilter Core Team
lo: Disabled Privacy Extensions
#
```

Actual results:

```
----
time->Wed Mar 30 10:08:23 2011
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff3b0fc a2=cffff4 a3=3 items=0 ppid=2033 pid=2045 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc:  denied  { getattr } for  pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
----
```

Expected results:
no AVCs

---

When I repeat the same procedure in enforcing mode I see no AVCs. This looks like virtd is leaking an open file descriptor to a fifo_file. Probably stdin/stdout/stderr. I think we only care about enforcing mode.
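As an added triage example (not part of the bug report), the script below parses the SYSCALL/AVC pair from "Actual results", joins the two records by their audit serial number, and flags the two things the report turns on: the syscall still returned success=yes (a permissive-mode denial), and the denied object is a pipe whose label belongs to a different domain than the caller, which is the inherited-descriptor pattern the comment describes. The sample log is copied from the records above; all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the "Actual results" section above.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff3b0fc a2=cffff4 a3=3 items=0 ppid=2033 pid=2045 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc:  denied  { getattr } for  pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')     # audit(<time>:<serial>)
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """Turn one audit record into a dict of its fields."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(1))
    m = AVC_RE.search(line)
    if m:  # only AVC records carry the denied/granted { perms } part
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def domain(ctx):
    """user:role:type:range -> type, e.g. insmod_t."""
    return ctx.split(":")[2]

def group_events(log):
    """Join SYSCALL and AVC records that share an audit serial number."""
    events = defaultdict(dict)
    for line in log.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)

def triage(event):
    """Flag a denial that blocked nothing (permissive mode) and a pipe the
    source domain did not open itself but inherited from another domain."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or avc.get("result") != "denied":
        return {}
    src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
    return {
        "source": src, "target": tgt, "perms": avc["perms"],
        "permissive": bool(sc) and sc.get("success") == "yes",
        "leaked_fd": avc.get("tclass") == "fifo_file"
                     and avc.get("path", "").startswith("pipe:[")
                     and src != tgt,
    }
```

Running `triage` over `group_events(SAMPLE_LOG)[85]` reports insmod_t touching a pipe labelled virtd_t, with both flags set.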