Bug 693792
Summary: | Please include SELinux policy for foghorn (runs as initrc_t) | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jaroslav Kortus <jkortus>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 6.1 | CC: | borgan, dwalsh, mmalik, rohara, syeghiay
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-3.7.19-85.el6 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2011-05-19 12:27:37 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 832330 | |
Description (Jaroslav Kortus, 2011-04-05 15:24:20 UTC):
https://bugzilla.redhat.com/show_bug.cgi?id=660324 is the proper foghorn bug, the previously mentioned one covers cluster+dbus.

677802 is for the cluster daemons that emit dbus signals (e.g. fenced, rgmanager). I don't think that is related to how foghorn is labelled.

Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Do we need this for 6.1 or 6.2? We have support for foghorn in RHEL6.1.

Just to state the obvious, foghorn being labelled initrc_t doesn't cause any AVC denials, etc. My understanding is that this is just undesirable.

This appears to be fixed in the latest RHEL6.1 build.

```
# ls -alZ `which foghorn`
-rwxr-xr-x. root root system_u:object_r:foghorn_exec_t:s0 /usr/sbin/foghorn
```

I guess I can mark this modified.

Moving this back to assigned since foghorn daemon generates AVC denials. Details to follow.
```
# rpm -q selinux-policy
selinux-policy-3.7.19-80.el6.noarch
# service foghorn start
Starting foghorn: [ OK ]
```

From audit.log:

```
type=AVC msg=audit(1302126247.066:47137): avc: denied { read } for pid=29852 comm="foghorn" name="mib_indexes" dev=dm-0 ino=1575065 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302126247.066:47137): avc: denied { open } for pid=29852 comm="foghorn" name="mib_indexes" dev=dm-0 ino=1575065 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302126247.066:47137): arch=c000003e syscall=2 success=yes exit=8 a0=7fffb7411410 a1=90800 a2=7fffb741142d a3=7fffb7411040 items=0 ppid=29851 pid=29852 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=184 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302126247.067:47138): avc: denied { read } for pid=29852 comm="foghorn" name="0" dev=dm-0 ino=1575066 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302126247.067:47138): arch=c000003e syscall=2 success=yes exit=9 a0=7fffb7411410 a1=0 a2=1b6 a3=0 items=0 ppid=29851 pid=29852 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=184 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
```

That is allowed in F15. Miroslav, please backport rhce.te to RHEL6.

Yes, I did not add it to RHEL6. It needs to be fixed.
AVC obtained by running all the services together and doing service relocation:

selinux-policy-3.7.19-82.el6.noarch

```
#============= foghorn_t ==============
allow foghorn_t self:udp_socket { ioctl create };
allow foghorn_t snmpd_t:unix_stream_socket connectto;
allow foghorn_t snmpd_var_lib_t:dir { read getattr open search };
allow foghorn_t snmpd_var_lib_t:file { read getattr open };
allow foghorn_t snmpd_var_lib_t:sock_file write;
```

```
$ cat audit.log | grep foghorn
type=AVC msg=audit(1302284078.166:71): avc: denied { getattr } for pid=6309 comm="foghorn" path="/var/lib/net-snmp" dev=dm-0 ino=263109 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.166:71): arch=c000003e syscall=4 success=yes exit=0 a0=2112010 a1=7fff52db8200 a2=7fff52db8200 a3=12 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:72): avc: denied { search } for pid=6309 comm="foghorn" name="net-snmp" dev=dm-0 ino=263109 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.167:72): arch=c000003e syscall=4 success=no exit=-2 a0=7fff52db8290 a1=7fff52db8200 a2=7fff52db8200 a3=fffffff9 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:73): avc: denied { read } for pid=6309 comm="foghorn" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1302284078.167:73): avc: denied { open } for pid=6309 comm="foghorn" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302284078.167:73): arch=c000003e syscall=2 success=yes exit=8 a0=3d91535f32 a1=900 a2=7fff52db8230 a3=7fff52db7dd0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:74): avc: denied { getattr } for pid=6309 comm="foghorn" path="/dev/urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302284078.167:74): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff52db8070 a2=7fff52db8070 a3=7fff52db7dd0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.169:75): avc: denied { read } for pid=6309 comm="foghorn" name="mib_indexes" dev=dm-0 ino=263126 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302284078.169:75): avc: denied { open } for pid=6309 comm="foghorn" name="mib_indexes" dev=dm-0 ino=263126 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.169:75): arch=c000003e syscall=2 success=yes exit=8 a0=7fff52db8290 a1=90800 a2=7fff52db82ad a3=7fff52db7ec0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.169:76): avc: denied { search } for pid=6309 comm="foghorn" name="mib_indexes" dev=dm-0 ino=263126 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302284078.169:76): avc: denied { read } for pid=6309 comm="foghorn" name="0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1302284078.169:76): avc: denied { open } for pid=6309 comm="foghorn" name="0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.169:76): arch=c000003e syscall=2 success=yes exit=9 a0=7fff52db8290 a1=0 a2=1b6 a3=0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.169:77): avc: denied { getattr } for pid=6309 comm="foghorn" path="/var/lib/net-snmp/mib_indexes/0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.169:77): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7fff52db7fd0 a2=7fff52db7fd0 a3=7fff52db7ec0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.170:78): avc: denied { read } for pid=6309 comm="foghorn" name="HOST-RESOURCES-MIB.txt" dev=dm-0 ino=1963610 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1302284078.170:78): avc: denied { open } for pid=6309 comm="foghorn" name="HOST-RESOURCES-MIB.txt" dev=dm-0 ino=1963610 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.170:78): arch=c000003e syscall=2 success=yes exit=8 a0=2114890 a1=0 a2=1b6 a3=0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.171:79): avc: denied { getattr } for pid=6309 comm="foghorn" path="/usr/share/snmp/mibs/HOST-RESOURCES-MIB.txt" dev=dm-0 ino=1963610 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.171:79): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff52db7fa0 a2=7fff52db7fa0 a3=7fff52db7e20 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.257:80): avc: denied { write } for pid=6309 comm="foghorn" name="master" dev=dm-0 ino=262409 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1302284078.257:80): avc: denied { connectto } for pid=6309 comm="foghorn" path="/var/agentx/master" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1302284078.257:80): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff52db7ce0 a2=6e a3=7fff52db7a20 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284104.005:81): avc: denied { create } for pid=6310 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284104.005:81): arch=c000003e syscall=41 success=yes exit=10 a0=2 a1=2 a2=0 a3=7fff52db7cd0 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284104.006:82): avc: denied { ioctl } for pid=6310 comm="foghorn" path="socket:[19642]" dev=sockfs ino=19642 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284104.006:82): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=8912 a2=7fff52db7f00 a3=7fff52db7c80 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284225.441:88): avc: denied { create } for pid=6310 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284225.441:88): arch=c000003e syscall=41 success=yes exit=10 a0=2 a1=2 a2=0 a3=4 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284225.442:89): avc: denied { ioctl } for pid=6310 comm="foghorn" path="socket:[25123]" dev=sockfs ino=25123 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284225.442:89): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=8912 a2=7fff52db7f00 a3=0 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
```

Fixed in selinux-policy-3.7.19-84.el6

When I enable global_ssp boolean, the list of AVCs gets reduced to:

```
----
time->Tue Apr 12 09:36:39 2011
type=SYSCALL msg=audit(1302615399.586:11159): arch=40000003 syscall=102 success=yes exit=8 a0=1 a1=bff1f7c0 a2=fb6cd8 a3=8585b08 items=0 ppid=6114 pid=6115 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302615399.586:11159): avc: denied { create } for pid=6115 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=tcp_socket
----
time->Tue Apr 12 09:36:39 2011
type=SYSCALL msg=audit(1302615399.586:11160): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bff1f7c0 a2=fb6cd8 a3=8585b08 items=0 ppid=6114 pid=6115 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302615399.586:11160): avc: denied { name_connect } for pid=6115 comm="foghorn" dest=705 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1302615399.586:11160): avc: denied { connect } for pid=6115 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=tcp_socket
----
```

Ok, different issues which I need to fix.

Fixed in selinux-policy-3.7.19-85.el6.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
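The thread above pastes raw AVC records and the `allow` rules that audit2allow distils from them. The Python script below is an added example, not part of this bug report, of audit2allow or of selinux-policy: it parses AVC records into the same merged `allow` form and, using the SYSCALL record that shares each denial's audit serial, reports whether the denial was actually enforced. A denial whose syscall has `success=yes` was logged but not blocked, which is what permissive mode or a permissive domain looks like; a `success=no` with an errno other than EACCES (in the thread, ENOENT from the failed `stat` of /var/lib/net-snmp and ECONNREFUSED from the agentx connect) failed for a reason unrelated to SELinux. `SAMPLE` is a subset of the thread's records with the long SYSCALL field lists trimmed; the function names, the `EACCES` constant and the verdict labels are this example's own.

```python
"""Distil SELinux AVC denials into audit2allow-style allow rules and check,
via the SYSCALL record sharing each denial's audit serial, whether the denial
was enforced. Added example for this bug thread, not code from the report,
audit2allow or selinux-policy. SAMPLE is copied from the thread with the long
SYSCALL field lists trimmed; the verdict labels are this example's own."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?'
    r'success=(?P<success>yes|no) exit=(?P<exit>-?\d+)')
EACCES = 13  # errno an enforced SELinux denial normally surfaces as (assumption)


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse(lines):
    """Return (denials, syscalls): denials is a list of
    (serial, source_type, target_type, tclass, perm); syscalls maps
    serial -> (succeeded, exit_value). Record order does not matter."""
    denials, syscalls = [], {}
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            for perm in m["perms"].split():
                denials.append((m["serial"], type_of(m["scon"]),
                                type_of(m["tcon"]), m["tclass"], perm))
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m["serial"]] = (m["success"] == "yes", int(m["exit"]))
    return denials, syscalls


def allow_rules(denials):
    """Merge denials into one rule per (source, target, class), writing
    'self' when source == target as audit2allow does; permissions sorted."""
    merged = defaultdict(set)
    for _, src, tgt, tclass, perm in denials:
        merged[(src, "self" if tgt == src else tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in merged.items():
        p = sorted(perms)
        txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, txt))
    return sorted(rules)


def enforcement(denials, syscalls):
    """serial -> 'logged_only' (syscall still succeeded: permissive mode or a
    permissive domain), 'enforced' (failed with EACCES) or
    'failed_other(errno=N)' (failed for a non-SELinux reason)."""
    verdict = {}
    for serial, *_ in denials:
        if serial not in syscalls:
            verdict[serial] = "no_syscall_record"
            continue
        ok, rc = syscalls[serial]
        if ok:
            verdict[serial] = "logged_only"
        elif -rc == EACCES:
            verdict[serial] = "enforced"
        else:
            verdict[serial] = "failed_other(errno=%d)" % -rc
    return verdict


# Records from the thread, trimmed to the fields the parser uses.
SAMPLE = """\
type=AVC msg=audit(1302284078.166:71): avc: denied { getattr } for pid=6309 comm="foghorn" path="/var/lib/net-snmp" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.166:71): arch=c000003e syscall=4 success=yes exit=0 comm="foghorn" exe="/usr/sbin/foghorn"
type=AVC msg=audit(1302284078.167:72): avc: denied { search } for pid=6309 comm="foghorn" name="net-snmp" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.167:72): arch=c000003e syscall=4 success=no exit=-2 comm="foghorn" exe="/usr/sbin/foghorn"
type=AVC msg=audit(1302284078.167:73): avc: denied { read } for pid=6309 comm="foghorn" name="urandom" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1302284078.167:73): avc: denied { open } for pid=6309 comm="foghorn" name="urandom" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302284078.167:73): arch=c000003e syscall=2 success=yes exit=8 comm="foghorn" exe="/usr/sbin/foghorn"
type=AVC msg=audit(1302284078.257:80): avc: denied { write } for pid=6309 comm="foghorn" name="master" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1302284078.257:80): avc: denied { connectto } for pid=6309 comm="foghorn" path="/var/agentx/master" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1302284078.257:80): arch=c000003e syscall=42 success=yes exit=0 comm="foghorn" exe="/usr/sbin/foghorn"
type=AVC msg=audit(1302284104.005:81): avc: denied { create } for pid=6310 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284104.005:81): arch=c000003e syscall=41 success=yes exit=10 comm="foghorn" exe="/usr/sbin/foghorn"
type=AVC msg=audit(1302284104.006:82): avc: denied { ioctl } for pid=6310 comm="foghorn" path="socket:[19642]" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284104.006:82): arch=c000003e syscall=16 success=yes exit=0 comm="foghorn" exe="/usr/sbin/foghorn"
type=SYSCALL msg=audit(1302615399.586:11160): arch=40000003 syscall=102 success=no exit=-111 comm="foghorn" exe="/usr/sbin/foghorn"
type=AVC msg=audit(1302615399.586:11160): avc: denied { name_connect } for pid=6115 comm="foghorn" dest=705 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1302615399.586:11160): avc: denied { connect } for pid=6115 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=tcp_socket
""".splitlines()

if __name__ == "__main__":
    d, s = parse(SAMPLE)
    print("\n".join(allow_rules(d)))
    for serial, v in sorted(enforcement(d, s).items(), key=lambda kv: int(kv[0])):
        print(serial, v)
```

Feeding the same records to `audit2allow -M` produces a local module that grants exactly what was logged, including `name_connect` to agentx_port_t (705/tcp) and `connectto` to snmpd_t's AgentX socket; the thread resolves this in the distribution policy instead, which is the right place for a daemon shipped by the OS. The urandom denials are the ones the global_ssp boolean covers (read access to urandom for every domain), which is why enabling it shrank the list to the tcp_socket denials. The script assumes one audit record per line, as audit.log is written; it does not replace `ausearch`, which also resolves multi-line and interleaved events.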