Bug 697924
| Summary: | faillock avcs when booting with mls policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Linda Knippers <linda.knippers> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.1 | CC: | dwalsh, ebenes, iboverma, mgrepl, sgrubb |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-87.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-19 12:27:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 584498, 846801, 846802 | ||
SELinux policy packages: selinux-policy-3.7.19-82.el6.noarch selinux-policy-mls-3.7.19-82.el6.noarch selinux-policy-targeted-3.7.19-82.el6.noarch We have in F15 policy auth_manage_faillog(initrc_t) Fixed in selinux-policy-3.7.19-87.el6 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html |
Description of problem: I noticed the following messages when booting my RHEL6.1 snap 3 system with the MLS policy. They happen on every boot. Enabling local filesystem quotas: [ OK ] rm: cannot remove `/var/run/faillock/ljk': Permission denied rm: cannot remove `/var/run/faillock/root': Permission denied Enabling /etc/fstab swaps: [ OK ] Additional info: The files are labeled: # ls -lZd /var/run/faillock drwxr-xr-x. root root system_u:object_r:faillog_t:SystemLow /var/run/faillock # ls -lZ /var/run/faillock -rw-------. ljk root system_u:object_r:faillog_t:SystemLow ljk -rw-------. root root system_u:object_r:faillog_t:SystemLow root The labeling is correct according to restorecon. The AVCs/audit records are: type=AVC msg=audit(1303172721.588:4): avc: denied { write } for pid=1319 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir type=SYSCALL msg=audit(1303172721.588:4): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=7870c0 a2=0 a3=7ffff2928780 items=0 ppid=1312 pid=1319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1303172721.589:5): avc: denied { write } for pid=1320 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir type=SYSCALL msg=audit(1303172721.589:5): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=175b0c0 a2=0 a3=7fffc4635500 items=0 ppid=1312 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) audit2allow shows: #============= initrc_t ============== #!!!! The source type 'initrc_t' can write to a 'dir' of the following types: # etc_runtime_t, mysqld_db_t, initrc_tmp_t, pam_var_console_t, udev_var_run_t, virt_var_lib_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t, var_t, named_conf_t, system_dbusd_var_lib_t, dkim_milter_data_t, lockfile, pidfile, tmpfile, etc_mail_t, device_t, initrc_state_t, etc_t, file_t, fonts_t, postgresql_db_t, tmpfs_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t, var_lib_t, var_run_t, xserver_log_t, virt_cache_t, dhcpc_state_t, squid_log_t, svc_svc_t, var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t, rpm_var_lib_t, net_conf_t, quota_flag_t, var_lib_nfs_t allow initrc_t faillog_t:dir write;