Bug 697924

Summary: faillock avcs when booting with mls policy
Product: Red Hat Enterprise Linux 6 Reporter: Linda Knippers <linda.knippers>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.1CC: dwalsh, ebenes, iboverma, mgrepl, sgrubb
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-87.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 08:27:50 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 584498, 846801, 846802    

Description Linda Knippers 2011-04-19 12:25:36 EDT
Description of problem:

I noticed the following messages when booting my RHEL6.1 snap 3
system with the MLS policy.  They happen on every boot.  

Enabling local filesystem quotas:  [  OK  ]
rm: cannot remove `/var/run/faillock/ljk': Permission denied
rm: cannot remove `/var/run/faillock/root': Permission denied
Enabling /etc/fstab swaps:  [  OK  ]

Additional info:

The files are labeled:

# ls -lZd /var/run/faillock
drwxr-xr-x. root root system_u:object_r:faillog_t:SystemLow /var/run/faillock

# ls -lZ /var/run/faillock
-rw-------. ljk  root system_u:object_r:faillog_t:SystemLow ljk
-rw-------. root root system_u:object_r:faillog_t:SystemLow root

The labeling is correct according to restorecon.

The AVCs/audit records are:
type=AVC msg=audit(1303172721.588:4): avc:  denied  { write } for  pid=1319 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
type=SYSCALL msg=audit(1303172721.588:4): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=7870c0 a2=0 a3=7ffff2928780 items=0 ppid=1312 pid=1319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1303172721.589:5): avc:  denied  { write } for  pid=1320 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
type=SYSCALL msg=audit(1303172721.589:5): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=175b0c0 a2=0 a3=7fffc4635500 items=0 ppid=1312 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)


audit2allow shows:

#============= initrc_t ==============
#!!!! The source type 'initrc_t' can write to a 'dir' of the following types:
# etc_runtime_t, mysqld_db_t, initrc_tmp_t, pam_var_console_t, udev_var_run_t, virt_var_lib_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t, var_t, named_conf_t, system_dbusd_var_lib_t, dkim_milter_data_t, lockfile, pidfile, tmpfile, etc_mail_t, device_t, initrc_state_t, etc_t, file_t, fonts_t, postgresql_db_t, tmpfs_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t, var_lib_t, var_run_t, xserver_log_t, virt_cache_t, dhcpc_state_t, squid_log_t, svc_svc_t, var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t, rpm_var_lib_t, net_conf_t, quota_flag_t, var_lib_nfs_t

allow initrc_t faillog_t:dir write;
Comment 1 Linda Knippers 2011-04-19 12:31:35 EDT
SELinux policy packages:

selinux-policy-3.7.19-82.el6.noarch
selinux-policy-mls-3.7.19-82.el6.noarch
selinux-policy-targeted-3.7.19-82.el6.noarch
Comment 3 Miroslav Grepl 2011-04-20 03:55:47 EDT
We have in F15 policy

auth_manage_faillog(initrc_t)
Comment 5 Miroslav Grepl 2011-04-20 10:52:39 EDT
Fixed in selinux-policy-3.7.19-87.el6
Comment 8 errata-xmlrpc 2011-05-19 08:27:50 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html