Bug 698144

Summary: AVCs appear when starting tgtd
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Karel Srot <ksrot>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1CC: dwalsh, ksrot, mgrepl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-87.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 12:27:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2011-04-20 10:10:46 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-86.el6.noarch
selinux-policy-doc-3.7.19-86.el6.noarch
selinux-policy-mls-3.7.19-86.el6.noarch
selinux-policy-3.7.19-86.el6.noarch
selinux-policy-targeted-3.7.19-86.el6.noarch
scsi-target-utils-1.0.14-2.el6

How reproducible:
always

Steps to Reproduce:
# service tgtd start
Starting SCSI target daemon: [FAILED]
# service tgtd status
tgtd is stopped
# service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [FAILED]
# service tgtd status
tgtd is stopped

  
Actual results (enforcing mode):
----
type=SYSCALL msg=audit(04/20/2011 06:02:55.917:3260) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=6 a1=7fffff669fe0 a2=6e a3=2 items=0 ppid=17717 pid=17718 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=tgtd exe=/usr/sbin/tgtd subj=unconfined_u:system_r:tgtd_t:s0 key=(null) 
type=AVC msg=audit(04/20/2011 06:02:55.917:3260) : avc:  denied  { write } for  pid=17718 comm=tgtd name=run dev=dm-0 ino=2622195 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(04/20/2011 06:02:58.196:3261) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=6 a1=7fffd5b50d30 a2=6e a3=2 items=0 ppid=17765 pid=17766 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=tgtd exe=/usr/sbin/tgtd subj=unconfined_u:system_r:tgtd_t:s0 key=(null) 
type=AVC msg=audit(04/20/2011 06:02:58.196:3261) : avc:  denied  { write } for  pid=17766 comm=tgtd name=run dev=dm-0 ino=2622195 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
time->Wed Apr 20 06:03:48 2011
type=SYSCALL msg=audit(1303293828.107:3263): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fffa3f08e70 a2=6e a3=2 items=0 ppid=18110 pid=18111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1303293828.107:3263): avc:  denied  { create } for  pid=18111 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303293828.107:3263): avc:  denied  { add_name } for  pid=18111 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1303293828.107:3263): avc:  denied  { write } for  pid=18111 comm="tgtd" name="run" dev=dm-0 ino=2622195 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Apr 20 06:03:50 2011
type=SYSCALL msg=audit(1303293830.622:3265): arch=c000003e syscall=87 success=yes exit=0 a0=7fffe6a0bc00 a1=4309fa a2=26 a3=7fffe6a0b980 items=0 ppid=18171 pid=18172 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1303293830.622:3265): avc:  denied  { unlink } for  pid=18172 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" dev=dm-0 ino=2623284 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303293830.622:3265): avc:  denied  { remove_name } for  pid=18172 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" dev=dm-0 ino=2623284 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----

Expected results:
no AVCs
Comment 1 Miroslav Grepl 2011-04-20 11:34:48 UTC 
I added fixes to F15. I am adding it to RHEL6.
Comment 3 Miroslav Grepl 2011-04-20 14:52:13 UTC 
Fixed in selinux-policy-3.7.19-87.el6
Comment 6 errata-xmlrpc 2011-05-19 12:27:55 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html