Bug 698923

Summary: selinux prevents kadmin from setsched operation
Product: Red Hat Enterprise Linux 6 Reporter: Ondrej Moriš <omoris>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-96.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:07:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2011-04-22 09:59:55 UTC 
Description of problem:

Selinux is preventing kadmin from setched operation. Even though this denial has (probably) not any harmfull effect (i.e. everything works fine), I am quite sure that the test triggering this AVC does not do anything specific or unsual and hence there is probably missing rule / transition in the policy.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-84.el6.noarch
selinux-policy-3.7.19-84.el6.noarch

How reproducible:

Always.

Steps to Reproduce:

1. Run RHTS test /CoreOS/openldap/Sanity/integration-kerberos.
2. Run ausearch -m AVC -ts recent.
  
Actual results:

type=AVC msg=audit(1303374113.787:46063): avc:  denied  { setsched } for  pid=6402 comm="kadmind" scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=unconfined_u:system_r:kadmind_t:s0 tclass=process

Expected results:

No AVC.

Additional info:

I am not sure if such a reproducer is correct. If not, I will be more than happy to provide a more detailed one. Just ask.
Comment 1 Daniel Walsh 2011-04-22 11:37:11 UTC 
I fixed this in F15 and F16 policy.  Needs back port to RHEL5 and RHEL6 as well as F14
Comment 2 Miroslav Grepl 2011-05-27 11:56:55 UTC 
Fixed in selinux-policy-3.7.19-96.el6
Comment 5 errata-xmlrpc 2011-12-06 10:07:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html