Bug 699063
| Field | Value |
|---|---|
| Summary: | netlabelctl can't be run by init |
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Linda Knippers <linda.knippers> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA |
| QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high |
| Priority: | high |
| Version: | 6.1 |
| CC: | dwalsh, iboverma, ksrot, mmalik, paul.moore, syeghiay |
| Target Milestone: | rc |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.7.19-91.el6 |
| Doc Type: | Bug Fix |
| Last Closed: | 2011-05-19 12:27:59 UTC |
| Bug Blocks: | 584498, 846801, 846802 |
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Linda, what were the AVCs you saw to generate this?

I knew you were going to ask me that. I don't think I still have them, but I can recreate them if I unload my policy module, which was generated using those AVCs. It will take me a little while to get on the system.

I think we need to add init_system_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)

Created attachment 494689 [details]
Netlabel AVCs from system boot

These are the AVCs from boot. I don't recall why I had to add read and write.
Miroslav, add the init_system_domain and this should fix the problem.

Fixed in selinux-policy-3.7.19-88.el6

Bug is not fixed in selinux-policy-3.7.19-90.el6.noarch; there is a problem when executing the netlabel service using run_init.

```
# run_init service netlabel start
```

doesn't work but produces the following DONTAUDITED AVCs:

```
type=AVC msg=audit(1303894153.272:147): avc: denied { read write } for pid=2873 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
```

In PERMISSIVE mode there is also { getattr } required:

```
# cat /var/log/audit/audit.log | grep netlabel | egrep -v '(noatsecure|siginh|rlimitinh)'
type=AVC msg=audit(1303894398.896:168): avc: denied { read write } for pid=3078 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894398.896:168): arch=c000003e syscall=59 success=yes exit=0 a0=bf1800 a1=bcae00 a2=c08270 a3=7fff488ba780 items=0 ppid=3077 pid=3078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1303894403.923:171): avc: denied { getattr } for pid=3227 comm="netlabelctl" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894403.923:171): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fffa0192e80 a2=7fffa0192e80 a3=7fffa01934c0 items=0 ppid=3223 pid=3227 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
```

The netlabel service seems to start properly during boot, although the following AVC (this time it is not dontaudited) appears in the log:

```
# grep netlabel /var/log/audit/audit.log
type=AVC msg=audit(1303895369.165:14): avc: denied { read write } for pid=964 comm="netlabelctl" path="/dev/console" dev=devtmpfs ino=5058 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
```

my REPRODUCER:

```
# cat > /etc/netlabel.rules <<EOF
netlabelctl cipsov4 add pass doi:6000 tags:1
netlabelctl map add domain:"foo_t" protocol:cipsov4,6000
#netlabelctl map del domain:"foo_t"
#netlabelctl cipsov4 del doi:6000
EOF
# setenforce 1 # or setenforce 0 to see all required permissions
# semodule -DB # this is required to see dontaudited rules with -90 policy
# run_init service netlabel start
# run_init service netlabel status
# run_init service netlabel stop
```
Karel, could you test it with a local policy which will contain term_use_all_terms(netlabel_mgmt_t)? It should work.

With term_use_all_terms(netlabel_mgmt_t) it is working fine, no AVC.

Fixed in selinux-policy-3.7.19-91.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html
Description of problem:
netlabel has a config file that allows netlabelctl commands to be run when starting the netlabel service through init. However, running netlabelctl at boot time or using run_init with the mls policy fails, generating some AVCs.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch
selinux-policy-mls-3.7.19-82.el6.noarch
selinux-policy-targeted-3.7.19-82.el6.noarch
netlabel_tools-0.19-7.el6.x86_64

Additional info:
I was able to fix the problem with this little policy module, although there's probably a better way to fix it in the system/netlabel.te file.

```
policy_module(mynetlabel, 1.3)

gen_require(`
	type initrc_t;
')

allow initrc_t self:netlink_socket { create bind getattr read setopt write };
```
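As an added illustration (not code from the bug report or from selinux-policy), the following Python script parses AVC denial records like the ones quoted in the comments, aggregates the missing permissions per (source type, target type, object class) the way audit2allow does, and flags the terminal-device denials that the thread resolved with term_use_all_terms(netlabel_mgmt_t). The sample log lines are constructed from the records quoted above; the mapping from terminal object types to that interface is an assumption made for triage, not a statement about the reference policy source.

```python
import re
from collections import defaultdict

# Constructed sample: the netlabelctl denials quoted in the bug comments (one SYSCALL record kept
# to show that non-AVC records are ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1303894398.896:168): avc: denied { read write } for pid=3078 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894398.896:168): arch=c000003e syscall=59 success=yes exit=0 comm="netlabelctl" exe="/sbin/netlabelctl"
type=AVC msg=audit(1303894403.923:171): avc: denied { getattr } for pid=3227 comm="netlabelctl" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1303895369.165:14): avc: denied { read write } for pid=964 comm="netlabelctl" path="/dev/console" dev=devtmpfs ino=5058 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
"""

# Pull the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Terminal object types seen in this bug; treating them as covered by term_use_all_terms()
# is an assumption for triage purposes.
TERMINAL_TYPES = {"initrc_devpts_t", "console_device_t", "devpts_t", "tty_device_t"}


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def allow_rules(rules):
    """Render the aggregated denials as allow rules, the raw form audit2allow would print."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def suggest_interfaces(rules):
    """Name the domains whose only chr_file denials are on terminals, the case this bug hit."""
    domains = {s for (s, t, c) in rules if c == "chr_file" and t in TERMINAL_TYPES}
    return [f"term_use_all_terms({d})" for d in sorted(domains)]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(found)))
    print("\n".join(suggest_interfaces(found)))
```

Raw allow rules on initrc_devpts_t and console_device_t are what a quick audit2allow run would produce; the interface line is the policy-level fix the thread converged on instead.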