Bug 699063

| Field | Value |
|---|---|
| Summary | netlabelctl can't be run by init |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Linda Knippers <linda.knippers> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 6.1 |
| CC | dwalsh, iboverma, ksrot, mmalik, paul.moore, syeghiay |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.7.19-91.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2011-05-19 12:27:59 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 584498, 846801, 846802 |
| Attachments | |
Description
Linda Knippers
2011-04-22 21:50:13 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Linda, what were the AVCs you saw to generate this?

I knew you were going to ask me that. I don't think I still have them, but I can recreate them if I unload my policy module, which was generated using those AVCs. It will take me a little while to get on the system.

I think we need to add init_system_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)

Created attachment 494689 [details]
Netlabel avcs from system boot

These are the AVCs from boot. I don't recall why I had to add read and write.

Miroslav, add the init_system_domain and this should fix the problem.

Fixed in selinux-policy-3.7.19-88.el6

Bug is not fixed in selinux-policy-3.7.19-90.el6.noarch. There is a problem when executing the netlabel service using run_init.

```
# run_init service netlabel start
```

doesn't work but produces the following DONTAUDITED AVCs:

```
type=AVC msg=audit(1303894153.272:147): avc: denied { read write } for pid=2873 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
```

In PERMISSIVE mode there is also { getattr } required:

```
# cat /var/log/audit/audit.log | grep netlabel | egrep -v '(noatsecure|siginh|rlimitinh)'
type=AVC msg=audit(1303894398.896:168): avc: denied { read write } for pid=3078 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894398.896:168): arch=c000003e syscall=59 success=yes exit=0 a0=bf1800 a1=bcae00 a2=c08270 a3=7fff488ba780 items=0 ppid=3077 pid=3078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1303894403.923:171): avc: denied { getattr } for pid=3227 comm="netlabelctl" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894403.923:171): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fffa0192e80 a2=7fffa0192e80 a3=7fffa01934c0 items=0 ppid=3223 pid=3227 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
```

The netlabel service seems to start properly during boot, although the following AVC (this time it is not dontaudited) appears in the log:

```
# grep netlabel /var/log/audit/audit.log
type=AVC msg=audit(1303895369.165:14): avc: denied { read write } for pid=964 comm="netlabelctl" path="/dev/console" dev=devtmpfs ino=5058 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
```

my REPRODUCER:

```
# cat > /etc/netlabel.rules <<EOF
netlabelctl cipsov4 add pass doi:6000 tags:1
netlabelctl map add domain:"foo_t" protocol:cipsov4,6000
#netlabelctl map del domain:"foo_t"
#netlabelctl cipsov4 del doi:6000
EOF
# setenforce 1 # or setenforce 0 to see all required permissions
# semodule -DB # this is required to see dontaudited rules with -90 policy
# run_init service netlabel start
# run_init service netlabel status
# run_init service netlabel stop
```

Karel, could you test it with a local policy which will contain term_use_all_terms(netlabel_mgmt_t)? It should work.

With term_use_all_terms(netlabel_mgmt_t) it is working fine, no AVC.

Fixed in selinux-policy-3.7.19-91.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
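The triage step behind the comments above, parsing the AVC records and merging them by source type, target type and object class so the missing permissions are visible at a glance, written as an added example (not code from the bug or from the selinux-policy package). The sample log is constructed from the AVC lines quoted in the bug; the resulting raw allow rules are what a tool like audit2allow would emit, whereas the actual fix used the refpolicy term_use_all_terms() interface to cover the terminal types in one line.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in the bug comments above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1303894398.896:168): avc: denied { read write } for pid=3078 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894398.896:168): arch=c000003e syscall=59 success=yes exit=0 comm="netlabelctl" exe="/sbin/netlabelctl"
type=AVC msg=audit(1303894403.923:171): avc: denied { getattr } for pid=3227 comm="netlabelctl" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1303895369.165:14): avc: denied { read write } for pid=964 comm="netlabelctl" path="/dev/console" dev=devtmpfs ino=5058 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
"""

# Matches the permission set and the three context fields of an AVC denial record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial in the log."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        perms = tuple(sorted(m.group("perms").split()))
        yield (context_type(m.group("scontext")), context_type(m.group("tcontext")),
               m.group("tclass"), perms)


def summarize_denials(log_text):
    """Merge denials by (source, target, class) and union their permission sets."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        merged[(src, tgt, cls)].update(perms)
    return {key: tuple(sorted(perms)) for key, perms in merged.items()}


def as_allow_rules(summary):
    """Render the merged denials as raw allow rules, one per (source, target, class)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```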