Bug 699063

Summary: netlabelctl can't be run by init
Product: Red Hat Enterprise Linux 6 Reporter: Linda Knippers <linda.knippers>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: high    
Version: 6.1CC: dwalsh, iboverma, ksrot, mmalik, paul.moore, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-91.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 08:27:59 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 584498, 846801, 846802    
Attachments:
Description Flags
Netlabel avcs from system boot none

Description Linda Knippers 2011-04-22 17:50:13 EDT
Description of problem:
netlabel has a config file that allows netlabelctl commands to be run when 
starting the netlabel service through init.  However, running netlabelctl
at boot time or using run_init with the mls policy fails, generating some AVCs.

Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-82.el6.noarch
selinux-policy-mls-3.7.19-82.el6.noarch
selinux-policy-targeted-3.7.19-82.el6.noarch
netlabel_tools-0.19-7.el6.x86_64

Additional info:

I was able to fix the problem with this little policy module,
although there's probably a better way to fix it in the 
system/netlabel.te file.

policy_module(mynetlabel, 1.3)
gen_require(`
type initrc_t;
')

allow initrc_t self:netlink_socket { create bind getattr read setopt write};
Comment 2 RHEL Product and Program Management 2011-04-23 02:00:44 EDT
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 3 Daniel Walsh 2011-04-25 09:51:44 EDT
Linda what were the AVC's you saw to generate this?
Comment 4 Linda Knippers 2011-04-25 10:10:23 EDT
I knew you were going to ask me that.  I don't think I still have them but I can recreate them if I unload my policy module, which was generated using those AVCs.  Will take me little while to get on the system.
Comment 5 Daniel Walsh 2011-04-25 10:46:44 EDT
I think we need to add

init_system_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
Comment 6 Linda Knippers 2011-04-25 11:21:29 EDT
Created attachment 494689 [details]
Netlabel avcs from system boot

These are the AVCs from boot.  I don't recall why I had to add read and write.
Comment 7 Daniel Walsh 2011-04-25 11:29:38 EDT
Miroslav add the init_system_domain and this should fix the problem
Comment 9 Miroslav Grepl 2011-04-26 06:38:51 EDT
Fixed in selinux-policy-3.7.19-88.el6
Comment 12 Karel Srot 2011-04-27 05:27:52 EDT
Bug is not fixed in
selinux-policy-3.7.19-90.el6.noarch

there is a problem when executing netlabel service using run_init. 

# run_init service netlabel start

doesn't work but produce following DONTAUDITED AVCs:

type=AVC msg=audit(1303894153.272:147): avc:  denied  { read write } for  pid=2873 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file

In PERMISSIVE mode there is also { getattr } required:

# cat /var/log/audit/audit.log  | grep netlabel | egrep -v '(noatsecure|siginh|rlimitinh)'
type=AVC msg=audit(1303894398.896:168): avc:  denied  { read write } for  pid=3078 comm="netlabelctl" name="4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894398.896:168): arch=c000003e syscall=59 success=yes exit=0 a0=bf1800 a1=bcae00 a2=c08270 a3=7fff488ba780 items=0 ppid=3077 pid=3078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1303894403.923:171): avc:  denied  { getattr } for  pid=3227 comm="netlabelctl" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1303894403.923:171): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fffa0192e80 a2=7fffa0192e80 a3=7fffa01934c0 items=0 ppid=3223 pid=3227 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=2 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)


netlabel service seems to start properly during the boot although following AVC (this time it is not dontaudited) appears in the log:

# grep netlabel /var/log/audit/audit.log 
type=AVC msg=audit(1303895369.165:14): avc:  denied  { read write } for  pid=964 comm="netlabelctl" path="/dev/console" dev=devtmpfs ino=5058 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

my REPRODUCER:
# cat > /etc/netlabel.rules <<EOF
netlabelctl cipsov4 add pass doi:6000 tags:1
netlabelctl map add domain:"foo_t" protocol:cipsov4,6000
#netlabelctl map del domain:"foo_t"
#netlabelctl cipsov4 del doi:6000
EOF
# setenforce 1    # or setenforce 0 to see all required permissions
# semodule -DB   # this is required to see dontaudited rules witn -90 policy
# run_init service netlabel start
# run_init service netlabel status
# run_init service netlabel stop
Comment 13 Miroslav Grepl 2011-04-27 06:37:16 EDT
Karel,
could you test it with local policy which will contain

term_use_all_terms(netlabel_mgmt_t)

it should work.
Comment 14 Karel Srot 2011-04-27 07:37:06 EDT
With term_use_all_terms(netlabel_mgmt_t) it si working fine, no AVC.
Comment 15 Miroslav Grepl 2011-04-27 09:40:34 EDT
Fixed in selinux-policy-3.7.19-91.el6
Comment 17 errata-xmlrpc 2011-05-19 08:27:59 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html