Bug 706448

Summary: avc: denied when a NIS user is configured in /etc/cgrules.conf
Product: Red Hat Enterprise Linux 6
Reporter: Jason Baron <jbaron>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: high
Version: 6.1
CC: dwalsh, knoel, mgrepl, mmalik, syeghiay
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-98
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:08:06 UTC

Description Jason Baron 2011-05-20 16:03:07 UTC
Description of problem:

If I add a NIS username to /etc/cgrules.conf, I get an avc: denied message which prevents cgroups from properly applying rules to NIS users.

Version-Release number of selected component (if applicable):


How reproducible:

put a NIS user rule into /etc/cgrules.conf


Steps to Reproduce:
1. edit /etc/cgrules.conf adding:  jbaron:/tmp/loop cpu            low-priority
2. start cgconfig service
3. start cgred service
  
Actual results:

From the audit.log file:

type=AVC msg=audit(1305907326.265:264): avc:  denied  { create } for  pid=24941 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket



Expected results:

Cgroups properly adds rules for NIS users.

Additional info:

Comment 2 Milos Malik 2011-05-23 07:38:05 UTC
Easy to reproduce:
----
time->Mon May 23 03:35:34 2011
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf873854 a2=514ff4 a3=93a0b28 items=0 ppid=15863 pid=15864 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3582 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc:  denied  { create } for  pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----

# rpm -qa | grep -e selinux-policy -e ypbind -e ypserv | sort
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
ypbind-1.20.4-29.el6.i686
ypserv-2.19-18.el6.i686
#

Comment 3 Miroslav Grepl 2011-05-23 08:30:25 UTC
Could you test it also with

# semanage permissive -a cgred_t

Comment 4 Milos Malik 2011-05-23 09:50:39 UTC
Following AVCs appeared when ypbind and ypserv were not running:
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44671): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44671): avc:  denied  { node_bind } for  pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44671): avc:  denied  { bind } for  pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.801:44670): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bf994164 a2=514ff4 a3=8cebb28 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.801:44670): avc:  denied  { create } for  pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44672): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44672): avc:  denied  { name_connect } for  pid=18695 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44672): avc:  denied  { connect } for  pid=18695 comm="cgrulesengd" lport=58245 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44673): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8cebc50 a2=3c a3=3c items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44673): avc:  denied  { write } for  pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44674): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8cebde0 a2=190 a3=8cebba0 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44674): avc:  denied  { read } for  pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----

Comment 5 Milos Malik 2011-05-23 09:53:50 UTC
Following AVCs appeared when ypbind and ypserv were running:
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.951:44687): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c4e4 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.951:44687): avc:  denied  { create } for  pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.952:44688): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.952:44688): avc:  denied  { node_bind } for  pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.952:44688): avc:  denied  { bind } for  pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44689): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44689): avc:  denied  { name_connect } for  pid=18897 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44689): avc:  denied  { connect } for  pid=18897 comm="cgrulesengd" lport=44500 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44690): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8731c50 a2=3c a3=3c items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44690): avc:  denied  { write } for  pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44691): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8731de0 a2=190 a3=8731ba0 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44691): avc:  denied  { read } for  pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44692): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c510 a2=514ff4 a3=bff8c524 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44692): avc:  denied  { net_bind_service } for  pid=18897 comm="cgrulesengd" capability=10  scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc:  denied  { name_bind } for  pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.954:44693): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c548 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.954:44693): avc:  denied  { name_connect } for  pid=18897 comm="cgrulesengd" dest=797 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44694): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44694): avc:  denied  { create } for  pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44695): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4f4 a2=514ff4 a3=bff8c508 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44695): avc:  denied  { node_bind } for  pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc:  denied  { name_bind } for  pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc:  denied  { bind } for  pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44696): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44696): avc:  denied  { setopt } for  pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44697): arch=40000003 syscall=102 success=yes exit=88 a0=b a1=bff8c508 a2=514ff4 a3=8731b30 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44697): avc:  denied  { write } for  pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:46 2011
type=SYSCALL msg=audit(1306144306.001:44698): arch=40000003 syscall=102 success=yes exit=92 a0=c a1=bff8c508 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144306.001:44698): avc:  denied  { read } for  pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----

Comment 6 Daniel Walsh 2011-05-23 16:12:25 UTC
It looks like it needs auth_use_nsswitch(cgred_t).

Comment 7 Daniel Walsh 2011-05-23 16:14:51 UTC
nm -D /sbin/cgrulesengd | grep pw
                 U getpwnam


It needs auth_use_nsswitch
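
Added example, not code from this bug report or from the selinux-policy project: a Python script that reads the audit records quoted in the Description and in Comments 2, 4 and 5 the way a policy maintainer would. It ties each AVC to its SYSCALL record by serial and decodes the i386 socketcall multiplexer hiding behind syscall=102 (so { create }, { connect } and { setopt } map back to socket(), connect() and setsockopt()), tells the enforced denial in Comment 2 (success=no, exit=-13 is EACCES) from the permissive-mode records collected after Comment 3 (success=yes), collapses the AVCs into the allow rules audit2allow would print, and then checks for the NIS-over-RPC signature (name_connect to portmap_port_t on port 111 plus reserved-port binds on hi_reserved_port_t, over both TCP and UDP) together with the undefined getpwnam symbol from Comment 7, which is why the correct fix is the auth_use_nsswitch() interface rather than those raw allows. The sample records are abridged copies of the ones above; the module name local_cgred, the NSS_LOOKUPS symbol list and the make/semodule build step are this example's own assumptions.

```python
import re

# Constructed sample: records copied from Comments 2, 4 and 5 above, with the
# SYSCALL lines abridged to the fields this script reads.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf873854 a2=514ff4 a3=93a0b28 pid=15864 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc:  denied  { create } for  pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1306144305.953:44689): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c4e4 a2=514ff4 a3=4 pid=18897 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44689): avc:  denied  { name_connect } for  pid=18897 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44689): avc:  denied  { connect } for  pid=18897 comm="cgrulesengd" lport=44500 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44692): avc:  denied  { net_bind_service } for  pid=18897 comm="cgrulesengd" capability=10  scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc:  denied  { name_bind } for  pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1306144305.976:44696): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bff8c52c a2=514ff4 a3=8731b28 pid=18897 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44696): avc:  denied  { setopt } for  pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
"""

# i386 socketcall(2) multiplexer: under arch=40000003 (AUDIT_ARCH_I386) syscall
# 102 is socketcall and a0 selects the real operation the AVC permission is about.
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
              6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send", 10: "recv",
              11: "sendto", 12: "recvfrom", 13: "shutdown", 14: "setsockopt", 15: "getsockopt"}
# libc lookups that are answered through nsswitch.conf (assumed list for this example).
NSS_LOOKUPS = {"getpwnam", "getpwuid", "getgrnam", "getgrgid", "getgrouplist",
               "initgroups", "gethostbyname", "getaddrinfo", "getspnam"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')


def parse_records(text):
    """Audit lines -> dicts of fields; AVC records also carry 'verdict' and a 'perms' list."""
    records = []
    for line in text.splitlines():
        m = re.search(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):', line)
        if not m:
            continue
        rec, rest = {"type": m.group(1), "serial": int(m.group(2))}, line[m.end():]
        if rec["type"] == "AVC":
            a = AVC.search(rest)
            rec["verdict"], rec["perms"], rest = a.group(1), a.group(2).split(), a.group(3)
        rec.update((k, v.strip('"')) for k, v in KV.findall(rest))
        records.append(rec)
    return records


def decode_syscall(rec):
    """(operation, mode, exit): 'enforced' for a real denial (success=no, exit=-13 is
    EACCES), 'permissive' when the kernel only logged it, as after 'semanage permissive -a'."""
    op = "syscall " + rec["syscall"]
    if rec["arch"] == "40000003" and rec["syscall"] == "102":
        op = "socketcall:" + SOCKETCALL.get(int(rec["a0"], 16), "?")
    return op, ("enforced" if rec["success"] == "no" else "permissive"), int(rec["exit"])


def avc_rules(records):
    """Collapse denials into audit2allow-style rules:
    (source type, target type or 'self', class) -> set of permissions."""
    rules = {}
    for r in records:
        if r["type"] == "AVC" and r["verdict"] == "denied":
            s, t = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
            rules.setdefault((s, "self" if s == t else t, r["tclass"]), set()).update(r["perms"])
    return rules


def render_rules(rules):
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in rules.items()]


def looks_like_nss_rpc(rules, domain):
    """Signature of an NSS lookup answered over NIS (Sun RPC): TCP name_connect to
    portmap_port_t (port 111) plus binds to reserved ports (hi_reserved_port_t, via
    bindresvport as root).  Those targets belong to the lookup path, not to the daemon."""
    return ("name_connect" in rules.get((domain, "portmap_port_t", "tcp_socket"), set())
            and any(s == domain and t == "hi_reserved_port_t" and "name_bind" in p
                    for (s, t, c), p in rules.items()))


def nss_symbols(nm_output):
    """From 'nm -D' output (Comment 7), the undefined symbols that resolve through NSS;
    versioned names such as getpwnam@GLIBC_2.0 are normalised before matching."""
    syms = [ln.split()[-1].split("@")[0] for ln in nm_output.splitlines()
            if len(ln.split()) >= 2 and ln.split()[-2] == "U"]
    return [s for s in syms if s in NSS_LOOKUPS]


def draft_module(domain, rules, name="local_cgred"):
    """Text of a local policy module (assumed name local_cgred).  Use the reference-policy
    interface when the NSS/RPC pattern is present, else fall back to the raw rules.
    Build: make -f /usr/share/selinux/devel/Makefile (selinux-policy-devel), semodule -i."""
    if looks_like_nss_rpc(rules, domain):
        req, stmts = ["\ttype %s;" % domain], ["auth_use_nsswitch(%s)" % domain]
    else:
        classes = {}
        for (_, _, c), p in rules.items():
            classes.setdefault(c, set()).update(p)
        req = ["\ttype %s;" % t for t in sorted({domain} | {t for _, t, _ in rules if t != "self"})]
        req += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
        stmts = render_rules(rules)
    return "\n".join(["policy_module(%s, 1.0)" % name, "", "require {"] + req + ["}", ""] + stmts) + "\n"
```

Run it over `ausearch -m AVC,SYSCALL -c cgrulesengd` output instead of the sample and compare the two outputs of draft_module(): the raw-rule fallback is what audit2allow gives and silently grants cgred_t direct access to the portmapper and reserved ports, while the interface form expresses the actual need (name resolution through NSS) and is what the errata fix adds to the policy.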

Comment 10 Daniel Walsh 2011-06-13 12:41:46 UTC
I see this fix in selinux-policy-3.7.19-98.fc16

Comment 13 errata-xmlrpc 2011-12-06 10:08:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html