Bug 706448

| Summary: | avc: denied when a NIS user is configured in /etc/cgrules.conf | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jason Baron <jbaron> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.1 | CC: | dwalsh, knoel, mgrepl, mmalik, syeghiay |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-98 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:08:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Easy to reproduce:
----
time->Mon May 23 03:35:34 2011
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf873854 a2=514ff4 a3=93a0b28 items=0 ppid=15863 pid=15864 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3582 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc: denied { create } for pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
# rpm -qa | grep -e selinux-policy -e ypbind -e ypserv | sort
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
ypbind-1.20.4-29.el6.i686
ypserv-2.19-18.el6.i686
#
Could you test it also with

# semanage permissive -a cgred_t

Following AVCs appeared when ypbind and ypserv were not running:
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44671): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44671): avc: denied { node_bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44671): avc: denied { bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.801:44670): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bf994164 a2=514ff4 a3=8cebb28 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.801:44670): avc: denied { create } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44672): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44672): avc: denied { name_connect } for pid=18695 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44672): avc: denied { connect } for pid=18695 comm="cgrulesengd" lport=58245 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44673): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8cebc50 a2=3c a3=3c items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44673): avc: denied { write } for pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44674): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8cebde0 a2=190 a3=8cebba0 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44674): avc: denied { read } for pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
Following AVCs appeared when ypbind and ypserv were running:
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.951:44687): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c4e4 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.951:44687): avc: denied { create } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.952:44688): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.952:44688): avc: denied { node_bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.952:44688): avc: denied { bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44689): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44689): avc: denied { name_connect } for pid=18897 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44689): avc: denied { connect } for pid=18897 comm="cgrulesengd" lport=44500 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44690): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8731c50 a2=3c a3=3c items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44690): avc: denied { write } for pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44691): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8731de0 a2=190 a3=8731ba0 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44691): avc: denied { read } for pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44692): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c510 a2=514ff4 a3=bff8c524 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44692): avc: denied { net_bind_service } for pid=18897 comm="cgrulesengd" capability=10 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.954:44693): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c548 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.954:44693): avc: denied { name_connect } for pid=18897 comm="cgrulesengd" dest=797 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44694): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44694): avc: denied { create } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44695): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4f4 a2=514ff4 a3=bff8c508 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44695): avc: denied { node_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44696): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44696): avc: denied { setopt } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44697): arch=40000003 syscall=102 success=yes exit=88 a0=b a1=bff8c508 a2=514ff4 a3=8731b30 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44697): avc: denied { write } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:46 2011
type=SYSCALL msg=audit(1306144306.001:44698): arch=40000003 syscall=102 success=yes exit=92 a0=c a1=bff8c508 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144306.001:44698): avc: denied { read } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
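As an added example (not part of this bug report and not code from the selinux-policy package), the following Python script parses audit records like the ones collected above, pairs each AVC with its SYSCALL record through the audit serial so that enforcing-mode blocks (success=no) can be told apart from permissive-mode logging (success=yes, the `semanage permissive -a cgred_t` run), and collapses the denials into audit2allow-style allow rules for triage. The embedded sample records are abridged copies of lines from this report, constructed here as test input.

```python
import re
from collections import defaultdict

# Constructed sample: abridged copies of audit records from this report.
# Serial 44354 is from enforcing mode (the call was blocked); 44672 and 44692
# are from the permissive run, where the call succeeded but was still logged.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc: denied { create } for pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1306144126.802:44672): arch=40000003 syscall=102 success=yes exit=0 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44672): avc: denied { name_connect } for pid=18695 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44672): avc: denied { connect } for pid=18695 comm="cgrulesengd" lport=58245 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1306144305.953:44692): arch=40000003 syscall=102 success=yes exit=0 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44692): avc: denied { net_bind_service } for pid=18897 comm="cgrulesengd" capability=10 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

# Every audit record starts with its type and the msg=audit(timestamp:serial) tag.
EVENT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# The AVC body carries the denied permission set and a run of key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def type_of(context):
    """Reduce a full SELinux context (user:role:type:level) to its type."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_audit(text):
    """Group SYSCALL and AVC records by audit serial.

    Returns a list of events, each with the syscall outcome ('yes'/'no'/None)
    and the AVC denials recorded under that serial.
    """
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m['serial'], {'serial': m['serial'], 'success': None, 'denials': []})
        if m['type'] == 'SYSCALL':
            ev['success'] = parse_fields(m['body']).get('success')
        elif m['type'] == 'AVC':
            a = AVC_RE.search(m['body'])
            if a:
                f = parse_fields(a['fields'])
                ev['denials'].append({
                    'perms': a['perms'].split(),
                    'scontext': type_of(f.get('scontext', '')),
                    'tcontext': type_of(f.get('tcontext', '')),
                    'tclass': f.get('tclass', ''),
                    'port': f.get('dest') or f.get('src'),
                })
    return list(events.values())


def enforcement_summary(events):
    """Count events that were actually blocked vs. only logged in permissive mode."""
    blocked = sum(1 for ev in events if ev['denials'] and ev['success'] == 'no')
    logged = sum(1 for ev in events if ev['denials'] and ev['success'] == 'yes')
    return blocked, logged


def summarize(events):
    """Collapse denials into (source type, target type, class) -> sorted permission list."""
    rules = defaultdict(set)
    for ev in events:
        for d in ev['denials']:
            rules[(d['scontext'], d['tcontext'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def rule_lines(rules):
    """Render the summary as audit2allow-style allow rules ('self' when source == target)."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if tgt == src else tgt
        lines.append('allow %s %s:%s { %s };' % (src, target, cls, ' '.join(perms)))
    return lines


if __name__ == '__main__':
    evs = parse_audit(SAMPLE_AUDIT)
    blocked, logged = enforcement_summary(evs)
    print('blocked in enforcing mode: %d, logged in permissive mode: %d' % (blocked, logged))
    for line in rule_lines(summarize(evs)):
        print(line)
```

The rule lines are a triage view, not a policy to ship: they show that cgred_t is reaching the portmapper (port 111) and reserved ports, which is the footprint of an NSS lookup going out to NIS. The package fix in this report used the auth_use_nsswitch(cgred_t) interface, which grants exactly that lookup access as a unit instead of hand-written allow rules, so the summary is best used to confirm which interface fits rather than to generate raw rules.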
It looks like it needs auth_use_nsswitch(cgred_t).

nm -D /sbin/cgrulesengd | grep pw
U getpwnam

It needs auth_use_nsswitch
I see this fix in selinux-policy-3.7.19-98.fc16

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
Description of problem:
If I add a NIS username to /etc/cgrules.conf, I get an avc: denied message which prevents cgroups from properly applying rules to NIS users

Version-Release number of selected component (if applicable):

How reproducible:
put a NIS user rule into /etc/cgrules.conf

Steps to Reproduce:
1. edit /etc/cgrules.conf adding:
jbaron:/tmp/loop cpu low-priority
2. start cgconfig service
3. start cgred service

Actual results:
From the audit.log file:
type=AVC msg=audit(1305907326.265:264): avc: denied { create } for pid=24941 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket

Expected results:
Cgroups properly adds rules for NIS users.

Additional info: