Bug 706448
Field | Value
---|---
Summary | avc: denied when a NIS user is configured in /etc/cgrules.conf
Product | Red Hat Enterprise Linux 6
Reporter | Jason Baron <jbaron>
Component | selinux-policy
Assignee | Miroslav Grepl <mgrepl>
Status | CLOSED ERRATA
QA Contact | Milos Malik <mmalik>
Severity | medium
Priority | high
Version | 6.1
CC | dwalsh, knoel, mgrepl, mmalik, syeghiay
Target Milestone | rc
Hardware | All
OS | Linux
Fixed In Version | selinux-policy-3.7.19-98
Doc Type | Bug Fix
Last Closed | 2011-12-06 10:08:06 UTC
Description
Jason Baron
2011-05-20 16:03:07 UTC
Easy to reproduce:

----
time->Mon May 23 03:35:34 2011
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf873854 a2=514ff4 a3=93a0b28 items=0 ppid=15863 pid=15864 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3582 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc: denied { create } for pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----

# rpm -qa | grep -e selinux-policy -e ypbind -e ypserv | sort
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
ypbind-1.20.4-29.el6.i686
ypserv-2.19-18.el6.i686
#

Could you test it also with

# semanage permissive -a cgred_t

Following AVCs appeared when ypbind and ypserv were not running:

----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44671): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44671): avc: denied { node_bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44671): avc: denied { bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.801:44670): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bf994164 a2=514ff4 a3=8cebb28 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.801:44670): avc: denied { create } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44672): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44672): avc: denied { name_connect } for pid=18695 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44672): avc: denied { connect } for pid=18695 comm="cgrulesengd" lport=58245 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44673): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8cebc50 a2=3c a3=3c items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44673): avc: denied { write } for pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44674): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8cebde0 a2=190 a3=8cebba0 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44674): avc: denied { read } for pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----

Following AVCs appeared when ypbind and ypserv were running:

----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.951:44687): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c4e4 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.951:44687): avc: denied { create } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.952:44688): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.952:44688): avc: denied { node_bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.952:44688): avc: denied { bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44689): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44689): avc: denied { name_connect } for pid=18897 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44689): avc: denied { connect } for pid=18897 comm="cgrulesengd" lport=44500 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44690): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8731c50 a2=3c a3=3c items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44690): avc: denied { write } for pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44691): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8731de0 a2=190 a3=8731ba0 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44691): avc: denied { read } for pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44692): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c510 a2=514ff4 a3=bff8c524 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44692): avc: denied { net_bind_service } for pid=18897 comm="cgrulesengd" capability=10 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.954:44693): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c548 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.954:44693): avc: denied { name_connect } for pid=18897 comm="cgrulesengd" dest=797 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44694): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44694): avc: denied { create } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44695): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4f4 a2=514ff4 a3=bff8c508 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44695): avc: denied { node_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44696): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44696): avc: denied { setopt } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44697): arch=40000003 syscall=102 success=yes exit=88 a0=b a1=bff8c508 a2=514ff4 a3=8731b30 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44697): avc: denied { write } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:46 2011
type=SYSCALL msg=audit(1306144306.001:44698): arch=40000003 syscall=102 success=yes exit=92 a0=c a1=bff8c508 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144306.001:44698): avc: denied { read } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----

It looks like it needs auth_use_nsswitch(cgred_t).

nm -D /sbin/cgrulesengd | grep pw
         U getpwnam

It needs auth_use_nsswitch

I see this fix in selinux-policy-3.7.19-98.fc16

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
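The thread above does its triage by eye: the `create` denial is the only one the enforcing kernel blocks (`success=no`), switching `cgred_t` to permissive exposes the rest of the chain (portmapper on port 111, a reserved-port bind, UDP to ypserv), and the conclusion is that the domain needs `auth_use_nsswitch()` rather than a pile of socket rules. As an added example that is not part of the bug report or of selinux-policy, the Python below does that triage over the ausearch records shown above: it pairs each AVC with its SYSCALL record by audit serial to tell enforced denials from permissive-mode logging, aggregates denied permissions by source type, target type and class the way audit2allow does, renders them as allow rules, and applies a heuristic of my own (not from the report) that flags the portmapper-plus-reserved-port pattern as the SunRPC client behaviour a NIS-backed getpwnam() produces. The sample records are copied from the AVC and SYSCALL lines above; the function names and the heuristic are mine.

```python
import re
from collections import defaultdict

# Sample input, constructed for this example by copying records from the bug
# report above (ausearch output: one type=SYSCALL or type=AVC record per line).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf873854 a2=514ff4 a3=93a0b28 items=0 ppid=15863 pid=15864 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3582 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc: denied { create } for pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1306144126.802:44672): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44672): avc: denied { name_connect } for pid=18695 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44671): avc: denied { node_bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44692): avc: denied { net_bind_service } for pid=18897 comm="cgrulesengd" capability=10 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
"""

SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(?P<serial>\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(ctx):
    """Type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one 'avc: denied { perms } for ...' record into a dict, or None."""
    m = AVC_RE.search(line)
    s = SERIAL_RE.search(line)
    if not m or not s:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {'serial': s.group('serial'),
            'stype': type_of(fields['scontext']),
            'ttype': type_of(fields['tcontext']),
            'tclass': fields['tclass'],
            'perms': set(m.group('perms').split())}


def syscall_outcomes(lines):
    """Map audit serial -> True if the SYSCALL record says success=yes.
    success=no is an enforced denial; an AVC with success=yes is permissive logging."""
    out = {}
    for line in lines:
        if not line.startswith('type=SYSCALL'):
            continue
        s = SERIAL_RE.search(line)
        fields = dict(KV_RE.findall(line))
        if s:
            out[s.group('serial')] = fields.get('success') == 'yes'
    return out


def summarize(lines):
    """Aggregate denials by (source type, target type, class) -> permission set."""
    summary = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(summary)


def enforced_denials(lines):
    """Serials of AVC records whose syscall actually failed (enforcing mode)."""
    outcomes = syscall_outcomes(lines)
    return sorted({rec['serial'] for rec in map(parse_avc, lines)
                   if rec and outcomes.get(rec['serial']) is False})


def to_allow_rules(summary):
    """Render audit2allow-style allow rules, sorted so output is deterministic."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = 'self' if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_str))
    return rules


def looks_like_rpc_lookup(summary, domain):
    """Heuristic of my own, not from the bug report: name_connect to portmap_port_t
    plus name_bind on hi_reserved_port_t is the SunRPC client pattern a NIS-backed
    getpwnam() produces; the policy-level fix for such a domain is an nsswitch
    interface (auth_use_nsswitch(domain)), not the raw socket rules above."""
    portmap = summary.get((domain, 'portmap_port_t', 'tcp_socket'), set())
    reserved = set()
    for cls in ('tcp_socket', 'udp_socket'):
        reserved |= summary.get((domain, 'hi_reserved_port_t', cls), set())
    return 'name_connect' in portmap and 'name_bind' in reserved


if __name__ == '__main__':
    lines = SAMPLE_AUDIT.splitlines()
    summary = summarize(lines)
    for rule in to_allow_rules(summary):
        print(rule)
    print('enforced (success=no):', enforced_denials(lines))
    print('RPC/NIS lookup pattern:', looks_like_rpc_lookup(summary, 'cgred_t'))
```

Run it against `ausearch -m avc -c cgrulesengd` output to get the same grouping audit2allow would print. The point of the heuristic is the one the thread reaches: when a confined daemon's denials are the portmapper and reserved-port chain of an NSS lookup, granting the six generated socket rules is the wrong fix; the nsswitch interface covers the lookup in one place, which is what the change shipped in selinux-policy-3.7.19-98 does. Note also that in enforcing mode only the first denial (`create`, serial 44354) is visible; the rest of the chain only shows up once the domain is permissive, which is why the thread asks for `semanage permissive -a cgred_t`.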