Bug 734431

Summary: rhts selinux module fails to load on RHEL6.0
Product: [Retired] Beaker
Reporter: Jan Stancek <jstancek>
Component: beah
Assignee: Bill Peck <bpeck>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 0.6
CC: bpeck, dcallagh, jburke, mcsontos, pbunyan, rmancy, stl
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-09-08 02:42:59 UTC

Description Jan Stancek 2011-08-30 11:50:59 UTC
Description of problem:
We recently started to get many AVC errors from the ltp syslog test on RHEL 6.0, just like this one:
type=1400 audit(1314394496.000:252629): avc:  denied  { read append } for  pid=63576 comm="rsyslogd" path="/mnt/testarea/RHEL6KT1LITE.log" dev=dm-0 ino=541457 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file

The files created in /mnt are not of tmp_t type anymore:
touch /mnt/testarea/dummy
ls -laZ /mnt/testarea/dummy 
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   /mnt/testarea/dummy

This is because the rhts.pp selinux module is not loaded:
semodule -l | grep rhts

The loading is most likely attempted, but fails, just like when I try to load it from command line:
semodule -i /usr/share/selinux/packages/rhts/rhts.pp
libsepol.permission_copy_callback: Module rhts depends on permission read_policy in class security, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

If I rebuild the module from sources on the same host, it loads OK, new files in /mnt/testarea have tmp_t type, and the ltp syslog test does not generate AVCs anymore.


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-54.el6.noarch
selinux-policy-targeted-3.7.19-54.el6.noarch
rhts-test-env-4.38-1.el6eso.noarch
kernel-2.6.32-71.35.1.el6
Red Hat Enterprise Linux Server release 6.0 (Santiago)

How reproducible:
100%

Steps to Reproduce:
1. install RHEL 6.0 and rhts-test-env-4.38-1.el6eso.noarch
2. check if rhts module is loaded, load if necessary
semodule -l | grep rhts
semodule -i /usr/share/selinux/packages/rhts/rhts.pp
3. try to create dummy file, check its selinux type 
touch /mnt/testarea/dummy
ls -laZ /mnt/testarea/dummy 

Actual results:
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   /mnt/testarea/dummy

Expected results:
-rw-r--r--. root root unconfined_u:object_r:tmp_t:s0   /mnt/testarea/dummy

Additional info:
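
An added example, not part of the original report or of the rhts package: shell helpers that pull the source type, target type, class and denied permissions out of an AVC record and compare an `ls -Z` line against the expected type. The function names are hypothetical, the sample lines are copied from the report above, and field values are assumed to contain no spaces.

```shell
#!/usr/bin/env bash
# Added example: triage an SELinux AVC denial and a file label (hypothetical helper names).

# Sample input copied from the report above (AVC record, actual and expected ls -Z lines).
SAMPLE_AVC='type=1400 audit(1314394496.000:252629): avc:  denied  { read append } for  pid=63576 comm="rsyslogd" path="/mnt/testarea/RHEL6KT1LITE.log" dev=dm-0 ino=541457 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file'
ACTUAL_LS='-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   /mnt/testarea/dummy'
EXPECTED_LS='-rw-r--r--. root root unconfined_u:object_r:tmp_t:s0   /mnt/testarea/dummy'

# avc_field RECORD KEY -> value of the first KEY=value token, quotes stripped.
# Assumption: values contain no spaces.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# avc_perms RECORD -> the denied permissions listed between { and }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# context_type CONTEXT -> third field (the type) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ls_z_type LINE -> SELinux type found in one line of `ls -Z` output.
ls_z_type() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | grep -E '^[^:]+:[^:]+:[^:]+(:|$)' | head -n 1 | cut -d: -f3
}

# label_matches LS_LINE EXPECTED_TYPE -> exit status 0 when the file carries that type.
label_matches() {
    [ "$(ls_z_type "$1")" = "$2" ]
}

# avc_summary RECORD -> "comm source_type -> target_type:class {perms} path"
avc_summary() {
    printf '%s %s -> %s:%s {%s} %s\n' \
        "$(avc_field "$1" comm)" \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")" "$(avc_field "$1" path)"
}

avc_summary "$SAMPLE_AVC"
if label_matches "$ACTUAL_LS" tmp_t; then
    echo "label OK"
else
    echo "mislabeled: got $(ls_z_type "$ACTUAL_LS"), expected tmp_t; check 'semodule -l | grep rhts'"
fi
```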

Comment 3 Raymond Mancy 2011-09-06 06:33:44 UTC
on beaker-stage:
[root@dev-kvm-guest-03 ~]# semodule -l | grep rhts
rhts	2.0.1

Comment 4 Dan Callaghan 2011-09-08 02:42:59 UTC
Beaker 0.7.1 has been released.