| Summary: | Update against RHN Live-selinux Test fails | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Iveta Wiedermann <isenfeld> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.2 | CC: | dwalsh, mmalik |
| Target Milestone: | alpha | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-112.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:19:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

The same problem leads to different AVCs:
----
time->Fri Sep 16 04:11:00 2011
type=SYSCALL msg=audit(1316160660.101:39741): arch=c000003e syscall=62 success=yes exit=0 a0=725d a1=0 a2=1546030 a3=8 items=0 ppid=30359 pid=30360 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4600 comm="who" exe="/usr/bin/who" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316160660.101:39741): avc: denied { signull } for pid=30360 comm="who" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Sep 16 05:36:00 2011
type=SYSCALL msg=audit(1316165760.560:384): arch=40000003 syscall=270 success=yes exit=0 a0=4b95 a1=4ba4 a2=6 a3=0 items=0 ppid=1 pid=19364 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2917 comm="gatherd" exe="/usr/sbin/gatherd" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316165760.560:384): avc: denied { signal } for pid=19364 comm="gatherd" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sblim_gatherd_t:s0 tclass=process
----
time->Fri Sep 16 06:23:00 2011
type=SYSCALL msg=audit(1316168580.361:498): arch=40000003 syscall=195 success=yes exit=0 a0=12d7e0 a1=bf8b11ec a2=2ccff4 a3=3 items=0 ppid=19811 pid=19812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2917 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316168580.361:498): avc: denied { search } for pid=19812 comm="ps" name=".vnc" dev=vda2 ino=1529157 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1316168580.361:498): avc: denied { search } for pid=19812 comm="ps" name="test" dev=vda2 ino=1528916 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1316168580.361:498): avc: denied { search } for pid=19812 comm="ps" name="home" dev=vda2 ino=1528913 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
----
Whatever runs these actions, it's pretty invasive:
----
time->Fri Sep 16 06:02:00 2011
type=SYSCALL msg=audit(1316167320.360:30726): arch=80000015 syscall=106 success=yes exit=0 a0=80fd4049a8 a1=ffffea81388 a2=ffffea81388 a3=7fffffff items=0 ppid=12854 pid=12855 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5421 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316167320.360:30726): avc: denied { search } for pid=12855 comm="ps" name="" dev=0:16 ino=2 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
----
Ok, sblim needs more fixes. Not sure why but I did not make only this new domain as unconfined domain which I need to fix.

Fixed in selinux-policy-3.7.19-112.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Description of problem:
While tps jobs were running, it failed with this message:

Running: /sbin/ausearch -sv no -m AVC -ts 09/16/2011 03:40:17
SELinux Check: FAIL
SELinux AVC messages found:
type=1400 audit(1316158860.115:39690): avc: denied { signull } for pid=21318 comm="who" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1316158860.255:39691): avc: denied { search } for pid=21321 comm="ps" name="home" dev=sdb1 ino=2129921 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=1400 audit(1316158888.795:39692): avc: denied { name_connect } for pid=2641 comm="polkitd" dest=111 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-93.el6_1.7.noarch
selinux-policy-targeted-3.7.19-93.el6_1.7.noarch
selinux-policy-minimum-3.7.19-93.el6_1.7.noarch
selinux-policy-3.7.19-93.el6_1.7.noarch
selinux-policy-mls-3.7.19-93.el6_1.7.noarch

How reproducible:
Using the scenario below

Steps to Reproduce:
1. Run tps-RHNqa job

Actual results:
SELinux AVC messages

Expected results:
No SELinux AVC messages expected
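
The tps check fails on any AVC denial logged since the given timestamp, so triage starts by separating the denials per source domain. The following is an added example, not part of the bug report or of the selinux-policy project: it parses the three AVC lines quoted in the description and groups them by source domain, target type and class. The function names (`parse_avc`, `summarize`, `context_type`) are illustrative.

```python
import re
from collections import defaultdict

# AVC lines copied from the tps output quoted in this report.
SAMPLE = """\
type=1400 audit(1316158860.115:39690): avc: denied { signull } for pid=21318 comm="who" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1316158860.255:39691): avc: denied { search } for pid=21321 comm="ps" name="home" dev=sdb1 ino=2129921 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=1400 audit(1316158888.795:39692): avc: denied { name_connect } for pid=2641 comm="polkitd" dest=111 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field (third) of user:role:type:level[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record (e.g. wrapped mid-line): skip it
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "?"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Map source domain -> {(target type, class): set of denied permissions}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[rec["source"]][(rec["target"], rec["tclass"])].update(rec["perms"])
    return {dom: dict(rules) for dom, rules in summary.items()}

if __name__ == "__main__":
    for domain, rules in sorted(summarize(SAMPLE).items()):
        for (target, tclass), perms in sorted(rules.items()):
            print(f"{domain} -> {target}:{tclass} {{ {' '.join(sorted(perms))} }}")
```

On the quoted output this yields two source domains, `sblim_gatherd_t` and `policykit_t`, so the denials belong to two different policy modules.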