Bug 739886

Summary: avc: denied { read } for pid=19050 comm="rndc" path="/proc/loadavg"
Product: Red Hat Enterprise Linux 6
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, jwest, ksrot, mmalik, robert.scheck
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-136.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:24:48 UTC

Description Robert Scheck 2011-09-20 10:34:23 UTC
Description of problem:
type=AVC msg=audit(1315704063.389:193228): avc:  denied  { read } for  pid=19050 comm="rndc" path="/proc/loadavg" dev=proc ino=4026532014 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1315704063.389:193228): arch=c000003e syscall=59 success=yes exit=0 a0=101e350 a1=101dfd0 a2=101e660 a3=18 items=0 ppid=19046 pid=19050 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4341 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)

type=AVC msg=audit(1315099084.187:175386): avc:  denied  { read } for  pid=26174 comm="rndc" path="/proc/loadavg" dev=proc ino=4026532014 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1315099084.187:175386): arch=c000003e syscall=59 success=yes exit=0 a0=1ab6350 a1=1ab5fd0 a2=1ab6660 a3=18 items=0 ppid=26170 pid=26174 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1470 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6_1.7.noarch

How reproducible:
No idea, just happens somehow sometimes.

Expected results:
No AVC denied.

Comment 1 Robert Scheck 2011-09-20 10:37:15 UTC
I've cross-filed this issue as Service Request 00532319.

Comment 3 Miroslav Grepl 2011-09-20 11:02:01 UTC
I added to Fedora, adding to RHEL6.

Comment 4 Milos Malik 2011-09-20 13:05:00 UTC
The AVC contains "success=yes". Could it mean a leaked file descriptor?

Comment 5 Miroslav Grepl 2011-09-20 13:08:44 UTC
Good catch. I overlooked it. Yes, it looks like a leak.

Do you use confined users? Or a tool when this happens?

Also, what does 

# ps -eZ |grep initrc

Comment 6 Robert Scheck 2011-09-20 15:32:13 UTC
# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0    2742 ?        00:03:16 heartbeat
system_u:system_r:initrc_t:s0    2771 ?        00:00:04 heartbeat
system_u:system_r:initrc_t:s0    2773 ?        00:00:09 heartbeat
system_u:system_r:initrc_t:s0    2775 ?        00:00:04 heartbeat
system_u:system_r:initrc_t:s0    2776 ?        00:00:20 heartbeat
system_u:system_r:initrc_t:s0    2777 ?        00:00:15 heartbeat
system_u:system_r:initrc_t:s0    2779 ?        00:00:22 heartbeat
system_u:system_r:initrc_t:s0    2780 ?        00:00:16 heartbeat
system_u:system_r:initrc_t:s0    3093 ?        00:00:08 ipfail
system_u:system_r:initrc_t:s0    3165 ?        00:00:08 dsm_sa_datamgrd
system_u:system_r:initrc_t:s0    3272 ?        00:00:01 dsm_sa_eventmgr
system_u:system_r:initrc_t:s0    3289 ?        00:00:00 rhnsd
system_u:system_r:initrc_t:s0    3299 ?        00:00:00 rhsmcertd
system_u:system_r:initrc_t:s0    3357 ?        00:00:00 dsm_om_shrsvcd
# 

The line above that AVC denied in audit.log is always logrotate related and 
logrotate is executed by cron which is getting restarted by heartbeat.

/etc/logrotate.d/named contains an "/etc/init.d/named reload" which executes
an "/usr/sbin/rndc reload" again. Could that match?
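A direct way to confirm which of the initrc_t processes listed above actually holds /proc/loadavg open, and in which descriptor. This is an added example, not code from the bug report or from heartbeat; it assumes a Linux /proc, and inspecting processes of other users needs root.

```python
"""Find which running processes hold a given path open, with their SELinux
context.  Added example, not part of the bug report; Linux /proc only."""
import os
import tempfile


def process_context(pid):
    # /proc/<pid>/attr/current is the process's SELinux context, the same
    # value 'ps -eZ' prints.  Unreadable or absent (no SELinux) -> None.
    try:
        with open(f"/proc/{pid}/attr/current", "rb") as f:
            return f.read().rstrip(b"\x00\n").decode() or None
    except OSError:
        return None


def find_fd_holders(target):
    """Return [(pid, comm, context, fd)] for every descriptor resolving to target."""
    hits = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process went away, or not ours and we are not root
            continue
        for fd in fds:
            try:
                dest = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if dest == target:
                try:
                    with open(f"/proc/{pid}/comm") as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                hits.append((int(pid), comm, process_context(pid), int(fd)))
    return hits


def only_domain(hits, domain):
    """Keep holders whose SELinux type (third field) is 'domain', e.g. initrc_t."""
    out = []
    for h in hits:
        parts = h[2].split(":") if h[2] else []
        if len(parts) > 2 and parts[2] == domain:
            out.append(h)
    return out


def self_check():
    """Hold a temp file open and verify the scanner reports this process
    holding it on that fd.  Returns None when /proc is not available."""
    if not os.path.isdir("/proc/self/fd"):
        return None
    with tempfile.NamedTemporaryFile() as tf:
        real = os.path.realpath(tf.name)
        hits = find_fd_holders(real)
        return any(pid == os.getpid() and fd == tf.fileno()
                   for pid, _, _, fd in hits)


if __name__ == "__main__":
    # Who in initrc_t has /proc/loadavg open?  Those are the leak candidates
    # that rndc later inherits the descriptor from.
    for pid, comm, ctx, fd in only_domain(find_fd_holders("/proc/loadavg"), "initrc_t"):
        print(f"pid={pid} comm={comm} fd={fd} context={ctx}")
```

Run it as root while the leak is live; an empty result with the AVC still appearing means the holder is an ancestor that has already exited (e.g. a short-lived cron or init-script process), so walk from the ppid in the SYSCALL record instead.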

Comment 7 Miroslav Grepl 2011-09-21 08:45:15 UTC
Ok, so it looks like heartbeat is leaking.
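The signature Milos and Miroslav are reading in comments 4 to 7 can be checked mechanically. As an added example that is not part of this bug report or of selinux-policy: an AVC denial whose SYSCALL record is a successful execve (syscall=59 on arch=c000003e, i.e. x86_64) means the kernel re-checked a descriptor inherited across the exec against the new domain, logged the denial and closed the descriptor, while the exec itself went through. The leak therefore belongs to the caller's side of the transition, not to the program named in comm. The script pairs AVC and SYSCALL records by audit serial and classifies each denial. The first two events are the ones quoted in the description (SYSCALL records shortened); the third event is constructed, with a hypothetical path, inode and label, to show the contrasting case of an open() that really failed.

```python
"""Classify SELinux AVC denials: a denial in the program's own code path vs. a
descriptor leaked into it across an exec.  Added example; not code from the
bug report or from selinux-policy."""
import re

# (arch as printed in the SYSCALL record, syscall number) -> name, for the
# syscalls this classifier cares about.  x86_64 execve=59, i386 execve=11.
EXEC_SYSCALLS = {("c000003e", 59): "execve", ("40000003", 11): "execve"}

# Constructed sample.  Serials 193228 and 175386 are the two events quoted in
# the bug description (SYSCALL fields shortened).  Serial 193300 is invented
# for contrast: an open() (syscall=2 on x86_64) that failed, with a
# hypothetical path, inode and label.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1315704063.389:193228): avc:  denied  { read } for  pid=19050 comm="rndc" path="/proc/loadavg" dev=proc ino=4026532014 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1315704063.389:193228): arch=c000003e syscall=59 success=yes exit=0 items=0 ppid=19046 pid=19050 auid=0 uid=0 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
type=AVC msg=audit(1315099084.187:175386): avc:  denied  { read } for  pid=26174 comm="rndc" path="/proc/loadavg" dev=proc ino=4026532014 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1315099084.187:175386): arch=c000003e syscall=59 success=yes exit=0 items=0 ppid=26170 pid=26174 auid=0 uid=0 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
type=AVC msg=audit(1315704100.000:193300): avc:  denied  { read } for  pid=19060 comm="rndc" path="/etc/named/hypothetical.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1315704100.000:193300): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=19046 pid=19060 auid=0 uid=0 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'\{ ([^}]*) \}')


def parse_record(line):
    """One audit record -> dict of its fields, or None if it is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        p = PERM_RE.search(body)
        rec["perms"] = p.group(1).split() if p else []
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Pair AVC and SYSCALL records that share an audit serial."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"AVC": [], "SYSCALL": None})
        if rec["type"] == "AVC":
            ev["AVC"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["SYSCALL"] = rec
    return events


def classify(serial, ev):
    """Per AVC record: was this the program's own access, or a descriptor it
    inherited that the kernel closed when the exec entered the new domain?"""
    sc = ev["SYSCALL"]
    out = []
    for avc in ev["AVC"]:
        r = {"serial": serial, "comm": avc.get("comm"), "path": avc.get("path"),
             "scontext": avc.get("scontext"), "tcontext": avc.get("tcontext"),
             "tclass": avc.get("tclass"), "perms": avc.get("perms", [])}
        if sc is None:
            r["verdict"], r["reason"] = "unknown", "no SYSCALL record for this serial"
        else:
            name = EXEC_SYSCALLS.get((sc.get("arch"), int(sc.get("syscall", -1))))
            r["syscall"] = name or sc.get("syscall")
            r["success"], r["ppid"] = sc.get("success"), sc.get("ppid")
            if name == "execve" and sc.get("success") == "yes":
                r["verdict"] = "leaked_fd"
                r["reason"] = ("execve succeeded: the kernel re-checked an inherited descriptor "
                               "against the new domain and closed it; look at ppid %s and its "
                               "ancestors for who opened %s" % (r["ppid"], r["path"]))
            elif sc.get("success") == "no":
                r["verdict"] = "denied"
                r["reason"] = "syscall %s failed (exit=%s): %s itself needs { %s } on %s" % (
                    r["syscall"], sc.get("exit"), r["comm"], " ".join(r["perms"]), r["tclass"])
            else:
                r["verdict"], r["reason"] = "unknown", "denial logged but a non-exec syscall succeeded"
        out.append(r)
    return out


def analyze(text):
    """Classify every AVC record in the text, in audit-serial order."""
    results = []
    for serial, ev in sorted(group_events(text).items()):
        results.extend(classify(serial, ev))
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_AUDIT):
        print("%s %-10s %s %s: %s" % (r["serial"], r["verdict"], r["scontext"], r["path"], r["reason"]))
```

Feed it the output of `ausearch -m AVC,SYSCALL` (or the raw audit.log) instead of the sample. The ppid it reports is only the immediate parent; in this report that is the init script, and the descriptor was opened further up, by heartbeat, so the walk has to continue up the process tree until a process in a different domain is found.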

Comment 8 Miroslav Grepl 2011-09-21 12:37:31 UTC
Robert,
could you test the policy from the 

https://bugzilla.redhat.com/show_bug.cgi?id=720939#c14

Heartbeat needs to fix this leaking and also we need to add policy for it.

Comment 12 Miroslav Grepl 2012-01-26 08:50:56 UTC
We treat heartbeat with corosync policy.

Fixed in selinux-policy-3.7.19-136.el6

Comment 17 errata-xmlrpc 2012-06-20 12:24:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html