| Summary: | [RHEL6.2] AVC denied comm="hald-probe-stor" comm="hald-probe-volu" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | PaulB <pbunyan> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.2 | CC: | dwalsh, jburke, ksrot, mmalik, pbunyan |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-138.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 12:24:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
PaulB
2011-10-07 19:03:48 UTC
Could you add your output of

# ls -Z PATHO/modules.dep

# matchpathcon PATHO/modules.dep

Looks like it could be a labeling issue. Is your test script creating these dep files? If so, where are they located, and does running restorecon on them change the label?

(In reply to comment #2)
> Could you add your output of
>
> # ls -Z PATHO/modules.dep
>
> # matchpathcon PATHO/modules.dep

Miroslav,
As this issue is intermittent, the test will need to be modified in order to gather this data. I will contact the test owner and look into modifying the /kernel/storage/iscsi/iscsi-target-ipv4 test.

Best,
-pbunyan

(In reply to comment #3)
> Looks like it could be a labeling issue.
I agree it looks like a labeling issue.
Can you please tell me what the label is supposed to be?
> Is your test script creating these dep files?
No, we are not creating the file module.dep.
> If so where are they located, does running restorecon on them change the label?
I have not tried, since this is intermittent during automated testing.

Best,
-pbunyan

(In reply to comment #5)
> (In reply to comment #3)
> > Looks like it could be a labeling issue.
> I agree it looks like a labeling issue.
> Can you please tell me what the label is supposed to be.

# matchpathcon PATHO/modules.dep

> > Is your test script creating these dep files?
> No, we are not creating the file module.dep.
> > If so where are they located, does running restorecon on them change the label?
> I have not tried, since this is intermittent during automated testing.
>
> Best,
> -pbunyan

(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #3)
> > > Looks like it could be a labeling issue.
> > I agree it looks like a labeling issue.
> > Can you please tell me what the label is supposed to be.
>
> # matchpathcon PATHO/modules.dep

I know what this returns on my machine, but what is this "supposed to return" on a RHEL 6.2 installed system?
-pbunyan

matchpathcon returns the default SELinux security context from the policy.

It should be labeled as modules_dep_t.

Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Still looks like a mislabeling issue. Closing as NOTABUG.

Miroslav,
As this issue is intermittent, seems like a bug to me.
I modified the kernel/storage/iscsi/iscsi-target-ipv4 test to provide your requested data:
+selinuxcheck(){
+ ls -Z /lib/modules/`uname -r`/modules.dep
+ matchpathcon /lib/modules/`uname -r`/modules.dep
+}
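Review bot: selinuxcheck prints the two contexts side by side but never compares them, so the mismatch (modules_object_t from ls -Z against modules_dep_t from matchpathcon) still has to be spotted by eye in a long test log; `matchpathcon -V /lib/modules/$(uname -r)/modules.dep` does the comparison itself and prints either `verified.` or the actual and expected contexts, which makes the failing run easy to grep for. The snippet also leaves the question from comment #3 open: running `restorecon -v` on the file in the same step and logging whether it relabels would answer it in one pass, and `$(uname -r)` is preferable to the backtick form for readability.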
Issue was reproduced here:
https://beaker.engineering.redhat.com/jobs/144495
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/10/1444/144495/300552/3313348/17698271/test_log--kernel-storage-iscsi-iscsi-target-ipv4-initiator.log
<-SNIP->
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 /lib/modules/2.6.32-210.el6.ppc64/modules.dep
/lib/modules/2.6.32-210.el6.ppc64/modules.dep system_u:object_r:modules_dep_t:s0
<-SNIP->
-pbunyan
That looks incorrect to me. What is creating these files?

Miroslav, let's just add files_read_kernel_modules(hald_t) and try to figure out why these files are getting the wrong label in Fedora.

I would say that depmod is the culprit:

# rpm -qa selinux-policy\*
selinux-policy-mls-3.7.19-118.el6.noarch
selinux-policy-doc-3.7.19-118.el6.noarch
selinux-policy-3.7.19-118.el6.noarch
selinux-policy-targeted-3.7.19-118.el6.noarch
selinux-policy-minimum-3.7.19-118.el6.noarch
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# restorecon -Rv /lib/modules/2.6.32-211.el6.i686/
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ofmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.inputmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ccwmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.pcimap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.seriomap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.usbmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ieee1394map context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.isapnpmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
# depmod -ae
# restorecon -Rv /lib/modules/2.6.32-211.el6.i686/
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ofmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.inputmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ccwmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.pcimap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.seriomap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.usbmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ieee1394map context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.isapnpmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0

After reboot I saw the following AVCs:
----
time->Mon Oct 24 12:00:35 2011
type=PATH msg=audit(1319450435.031:11125): item=0 name="/lib/modules/2.6.32-211.el6.i686/modules.dep" inode=83316 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0
type=CWD msg=audit(1319450435.031:11125): cwd="/usr/libexec"
type=SYSCALL msg=audit(1319450435.031:11125): arch=40000003 syscall=5 success=no exit=-13 a0=bf9719b6 a1=8000 a2=1b6 a3=a77e8d items=1 ppid=1411 pid=1454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1319450435.031:11125): avc: denied { read } for pid=1454 comm="hald-probe-volu" name="modules.dep" dev=dm-0 ino=83316 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
time->Mon Oct 24 12:00:34 2011
type=PATH msg=audit(1319450434.795:11124): item=0 name="/lib/modules/2.6.32-211.el6.i686/modules.dep" inode=83316 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0
type=CWD msg=audit(1319450434.795:11124): cwd="/usr/libexec"
type=SYSCALL msg=audit(1319450434.795:11124): arch=40000003 syscall=5 success=no exit=-13 a0=bf9cb246 a1=8000 a2=1b6 a3=a77e8d items=1 ppid=1411 pid=1440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-stor" exe="/usr/libexec/hald-probe-storage" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1319450434.795:11124): avc: denied { read } for pid=1440 comm="hald-probe-stor" name="modules.dep" dev=dm-0 ino=83316 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
Good catch. This means the modules.dep is re-created by depmod, which is running in the unconfined_t domain in this case. This is fixed by a file name transition in Fedora. Not sure how we should handle this in RHEL6, probably just add the rule. We have

modutils_run_depmod(sysadm_t, sysadm_r)

so

modutils_run_depmod(unconfined_t, unconfined_r)

could be tested.

Paul, try to test it with the latest -119 release from brew.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
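An added example, not part of this bug report or of selinux-policy, that turns the diagnosis reached in the thread into a check: it parses audit records like the ones pasted above and, for each denial on a depmod-generated file, reports whether the target merely carries the wrong type (a relabel case, as here) or already has the expected type (a missing policy rule such as the files_read_kernel_modules(hald_t) suggested above). The expected-type table, the function names and the sample records are constructed assumptions; check_and_relabel_modules only runs where matchpathcon and restorecon exist.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumption: the only files of
# interest are the modules.* metadata files written by depmod, which the
# policy labels modules_dep_t; denials on other names are ignored.

# Read audit records on stdin; print "tag pid comm file actual expected"
# with tag=relabel when the type is wrong, tag=policy when it is already right.
report_mislabeled_avcs() {
    awk '
    function expected(fname) {
        if (fname ~ /^modules\.(dep|alias|symbols)(\.bin)?$/) return "modules_dep_t"
        if (fname ~ /^modules\.[a-z0-9]+map$/)              return "modules_dep_t"
        return ""
    }
    /type=AVC/ && /avc: *denied/ {
        name = ""; tctx = ""; comm = ""; pid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name) }
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "tcontext") tctx = kv[2]
            if (kv[1] == "pid")      pid  = kv[2]
        }
        want = expected(name)
        if (want == "") next                     # not a depmod output file
        n = split(tctx, c, ":")                  # user:role:type:range
        actual = (n >= 3) ? c[3] : ""
        tag = (actual != want) ? "relabel" : "policy"
        print tag, pid, comm, name, actual, want
    }'
}

# On a live system: matchpathcon -V prints "<path> verified." when a file
# agrees with the policy, otherwise the actual and expected contexts; relabel
# the tree only when something is off. Skipped where the tools are absent.
check_and_relabel_modules() {
    dir="/lib/modules/$(uname -r)"
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon missing" >&2; return 2; }
    matchpathcon -V "$dir"/modules.* | grep -v ' verified\.$' || return 0
    restorecon -Rv "$dir"
}

# Constructed sample: record 1 mirrors the denial in this bug (wrong type),
# record 2 is a denial on a correctly labelled file, record 3 is not an AVC.
SAMPLE_AUDIT='type=AVC msg=audit(1319450435.031:11125): avc: denied { read } for pid=1454 comm="hald-probe-volu" name="modules.dep" dev=dm-0 ino=83316 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1319450500.100:11130): avc: denied { read } for pid=1460 comm="hald-probe-stor" name="modules.alias" dev=dm-0 ino=83320 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=SYSCALL msg=audit(1319450435.031:11125): arch=40000003 syscall=5 success=no exit=-13'

printf '%s\n' "$SAMPLE_AUDIT" | report_mislabeled_avcs
```

On a real host, feed /var/log/audit/audit.log (or `ausearch -m AVC` output) to report_mislabeled_avcs and run check_and_relabel_modules after any depmod run or kernel update.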