Bug 746351
| Field | Value |
|---|---|
| Summary | SELinux prevents ricci from starting/stopping & enabling/disabling services. |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Jan Pokorný [poki] <jpokorny> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Version | 5.7 |
| CC | bperkins, dwalsh, mmalik |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-2.4.6-318.el5 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 722579 |
| Last Closed | 2012-02-21 05:48:23 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description

Jan Pokorný [poki] 2011-10-14 21:25:22 UTC

In addition to the "create -- unix_dgram_socket" message, I got a "write -- pipe" one when stopping the bluetooth service (the denial messages probably differ according to the content of the respective initscripts, i.e. which commands are being executed):

```
Summary:

SELinux is preventing rfcomm (bluetooth_t) "write" to pipe (ricci_modservice_t).

Detailed Description:

SELinux denied access requested by rfcomm [...]

Allowing Access:

[...]

Additional Information:

Source Context                root:system_r:bluetooth_t
Target Context                root:system_r:ricci_modservice_t
Target Objects                pipe [ fifo_file ]
Source                        rfcomm
Source Path                   /usr/bin/rfcomm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bluez-utils-3.7-2.2
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-274.6.1.el5 #1 SMP Fri Sep 23 21:12:11 EDT 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Mon Oct 17 17:27:53 2011
Last Seen                     Mon Oct 17 17:29:28 2011
Local ID                      e82c731a-91b3-4f6b-8a77-25da319a8b04
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15659]" dev=pipefs ino=15659 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file

host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15660]" dev=pipefs ino=15660 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file

host=localhost.localdomain type=SYSCALL msg=audit(1318865368.500:85): arch=c000003e syscall=59 success=yes exit=0 a0=18e67300 a1=18e67460 a2=18e6dc10 a3=8 items=0 ppid=3883 pid=3890 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rfcomm" exe="/usr/bin/rfcomm" subj=root:system_r:bluetooth_t:s0 key=(null)
```

With the same program (ricci's executable module), proceeding with service enable/disable will also generate a message like Brandon's one (comment #4 within the description). Such requests are handled by executing "/sbin/chkconfig (on|off)". To be noted that despite the SELinux denial messages, all the mentioned actions regarding services seem to succeed (with enforcing SELinux).

Re comment 2: "/sbin/chkconfig $SERVICENAME (on|off)", indeed.

Fixed in selinux-policy-2.4.6-318.el5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
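As an added example (not part of the bug report, of ricci, or of the selinux-policy package), the following Python script parses the AVC and SYSCALL records quoted above and turns them into the two things a policy maintainer reads off such a report: the denial collapsed to source type, target type, object class and permission set (rendered as the TE allow rule that audit2allow would print), and the pairing of the denial's audit serial with the execve of /usr/bin/rfcomm that triggered it. Function names and the SYSCALL_NAMES table are mine; the sample input is the report's own audit lines copied inline.

```python
"""Parse SELinux AVC/SYSCALL audit records and summarise the denials they describe."""
import re
from collections import defaultdict

# Constructed sample input: the three audit records quoted in this bug report,
# copied here so the parser can be run offline against realistic data.
SAMPLE_AUDIT = """\
host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15659]" dev=pipefs ino=15659 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file
host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc: denied { write } for pid=3890 comm="rfcomm" path="pipe:[15660]" dev=pipefs ino=15660 scontext=root:system_r:bluetooth_t:s0 tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file
host=localhost.localdomain type=SYSCALL msg=audit(1318865368.500:85): arch=c000003e syscall=59 success=yes exit=0 a0=18e67300 a1=18e67460 a2=18e6dc10 a3=8 items=0 ppid=3883 pid=3890 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rfcomm" exe="/usr/bin/rfcomm" subj=root:system_r:bluetooth_t:s0 key=(null)
"""

HEADER_RE = re.compile(
    r"^(?:host=\S+\s+)?type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only the arch/syscall pair that appears in this report is mapped (both values are
# standard: AUDIT_ARCH_X86_64 is 0xc000003e and execve is syscall 59 on x86_64).
SYSCALL_NAMES = {("c000003e", "59"): "execve"}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_fields(text):
    """Turn 'k=v k="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Parse audit lines into dicts; non-AVC records keep their raw key=value fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, sealert prose, ...)
        rec = {"type": m["type"], "serial": int(m["serial"]), "ts": float(m["ts"])}
        if rec["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if not a:
                continue
            rec["result"] = a["result"]
            rec["perms"] = set(a["perms"].split())
            rec.update(parse_fields(a["fields"]))
        else:
            rec.update(parse_fields(m["body"]))
        records.append(rec)
    return records


def denial_summary(records):
    """Collapse denied AVCs into {(source_type, target_type, tclass): set(perms)}."""
    summary = defaultdict(set)
    for r in records:
        if r["type"] == "AVC" and r["result"] == "denied":
            key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
            summary[key] |= r["perms"]
    return dict(summary)


def te_rules(records):
    """Render the summary as TE allow rules, in the form audit2allow prints them."""
    rules = []
    for (src, tgt, cls), perms in sorted(denial_summary(records).items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def exec_context(records):
    """For each denial serial, report the SYSCALL record it belongs to and the objects touched."""
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    out = {}
    for r in records:
        sc = syscalls.get(r["serial"]) if r["type"] == "AVC" else None
        if sc:
            out[r["serial"]] = {
                "exe": sc.get("exe"),
                "syscall": SYSCALL_NAMES.get((sc.get("arch"), sc.get("syscall")), sc.get("syscall")),
                "success": sc.get("success"),
                "objects": sorted({x["path"] for x in records
                                   if x["type"] == "AVC" and x["serial"] == r["serial"] and "path" in x}),
            }
    return out


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in te_rules(recs):
        print(rule)
    for serial, info in exec_context(recs).items():
        print(f"serial {serial}: {info['syscall']} of {info['exe']} "
              f"(success={info['success']}) touched {info['objects']}")
```

On the report's records this yields the single rule `allow bluetooth_t ricci_modservice_t:fifo_file write;` and shows both denied pipes belonging to one execve of /usr/bin/rfcomm, which is the shape of evidence the maintainer needed before deciding that the fix belongs in the ricci_modservice_t policy (the shipped change in selinux-policy-2.4.6-318.el5) rather than in a local module.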