Bug 746351

Summary: SELinux prevents ricci from starting/stopping & enabling/disabling services.
Product: Red Hat Enterprise Linux 5
Reporter: Jan Pokorný [poki] <jpokorny>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 5.7
CC: bperkins, dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-2.4.6-318.el5
Doc Type: Bug Fix
Clone Of: 722579
Last Closed: 2012-02-21 05:48:23 UTC

Description Jan Pokorný [poki] 2011-10-14 21:25:22 UTC
I also encounter the problem with starting/stopping services (installing
packages as per bug 722579 works well for me with stated configuration).

Packages:
ricci-0.12.2-32.el5_7.1
selinux-policy-2.4.6-317.el5
selinux-policy-targeted-2.4.6-317.el5

How ricci handles services:
Ricci's executable module /usr/libexec/ricci-modrpm executes
"/etc/init.d/$SERVICENAME (start|stop|restart)"

Note:
I tried using the "/sbin/service $SERVICENAME (start|stop|restart)" way instead,
but got the same result.


+++ Partial manual clone (removing unrelated comments) of bug 722579 +++

> Comment ##4 Brandon Perkins 2011-10-04 19:32:11 CEST

The issue described in the original description appears to be fixed (using
selinux-policy-2.4.6-317.el5 and ricci-0.12.2-33.el5).  However, that then
exposes the next issue.  While not related to the original installation of
RPMs, which is in fact working now, it appears ricci is unable to start the
daemons for a similar reason.  I am happy to open this as a new bug if that's
preferred.

Summary:

SELinux is preventing ricci-modservic (ricci_modservice_t) "create" to <Unknown>
(ricci_modservice_t).

Detailed Description:

SELinux denied access requested by ricci-modservic. It is not expected that this
access is required by ricci-modservic and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:ricci_modservice_t
Target Context                system_u:system_r:ricci_modservice_t
Target Objects                None [ unix_dgram_socket ]
Source                        ricci-modservic
Source Path                   /usr/libexec/ricci-modservice
Port                          <Unknown>
Host                          bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Source RPM Packages           ricci-0.12.2-33.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
Platform                      Linux
                              bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com
                              2.6.18-274.3.1.el5 #1 SMP Fri Aug 26 18:49:02 EDT
                              2011 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Oct  4 13:26:46 2011
Last Seen                     Tue Oct  4 13:26:46 2011
Local ID                      932f9ada-a4cc-4ca7-8149-02ce9f8b91ce
Line Numbers                  

Raw Audit Messages            

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=AVC
msg=audit(1317749206.35:39): avc:  denied  { create } for  pid=19400
comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0
tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket

host=bz722579.dhcp151-173.mpc.lab.eng.bos.redhat.com type=SYSCALL
msg=audit(1317749206.35:39): arch=c000003e syscall=41 success=no exit=-13 a0=1
a1=2 a2=0 a3=7db items=0 ppid=19398 pid=19400 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="ricci-modservic" exe="/usr/libexec/ricci-modservice"
subj=system_u:system_r:ricci_modservice_t:s0 key=(null)


> Comment ##5 Miroslav Grepl 2011-10-05 07:05:21 CEST

Ok, this is a different AVC msg.

Comment 1 Jan Pokorný [poki] 2011-10-17 15:42:57 UTC
In addition to the "create -- unix_dgram_socket" message, I got a "write -- pipe"
one when stopping the bluetooth service (the denial messages probably differ
according to the content of the respective initscripts, i.e. what commands are
being executed):


Summary:

SELinux is preventing rfcomm (bluetooth_t) "write" to pipe (ricci_modservice_t).

Detailed Description:

SELinux denied access requested by rfcomm [...]

Allowing Access:

[...]

Additional Information:

Source Context                root:system_r:bluetooth_t
Target Context                root:system_r:ricci_modservice_t
Target Objects                pipe [ fifo_file ]
Source                        rfcomm
Source Path                   /usr/bin/rfcomm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bluez-utils-3.7-2.2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-317.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-274.6.1.el5 #1
                              SMP Fri Sep 23 21:12:11 EDT 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Mon Oct 17 17:27:53 2011
Last Seen                     Mon Oct 17 17:29:28 2011
Local ID                      e82c731a-91b3-4f6b-8a77-25da319a8b04
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc:
    denied  { write } for  pid=3890 comm="rfcomm" path="pipe:[15659]"
    dev=pipefs ino=15659 scontext=root:system_r:bluetooth_t:s0
    tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file

host=localhost.localdomain type=AVC msg=audit(1318865368.500:85): avc:
    denied  { write } for  pid=3890 comm="rfcomm" path="pipe:[15660]"
    dev=pipefs ino=15660 scontext=root:system_r:bluetooth_t:s0
    tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file

host=localhost.localdomain type=SYSCALL msg=audit(1318865368.500:85):
    arch=c000003e syscall=59 success=yes exit=0 a0=18e67300 a1=18e67460
    a2=18e6dc10 a3=8 items=0 ppid=3883 pid=3890
    auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    tty=(none) ses=1 comm="rfcomm" exe="/usr/bin/rfcomm"
    subj=root:system_r:bluetooth_t:s0 key=(null)

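As an added example (not part of this bug report or of the ricci/selinux-policy packages): a small Python parser for the two raw AVC records quoted above that pulls out the source and target types and derives the TE allow rule a local policy module (the "Allowing Access" route the setroubleshoot text points to) would need, roughly what audit2allow prints for such a denial. The sample records are copied from the description and comment 1, reflowed onto one line each; the regex and rule formatting are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two AVC records quoted in this bug (description and
# comment 1), reflowed onto one line each, plus one non-AVC record to be skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1317749206.35:39): avc:  denied  { create } for  pid=19400 '
    'comm="ricci-modservic" scontext=system_u:system_r:ricci_modservice_t:s0 '
    'tcontext=system_u:system_r:ricci_modservice_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1318865368.500:85): avc:  denied  { write } for  pid=3890 '
    'comm="rfcomm" path="pipe:[15659]" dev=pipefs ino=15659 '
    'scontext=root:system_r:bluetooth_t:s0 '
    'tcontext=root:system_r:ricci_modservice_t:s0 tclass=fifo_file',
    'type=SYSCALL msg=audit(1317749206.35:39): arch=c000003e syscall=41 '
    'success=no exit=-13 comm="ricci-modservic"',
]

# Assumed record layout: "avc: denied { perms } for ... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass(frozen=True)
class Denial:
    comm: str
    source_type: str   # SELinux type (3rd field) of the acting process's context
    target_type: str   # SELinux type of the object being accessed
    tclass: str
    perms: tuple

def parse_avc(line):
    """Return a Denial for a denied AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None
    return Denial(comm=m.group('comm'),
                  source_type=m.group('scontext').split(':')[2],
                  target_type=m.group('tcontext').split(':')[2],
                  tclass=m.group('tclass'),
                  perms=tuple(m.group('perms').split()))

def allow_rule(d):
    """The TE allow rule a local module would need; 'self' when source == target."""
    target = 'self' if d.target_type == d.source_type else d.target_type
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.source_type} {target}:{d.tclass} {perms};'

def rules_for(lines):
    """Deduplicated allow rules, in first-seen order, for an audit log excerpt."""
    rules = []
    for line in lines:
        d = parse_avc(line)
        if d is not None and allow_rule(d) not in rules:
            rules.append(allow_rule(d))
    return rules
```

Note that the second rule is for bluetooth_t, not ricci_modservice_t: rfcomm, launched by the initscript, inherits ricci's pipe as its stdout/stderr, so the denial is attributed to the child's domain even though the trigger is ricci.
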
Comment 2 Jan Pokorný [poki] 2011-10-17 15:54:16 UTC
With the same program (ricci's executable module), processing a service
enable/disable will also generate a message like Brandon's (comment ##4
within the description).

Such requests are handled by executing "/sbin/chkconfig (on|off)".

Comment 3 Jan Pokorný [poki] 2011-10-17 15:59:01 UTC
Note that despite the SELinux denial messages, all the mentioned
actions regarding services seem to succeed (with SELinux enforcing).

Comment 4 Jan Pokorný [poki] 2011-10-17 16:00:44 UTC
Re comment 2:
"/sbin/chkconfig $SERVICENAME (on|off)", indeed

Comment 5 Miroslav Grepl 2011-10-20 14:34:03 UTC
Fixed in selinux-policy-2.4.6-318.el5

Comment 14 errata-xmlrpc 2012-02-21 05:48:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html