Bug 747239
| Field | Value |
|---|---|
| Summary | quota_nld runs as initrc_t |
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.2 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Reporter | Milos Malik <mmalik> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Michal Trunecka <mtruneck> |
| CC | dwalsh, ebenes, ksrot, mtruneck, ppisar, psklenar |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | selinux-policy-3.7.19-136.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clones | 784333 (view as bug list) |
| Bug Blocks | 784333, 832330 |
| Last Closed | 2012-06-20 12:28:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Milos Malik
2011-10-19 08:19:15 UTC
Simple workaround caused AVCs:

```
# chcon -t quota_exec_t `which quota_nld`
# service quota_nld status
quota_nld is stopped
# service quota_nld start
Starting quota_nld: quota_nld: Cannot connect to netlink socket: Operation not permitted [FAILED]
# ausearch -m AVC -m USER_AVC -ts today
----
time->Wed Oct 19 10:21:26 2011
type=PATH msg=audit(1319012486.582:35371): item=0 name="/proc/net/psched" inode=4026531984 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0
type=CWD msg=audit(1319012486.582:35371): cwd="/"
type=SYSCALL msg=audit(1319012486.582:35371): arch=40000003 syscall=5 success=no exit=-13 a0=bfadd8ac a1=0 a2=1b6 a3=d3ac42 items=1 ppid=15811 pid=15812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319012486.582:35371): avc: denied { read } for pid=15812 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Oct 19 10:21:26 2011
type=SOCKETCALL msg=audit(1319012486.586:35372): nargs=3 a0=10 a1=3 a2=10
type=SYSCALL msg=audit(1319012486.586:35372): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfade750 a2=d4c314 a3=20d5a30 items=0 ppid=15811 pid=15812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319012486.586:35372): avc: denied { create } for pid=15812 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
# setenforce 0
# ls -Z `which quota_nld`
-rwxr-xr-x. root root system_u:object_r:quota_exec_t:s0 /usr/sbin/quota_nld
# service quota_nld status
quota_nld is stopped
# service quota_nld start
Starting quota_nld: [ OK ]
# ausearch -m AVC -m USER_AVC -ts recent
----
time->Wed Oct 19 10:32:14 2011
type=USER_AVC msg=audit(1319013134.371:35390): user pid=1266 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=15868 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Oct 19 10:32:14 2011
type=PATH msg=audit(1319013134.283:35381): item=0 name="/proc/net/psched" inode=4026531984 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0
type=CWD msg=audit(1319013134.283:35381): cwd="/"
type=SYSCALL msg=audit(1319013134.283:35381): arch=40000003 syscall=5 success=yes exit=3 a0=bffa9cac a1=0 a2=1b6 a3=328c42 items=1 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.283:35381): avc: denied { open } for pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1319013134.283:35381): avc: denied { read } for pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Oct 19 10:32:14 2011
type=SYSCALL msg=audit(1319013134.289:35382): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bffa9904 a2=8deff4 a3=1900170 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.289:35382): avc: denied { getattr } for pid=15868 comm="quota_nld" path="/proc/15868/net/psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Oct 19 10:32:14 2011
type=SOCKETCALL msg=audit(1319013134.291:35383): nargs=3 a0=10 a1=3 a2=10
type=SYSCALL msg=audit(1319013134.291:35383): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bffaab50 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.291:35383): avc: denied { create } for pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKETCALL msg=audit(1319013134.293:35384): nargs=5 a0=3 a1=1 a2=7 a3=bffaab58 a4=4
type=SYSCALL msg=audit(1319013134.293:35384): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bffaab20 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.293:35384): avc: denied { setopt } for pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.293:35385): saddr=10000000FC3D000000000000
type=SOCKETCALL msg=audit(1319013134.293:35385): nargs=3 a0=3 a1=1900a30 a2=c
type=SYSCALL msg=audit(1319013134.293:35385): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bffaab50 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.293:35385): avc: denied { bind } for pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.294:35386): saddr=10000000FC3D000000000000
type=SOCKETCALL msg=audit(1319013134.294:35386): nargs=3 a0=3 a1=1900a30 a2=bffaab7c
type=SYSCALL msg=audit(1319013134.294:35386): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bffaab50 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.294:35386): avc: denied { getattr } for pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.294:35387): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1319013134.294:35387): nargs=3 a0=3 a1=bffaa988 a2=0
type=SYSCALL msg=audit(1319013134.294:35387): arch=40000003 syscall=102 success=yes exit=20 a0=10 a1=bffaa900 a2=33a314 a3=1900a88 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.294:35387): avc: denied { write } for pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.294:35388): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1319013134.294:35388): nargs=3 a0=3 a1=bffaa9ac a2=0
type=SYSCALL msg=audit(1319013134.294:35388): arch=40000003 syscall=102 success=yes exit=1148 a0=11 a1=bffaa970 a2=33a314 a3=0 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.294:35388): avc: denied { read } for pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=PATH msg=audit(1319013134.295:35389): item=0 name=(null) inode=52170 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0
type=SOCKADDR msg=audit(1319013134.295:35389): saddr=01002F7661722F72756E2F646275732F73797374656D5F6275735F736F636B6574
type=SOCKETCALL msg=audit(1319013134.295:35389): nargs=3 a0=4 a1=bffaa91e a2=21
type=SYSCALL msg=audit(1319013134.295:35389): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bffaa8e0 a2=617ff4 a3=bffaaa8c items=1 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.295:35389): avc: denied { connectto } for pid=15868 comm="quota_nld" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1319013134.295:35389): avc: denied { write } for pid=15868 comm="quota_nld" name="system_bus_socket" dev=dm-0 ino=52170 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
----
time->Wed Oct 19 10:32:14 2011
type=PATH msg=audit(1319013134.386:35391): item=1 name="/var/run/quota_nld.pid" inode=9715 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0
type=PATH msg=audit(1319013134.386:35391): item=0 name="/var/run/" inode=2059 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=CWD msg=audit(1319013134.386:35391): cwd="/"
type=SYSCALL msg=audit(1319013134.386:35391): arch=40000003 syscall=5 success=yes exit=5 a0=1901d18 a1=8241 a2=1b6 a3=da9efb items=2 ppid=1 pid=15871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.386:35391): avc: denied { write } for pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013134.386:35391): avc: denied { create } for pid=15871 comm="quota_nld" name="quota_nld.pid" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013134.386:35391): avc: denied { add_name } for pid=15871 comm="quota_nld" name="quota_nld.pid" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1319013134.386:35391): avc: denied { write } for pid=15871 comm="quota_nld" name="run" dev=dm-0 ino=2059 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
# service quota_nld stop
Stopping quota_nld: [ OK ]
# ausearch -m AVC -m USER_AVC -ts recent
----
time->Wed Oct 19 10:34:49 2011
type=PATH msg=audit(1319013289.598:35392): item=1 name="/var/run/quota_nld.pid" inode=9715 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0
type=PATH msg=audit(1319013289.598:35392): item=0 name="/var/run/" inode=2059 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=CWD msg=audit(1319013289.598:35392): cwd="/"
type=SYSCALL msg=audit(1319013289.598:35392): arch=40000003 syscall=10 success=yes exit=0 a0=1900e50 a1=bffaa3fc a2=dad708 a3=1900e50 items=2 ppid=1 pid=15871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013289.598:35392): avc: denied { unlink } for pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013289.598:35392): avc: denied { remove_name } for pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
```

The only question is whether we want to treat it with the quota_t domain type or whether we will want to create a new type, for example quota_nld_t (which looks to me like the right solution).

Petr, what does this daemon do?

Created attachment 528964 [details]
quotanld.te
Created attachment 528965 [details]
quotanld.fc
Created attachment 528966 [details]
quotanld.if
(In reply to comment #3)
> what does this daemon do?

It registers on a netlink group for disk quota events and waits for events from the kernel. When the daemon receives an event (usage exceeded or underrun limit), it can print it to the last user's terminal (access to /var/log/utmp is needed, and to other users' PTYs) or broadcast it via the system D-Bus (desktop environments can listen for the D-Bus event and raise a notification on the user's workspace). The daemon will also write into syslog if something goes wrong (like an error while finding the terminal or writing into it). Whether the daemon warns into the terminal and/or to D-Bus is configurable at execution time (there is a file in /etc/sysconf). See the manual page for more details.

Ok, I believe we need to add a new domain for this.

Yes, although we probably should put this off to 6.3.

(In reply to comment #8)
> Ok, I believe we need to add a new domain for this.

I am adding quota_nld_t policy to Fedora.

(In reply to comment #9)
> Yes although we probably should put this off to 6.3.

Yes, I agree.

Fixed in selinux-policy-3.7.19-136.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
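As an added example (not code from the bug report, from the quota package or from selinux-policy), the script below reads audit records of the shape shown in the description, both `type=AVC` and `type=USER_AVC`, and groups the denied permissions by source type, target type and object class. That grouping is what a policy maintainer looks at when weighing whether a program fits an existing domain such as quota_t or needs its own, which is how this bug was resolved with quota_nld_t. The sample records are a constructed subset of the AVC lines in the report; `GENERIC_TARGET_TYPES` is an assumed heuristic list of generic labels, and the allow-rule output is for review only, not a recommendation to grant those permissions to quota_t.

```python
"""Summarise SELinux AVC denials the way a policy writer reads them.

Added example; not code from the bug report or from selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in the bug report,
# plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1319012486.582:35371): avc: denied { read } for pid=15812 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1319012486.586:35372): avc: denied { create } for pid=15812 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
type=USER_AVC msg=audit(1319013134.371:35390): user pid=1266 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=15868 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1319013134.283:35381): avc: denied { open } for pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1319013134.295:35389): avc: denied { connectto } for pid=15868 comm="quota_nld" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1319013134.386:35391): avc: denied { write } for pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013134.386:35391): avc: denied { add_name } for pid=15871 comm="quota_nld" name="quota_nld.pid" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1319013134.386:35391): arch=40000003 syscall=5 success=yes exit=5 items=2 ppid=1 pid=15871 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
"""

# The permission set, then the three fields that identify the access vector.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Assumed heuristic: generic labels that a confined daemon should normally
# not be writing; hitting them usually means its own files lack a file context.
GENERIC_TARGET_TYPES = {"var_run_t", "var_log_t", "var_lib_t", "etc_t", "tmp_t"}
WRITE_LIKE = {"write", "create", "add_name", "unlink", "remove_name"}


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def parse_avc_records(text):
    """Return (perm, source_type, target_type, tclass, comm) per denied permission."""
    records = []
    for line in text.splitlines():
        if not (line.startswith("type=AVC") or line.startswith("type=USER_AVC")):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        comm_m = re.search(r'comm="([^"]+)"', line)
        comm = comm_m.group(1) if comm_m else None  # USER_AVC records carry exe=, not comm=
        for perm in m.group("perms").split():
            records.append((perm, context_type(m.group("scontext")),
                            context_type(m.group("tcontext")), m.group("tclass"), comm))
    return records


def summarise(records):
    """Group denied permissions as {(source, target, class): sorted permission list}."""
    grouped = defaultdict(set)
    for perm, src, tgt, cls, _ in records:
        grouped[(src, tgt, cls)].add(perm)
    return {key: sorted(perms) for key, perms in grouped.items()}


def allow_rules(summary):
    """Render the summary in allow-rule syntax (the shape audit2allow prints).

    For review only: the maintainers' answer in this bug was a new domain,
    not granting every denied vector to quota_t.
    """
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def generic_writes(summary):
    """(target, class) pairs where the domain writes a generic type: a hint that
    a dedicated file context (e.g. for the pid file) is missing."""
    return sorted((t, c) for (_, t, c), perms in summary.items()
                  if t in GENERIC_TARGET_TYPES and set(perms) & WRITE_LIKE)


if __name__ == "__main__":
    summary = summarise(parse_avc_records(SAMPLE_AUDIT))
    for rule in allow_rules(summary):
        print(rule)
    print("generic targets written:", generic_writes(summary))
```

Running it on the sample groups the seven denials into six access vectors; the two `var_run_t` entries are the signal that the pid file in `/var/run` has no label of its own, which a dedicated domain's file contexts (the `.fc` attachment in this bug) would fix.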