| Summary: | Failing cvs login causes avc denial on /var/run/utmp | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Petr Sklenar <psklenar> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.7 | CC: | dwalsh, mmalik, ppisar |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-320.el5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 853403 | Environment: | |
| Last Closed: | 2012-02-21 05:48:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I think this is triggered by a PAM module after I applied a patch to /usr/bin/cvs that sets a dummy PAM_TTY value (https://bugzilla.redhat.com/attachment.cgi?id=484179). Enforcing mode reveals the read operation only. Permissive mode reveals both operations: read and lock.
```text
----
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80099) : arch=x86_64 syscall=open success=yes exit=3 a0=364e122686 a1=0 a2=2 a3=cc8d5a0d items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2011 07:16:30.921:80099) : avc: denied { read } for pid=20192 comm=cvs name=utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80100) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=3 a1=7 a2=7fff7f5edab0 a3=8 items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2011 07:16:30.921:80100) : avc: denied { lock } for pid=20192 comm=cvs path=/var/run/utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
----
```
We should dontaudit this.

Dontaudited in selinux-policy-2.4.6-320.el5.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
Description of problem:
Failing cvs login causes avc denial on /var/run/utmp

Version-Release number of selected component (if applicable):

```text
# rpm -qa | grep cvs
cvs-1.11.22-10.el5
cvs-debuginfo-1.11.22-10.el5
cvs-inetd-1.11.22-10.el5
# rpm -qa | grep selinux
selinux-policy-targeted-2.4.6-317.el5
libselinux-devel-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
selinux-policy-2.4.6-317.el5
libselinux-1.33.4-5.7.el5
```

How reproducible: deterministic

Steps to Reproduce:
1. Install the `cvs-inetd' and `cvs' packages.
2. Enable the cvs service in the xinetd configuration (/etc/xinetd.d/cvs: disable = no).
3. service xinetd restart
4. Try logging into the CVS service on this machine as an existing user (e.g. `root') with a bad password:
5. cvs -d ":pserver:root:fooWrongPassword@localhost:/var/cvs" login

```text
Logging in to :pserver:root@localhost:2401/var/cvs
PAM authenticate error: Authentication failure
cvs login: authorization failed: server localhost rejected access to /var/cvs for user root
```

The cvs failure is correct, but the avc denial is not.

Actual results:

```text
type=AVC msg=audit(1321976733.640:1688): avc: denied { read } for pid=22606 comm="cvs" name="utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1321976733.640:1689): avc: denied { lock } for pid=22606 comm="cvs" path="/var/run/utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
# find / -mount -inum 33914887
/var/run/utmp
# ls -laZ /var/run/utmp
-rw-rw-r--  root utmp system_u:object_r:initrc_var_run_t /var/run/utmp
# restorecon /var/run/utmp
# ls -laZ /var/run/utmp
-rw-rw-r--  root utmp system_u:object_r:initrc_var_run_t /var/run/utmp
```

Expected results: no avc denial

Additional info:
The avc denial appears occasionally on the file /var/run/utmp, but it always appears on the first try of the command in step 5. After that you need to wait a random time to reproduce it again.
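The maintainer's resolution above is a `dontaudit` rule, which silences the denial without granting `cvs_t` any access to `initrc_var_run_t` files. The script below is an added example, not code from the selinux-policy package or from anyone in this report: it parses the two AVC records quoted in the description, collapses them into the single rule a maintainer would write, and emits a loadable policy module around it (the same shape audit2allow produces). The module name `cvs_utmp_dontaudit` and the helper names are assumptions; the AVC lines are copied from the report.

```python
"""Derive a dontaudit rule from SELinux AVC denial records (added example)."""
import re
from collections import defaultdict

# The two denials quoted in the report's description, copied verbatim.
SAMPLE_AVC = """\
type=AVC msg=audit(1321976733.640:1688): avc: denied { read } for pid=22606 comm="cvs" name="utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1321976733.640:1689): avc: denied { lock } for pid=22606 comm="cvs" path="/var/run/utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# Matches both raw audit.log lines and `ausearch -i` output (extra spaces tolerated).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Return one dict per denial: source type, target type, object class, permissions."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no AVC fields
        denials.append({
            # user:role:type:range -> the type is the third field
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def dontaudit_rules(denials):
    """Merge denials sharing (source, target, class) into one dontaudit rule each."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"dontaudit {stype} {ttype}:{tclass} {perm_str};")
    return rules


def te_module(name, denials):
    """Wrap the rules in a .te module with the require block checkmodule needs."""
    types = sorted({t for d in denials for t in (d["stype"], d["ttype"])})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + dontaudit_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical module name; the rule body is what the two denials imply.
    print(te_module("cvs_utmp_dontaudit", parse_avc(SAMPLE_AVC)), end="")
```

For the two records in the report the output is a single `dontaudit cvs_t initrc_var_run_t:file { lock read };` inside a module requiring `cvs_t`, `initrc_var_run_t` and `class file { lock read }`. Before the fixed policy is installed, the generated `.te` can be compiled and loaded with `checkmodule -M -m -o cvs_utmp_dontaudit.mod cvs_utmp_dontaudit.te`, `semodule_package -o cvs_utmp_dontaudit.pp -m cvs_utmp_dontaudit.mod` and `semodule -i cvs_utmp_dontaudit.pp`; because the rule only suppresses the audit record, the denial itself still happens and `cvs login` with a bad password still fails as it should.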