Bug 772717

Summary: selinux-policy in rhel-6.2 doesn't allow mcelogd to create pid file causing it not to start
Product: Red Hat Enterprise Linux 6
Reporter: Tuomo Soini <tis>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: medium
Version: 6.2
CC: dwalsh, fixing-stuff-d-f-crisman-redhat-bugzilla, ilmis, ksrot, mmalik, stephenf
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-135.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:30:17 UTC

Attachments:
- Patch for selinux policy for the issue - mostly backport from rawhide (flags: none)

Description Tuomo Soini 2012-01-09 18:29:15 UTC
Created attachment 551633 [details]
Patch for selinux policy for the issue - mostly backport from rawhide

Description of problem:

selinux-policy in rhel-6.2 prevents mcelogd's mandatory access to the pid file and log file. These problems prevent mcelogd from starting up.

Version-Release number of selected component (if applicable):

3.7.19-126.el6_2.4

How reproducible:

always when selinux is Enforcing

Steps to Reproduce:
1. boot system
2. mcelogd not running after boot

Comment 1 Tuomo Soini 2012-01-09 18:31:07 UTC
Patch file includes original avc messages

Comment 4 Milos Malik 2012-01-11 17:51:35 UTC
Seen in enforcing mode:
----
time->Wed Jan 11 12:45:48 2012
type=SYSCALL msg=audit(1326303948.956:84270): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff45eea640 a2=6e a3=8 items=0 ppid=15459 pid=15460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326303948.956:84270): avc:  denied  { write } for  pid=15460 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jan 11 12:45:48 2012
type=SYSCALL msg=audit(1326303948.956:84271): arch=c000003e syscall=87 success=no exit=-13 a0=411085 a1=7fff45eea400 a2=0 a3=8 items=0 ppid=15459 pid=15460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326303948.956:84271): avc:  denied  { write } for  pid=15460 comm="mcelog" name="run" dev=dm-0 ino=1704702 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----

Comment 5 Milos Malik 2012-01-11 17:54:35 UTC
Seen in permissive mode:
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.626:84295): arch=c000003e syscall=2 success=yes exit=4 a0=615160 a1=441 a2=1b6 a3=0 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.626:84295): avc:  denied  { open } for  pid=16076 comm="mcelog" name="mcelog" dev=dm-0 ino=1704220 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.628:84296): arch=c000003e syscall=42 success=no exit=-111 a0=7 a1=7fffca1942f0 a2=6e a3=8 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.628:84296): avc:  denied  { write } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.629:84297): arch=c000003e syscall=87 success=yes exit=0 a0=411085 a1=7fffca1940b0 a2=0 a3=8 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { unlink } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { remove_name } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { write } for  pid=16076 comm="mcelog" name="run" dev=dm-0 ino=1704702 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.629:84298): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fffca1942f0 a2=6e a3=8 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.629:84298): avc:  denied  { create } for  pid=16076 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326304354.629:84298): avc:  denied  { add_name } for  pid=16076 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.629:84299): arch=c000003e syscall=2 success=yes exit=8 a0=615140 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=16077 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.629:84299): avc:  denied  { write open } for  pid=16077 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1326304354.629:84299): avc:  denied  { create } for  pid=16077 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.630:84300): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fffca193ac0 a2=7fffca193ac0 a3=0 items=0 ppid=1 pid=16077 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.630:84300): avc:  denied  { getattr } for  pid=16077 comm="mcelog" path="/var/run/mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jan 11 12:52:36 2012
type=SYSCALL msg=audit(1326304356.049:84305): arch=c000003e syscall=87 success=yes exit=0 a0=615140 a1=7fffca193f70 a2=7fffca193e40 a3=617520 items=0 ppid=1 pid=16077 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304356.049:84305): avc:  denied  { unlink } for  pid=16077 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
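
The denials above all share one pattern: the mcelog_t domain is blocked on objects under /var/run that carry the generic var_run_t label. The following triage script is an added example (not part of this report or of selinux-policy): it parses AVC records in the format shown above, merges them into the allow rules audit2allow would propose, and flags rules whose target is a generic type, since that usually points at a file-context (labeling) problem rather than a missing allow rule. The GENERIC_TYPES set is my own heuristic list; the sample records are copied from this report.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records taken from the audit output in this
# report (one per line, SYSCALL records omitted; they are skipped by the parser).
SAMPLE = """\
type=AVC msg=audit(1326303948.956:84270): avc:  denied  { write } for  pid=15460 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326304354.629:84298): avc:  denied  { create } for  pid=16076 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326304354.629:84299): avc:  denied  { write open } for  pid=16077 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1326304354.629:84299): avc:  denied  { create } for  pid=16077 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { remove_name } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { write } for  pid=16076 comm="mcelog" name="run" dev=dm-0 ino=1704702 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

# Matches the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)'
)

# Heuristic (assumption): labels that are too generic to be a sane target for a
# daemon-specific allow rule; a hit usually means the object needs its own type.
GENERIC_TYPES = {"var_run_t", "var_log_t", "var_t", "tmp_t", "etc_t"}


def parse_avc(line):
    """Return perms/source type/target type/class for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],   # user:role:TYPE:range
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize(text):
    """Merge denials into (source type, target type, class) -> sorted permission list."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {k: sorted(v) for k, v in rules.items()}


def triage(text):
    """Pair each candidate allow rule with a note on whether labeling should be checked first."""
    out = []
    for (s, t, c), perms in summarize(text).items():
        rule = f"allow {s} {t}:{c} {{ {' '.join(perms)} }};"
        note = (f"target is generic {t}: check the object's file context before allowing"
                if t in GENERIC_TYPES else "target is domain-specific: likely a policy gap")
        out.append((rule, note))
    return out


if __name__ == "__main__":
    for rule, note in triage(SAMPLE):
        print(f"{rule}\n    # {note}")
```

Run against the report's records it yields three rules (sock_file, file, dir), each annotated with the var_run_t warning, which matches the `ls -Z` output requested in the next comment.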

Comment 6 Miroslav Grepl 2012-01-12 08:23:55 UTC
Milos,
could you add the output of

# ls -lZ /var/run/mcelog*

Comment 7 Milos Malik 2012-01-12 09:25:10 UTC
# ls -Z /var/run/mcelog*
srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 /var/run/mcelog-client
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /var/run/mcelog.pid
#

Comment 8 Miroslav Grepl 2012-01-25 16:56:34 UTC
Fixed in selinux-policy-3.7.19-135.el6

Comment 11 errata-xmlrpc 2012-06-20 12:30:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html