Bug 784197
| Field | Value |
|---|---|
| Summary | targeted: cannot stop tog-pegasus service |
| Product | Red Hat Enterprise Linux 5 |
| Component | selinux-policy |
| Version | 5.8 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Reporter | Milos Malik <mmalik> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | dwalsh |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | selinux-policy-2.4.6-330.el5 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2013-01-08 03:31:34 UTC |
Description
Milos Malik
2012-01-24 08:47:33 UTC
The automated test discovered 2 more AVCs. Could you fix them too?

----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.272:48): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb52120 a2=31edac a3=bfb52516 items=0 ppid=3733 pid=3743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.272:48): avc: denied { connectto } for pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.564:49): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc21740 a2=4bbdac a3=bfc21b36 items=0 ppid=3775 pid=3783 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="EnumInstances" exe="/usr/share/Pegasus/samples/bin/EnumInstances" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.564:49): avc: denied { connectto } for pid=3783 comm="EnumInstances" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----

What were you testing when this happened?

Created attachment 557178 [details]
all AVCs produced by the automated test in permissive mode

I think some of these are test issues. Could you re-test it without the automatic test?

The following AVCs appeared in permissive mode when I re-tested the scenario manually:

----
time->Tue Jan 24 14:27:35 2012
type=SYSCALL msg=audit(1327411655.655:45): arch=40000003 syscall=37 success=yes exit=0 a0=a5d a1=f a2=986e80 a3=987020 items=0 ppid=1 pid=2652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411655.655:45): avc: denied { kill } for pid=2652 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----
time->Tue Jan 24 14:28:34 2012
type=SYSCALL msg=audit(1327411714.292:48): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb07140 a2=514dac a3=bfb07536 items=0 ppid=3521 pid=3531 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411714.292:48): avc: denied { connectto } for pid=3531 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 14:28:45 2012
type=SYSCALL msg=audit(1327411725.335:49): arch=40000003 syscall=192 success=yes exit=11616256 a0=0 a1=66a0 a2=5 a3=802 items=0 ppid=2985 pid=3591 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411725.335:49): avc: denied { execute } for pid=3591 comm="cimprovagt" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=hda3 ino=494737 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file
----
time->Tue Jan 24 14:29:22 2012
type=SYSCALL msg=audit(1327411762.085:52): arch=40000003 syscall=37 success=yes exit=0 a0=baa a1=f a2=599e80 a3=59a020 items=0 ppid=1 pid=2985 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411762.085:52): avc: denied { kill } for pid=2985 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----

Yes, these need to be fixed. We have them in RHEL6/Fedora.

Let's move it to 5.9. This happens only on MLS machines, where pegasus is not so important.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Fixed in selinux-policy-2.4.6-330.el5

# rpm -qa selinux-policy\*
selinux-policy-2.4.6-330.el5
selinux-policy-minimum-2.4.6-330.el5
selinux-policy-strict-2.4.6-330.el5
selinux-policy-targeted-2.4.6-330.el5
selinux-policy-mls-2.4.6-330.el5
selinux-policy-devel-2.4.6-330.el5
#

The automated test produced the following AVC on an MLS machine in enforcing mode:

----
type=PATH msg=audit(08/03/2012 10:24:01.419:181) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0
type=SOCKETCALL msg=audit(08/03/2012 10:24:01.419:181) : nargs=3 a0=5 a1=bfb2ddc6 a2=6e
type=SOCKADDR msg=audit(08/03/2012 10:24:01.419:181) : saddr=local /var/run/tog-pegasus/cimxml.socket
type=SYSCALL msg=audit(08/03/2012 10:24:01.419:181) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfb2d9d0 a2=316dac a3=bfb2ddc6 items=1 ppid=6130 pid=6138 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=EnumInstances exe=/usr/share/Pegasus/samples/bin/EnumInstances subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/03/2012 10:24:01.419:181) : avc: denied { connectto } for pid=6138 comm=EnumInstances path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----

The automated test produced the same AVC on an MLS machine in permissive mode:

----
type=PATH msg=audit(08/03/2012 10:31:22.598:217) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0
type=SOCKETCALL msg=audit(08/03/2012 10:31:22.598:217) : nargs=3 a0=5 a1=bfc70ca6 a2=6e
type=SOCKADDR msg=audit(08/03/2012 10:31:22.598:217) : saddr=local /var/run/tog-pegasus/cimxml.socket
type=SYSCALL msg=audit(08/03/2012 10:31:22.598:217) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfc708b0 a2=43bdac a3=bfc70ca6 items=1 ppid=8068 pid=8078 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=cimmof exe=/usr/bin/cimmof subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/03/2012 10:31:22.598:217) : avc: denied { connectto } for pid=8078 comm=cimmof path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----

Other AVCs are probably leaked file descriptors:

----
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=0 name=/usr/sbin/open_init_pty inode=605144 dev=03:03 mode=file,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0
type=CWD msg=audit(08/03/2012 10:31:29.947:224) : cwd=/
type=EXECVE msg=audit(08/03/2012 10:31:29.947:224) : argc=4 a0=run_init a1=service a2=tog-pegasus a3=status
type=SYSCALL msg=audit(08/03/2012 10:31:29.947:224) : arch=i386 syscall=execve success=yes exit=0 a0=fc93f5 a1=bf84ca34 a2=bf84ca48 a3=fc93c5 items=2 ppid=8654 pid=8656 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=5 comm=open_init_pty exe=/usr/sbin/open_init_pty subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc: denied { write } for pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc: denied { read } for pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
----
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=0 name=/usr/sbin/cimserver inode=66117 dev=03:03 mode=file,755 ouid=root ogid=pegasus rdev=00:00 obj=system_u:object_r:pegasus_exec_t:s0
type=CWD msg=audit(08/03/2012 10:31:30.643:227) : cwd=/
type=EXECVE msg=audit(08/03/2012 10:31:30.643:227) : argc=1 a0=/usr/sbin/cimserver
type=SYSCALL msg=audit(08/03/2012 10:31:30.643:227) : arch=i386 syscall=execve success=yes exit=0 a0=97ffdd0 a1=97ffd30 a2=98001e8 a3=0 items=2 ppid=8698 pid=8704 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=5 comm=cimserver exe=/usr/sbin/cimserver subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc: denied { write } for pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc: denied { read } for pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
----

I don't believe cimserver would ever be allowed to run on an MLS box. So this is pretty much not a bug. I would like to know what fifo_file is being communicated between sysadm_t and cimserver?

Could we change the bug summary to address targeted policy instead of MLS? Because I see the /var/run/tog-pegasus/cimxml.socket issue in targeted policy too.

I saw the issue. It is fixed in selinux-policy-2.4.6-330.el5.

Ok, I was going to mention that this could be broken in targeted also.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html
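The thread above turns on reading raw AVC records: which source domain was denied which permission on which target type and class, and which denials (the fifo_file ones on anonymous pipes) are inherited descriptors rather than policy gaps. The following is an added example, not part of the bug report or of the selinux-policy package: a small parser that takes AVC lines of the shape shown on this page (a constructed sample copied in form from the records above), groups them into the (source type, target type, class) triples that audit2allow would turn into rules, renders those rules, and separately flags pipe-inherited denials so they are not blindly allowed. The field names are those of the kernel's audit format; the helper names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the two shapes seen on this page
# (raw audit.log with quoted fields, and ausearch -i interpreted output).
SAMPLE_AVCS = """\
type=AVC msg=audit(1327396342.272:48): avc: denied { connectto } for pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1327411655.655:45): avc: denied { kill } for pid=2652 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc: denied { write } for pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc: denied { read } for pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
"""

_RE = {
    "perms": re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}"),
    "scontext": re.compile(r"scontext=(\S+)"),
    "tcontext": re.compile(r"tcontext=(\S+)"),
    "tclass": re.compile(r"tclass=(\S+)"),
    "path": re.compile(r"path=(\S+)"),
    "comm": re.compile(r"comm=(\S+)"),
}


def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = _RE["perms"].search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key in ("scontext", "tcontext", "tclass"):
        f = _RE[key].search(line)
        if not f:
            return None
        rec[key] = f.group(1)
    for key in ("path", "comm"):
        f = _RE[key].search(line)
        rec[key] = f.group(1).strip('"') if f else None
    # A context is user:role:type[:mls-range]; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rules(text):
    """Render each group as the allow rule audit2allow would propose for it."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        target = "self" if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def likely_leaked_fds(text):
    """Denials on an anonymous pipe labelled with another domain's context are a sign
    of a descriptor inherited across exec (the caller's pipe), not a gap to allow."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["tclass"] != "fifo_file":
            continue
        if (rec["path"] or "").startswith("pipe:") and rec["stype"] != rec["ttype"]:
            hit = (rec["comm"], rec["stype"], rec["ttype"], rec["path"])
            if hit not in hits:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for comm, stype, ttype, path in likely_leaked_fds(SAMPLE_AVCS):
        print(f"# {comm} ({stype}) inherited {path} labelled {ttype}: fix the caller, not policy")
```

On a real system the input would come from `ausearch -m AVC` rather than the embedded sample. The point of the separate `likely_leaked_fds` pass is the one Dan Walsh raises in the thread: an allow rule for `pegasus_t` on a `sysadm_t` pipe would silence the denial but grant the daemon a channel back to the admin's shell; the right fix is for the caller (here `run_init`/`open_init_pty`) to close or redirect the descriptor before exec.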