Bug 784197

Summary: targeted: cannot stop tog-pegasus service
Product: Red Hat Enterprise Linux 5
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: low
Version: 5.8
CC: dwalsh
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Last Closed: 2013-01-08 03:31:34 UTC
Attachments: all AVCs produced by the automated test in permissive mode (flags: none)

Description Milos Malik 2012-01-24 08:47:33 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-326.el5
selinux-policy-minimum-2.4.6-326.el5
selinux-policy-strict-2.4.6-326.el5
selinux-policy-devel-2.4.6-326.el5
selinux-policy-2.4.6-326.el5
selinux-policy-mls-2.4.6-326.el5

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# ps -efZ | grep pegasus
system_u:system_r:pegasus_t:SystemLow-SystemHigh cimsrvr 2650 1  0 09:13 ? 00:00:00 cimservermain --executor-socket 3
root:sysadm_r:sysadm_t:SystemLow-SystemHigh root 3336 2990  0 09:44 pts/0 00:00:00 grep pegasus
# run_init service tog-pegasus stop
Authenticating root.
Password: 
Shutting down CIM server:                                  [  OK  ]
# ps -efZ | grep pegasus
system_u:system_r:pegasus_t:SystemLow-SystemHigh cimsrvr 2650 1  0 09:13 ? 00:00:00 cimservermain --executor-socket 3
root:sysadm_r:sysadm_t:SystemLow-SystemHigh root 3359 2990  0 09:44 pts/0 00:00:00 grep cim
#
  
Actual results:
----
time->Tue Jan 24 09:39:24 2012
type=SYSCALL msg=audit(1327394364.929:86): arch=40000003 syscall=37 success=no exit=-1 a0=c4f a1=f a2=bd4e80 a3=bd5020 items=0 ppid=1 pid=3150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327394364.929:86): avc:  denied  { kill } for  pid=3150 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----

Expected results:
* no AVCs

Comment 2 Milos Malik 2012-01-24 09:15:30 UTC
The automated test discovered 2 more AVCs. Could you fix them too?
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.272:48): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb52120 a2=31edac a3=bfb52516 items=0 ppid=3733 pid=3743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.272:48): avc:  denied  { connectto } for  pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.564:49): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc21740 a2=4bbdac a3=bfc21b36 items=0 ppid=3775 pid=3783 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="EnumInstances" exe="/usr/share/Pegasus/samples/bin/EnumInstances" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.564:49): avc:  denied  { connectto } for  pid=3783 comm="EnumInstances" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----

Comment 3 Miroslav Grepl 2012-01-24 09:19:19 UTC
What were you testing when this happened?

Comment 5 Milos Malik 2012-01-24 10:03:50 UTC
Created attachment 557178
all AVCs produced by the automated test in permissive mode

Comment 6 Miroslav Grepl 2012-01-24 13:15:42 UTC
I think some of these are test issues. Could you re-test it without the automatic test?

Comment 7 Milos Malik 2012-01-24 13:31:46 UTC
The following AVCs appeared in permissive mode when I re-tested the scenario manually:
----
time->Tue Jan 24 14:27:35 2012
type=SYSCALL msg=audit(1327411655.655:45): arch=40000003 syscall=37 success=yes exit=0 a0=a5d a1=f a2=986e80 a3=987020 items=0 ppid=1 pid=2652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411655.655:45): avc:  denied  { kill } for  pid=2652 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----
time->Tue Jan 24 14:28:34 2012
type=SYSCALL msg=audit(1327411714.292:48): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb07140 a2=514dac a3=bfb07536 items=0 ppid=3521 pid=3531 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411714.292:48): avc:  denied  { connectto } for  pid=3531 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 14:28:45 2012
type=SYSCALL msg=audit(1327411725.335:49): arch=40000003 syscall=192 success=yes exit=11616256 a0=0 a1=66a0 a2=5 a3=802 items=0 ppid=2985 pid=3591 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411725.335:49): avc:  denied  { execute } for  pid=3591 comm="cimprovagt" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=hda3 ino=494737 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file
----
time->Tue Jan 24 14:29:22 2012
type=SYSCALL msg=audit(1327411762.085:52): arch=40000003 syscall=37 success=yes exit=0 a0=baa a1=f a2=599e80 a3=59a020 items=0 ppid=1 pid=2985 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411762.085:52): avc:  denied  { kill } for  pid=2985 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----

Comment 8 Miroslav Grepl 2012-01-24 13:36:01 UTC
Yes, these need to be fixed. We have them in RHEL6/Fedora.

Comment 9 Miroslav Grepl 2012-01-24 14:08:15 UTC
Let's move it to 5.9. This happens only on MLS machines where pegasus is not so important.

Comment 11 RHEL Program Management 2012-04-02 11:20:47 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 16 Miroslav Grepl 2012-07-30 06:46:03 UTC
Fixed in selinux-policy-2.4.6-330.el5

Comment 17 Milos Malik 2012-08-03 08:30:06 UTC
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-330.el5
selinux-policy-minimum-2.4.6-330.el5
selinux-policy-strict-2.4.6-330.el5
selinux-policy-targeted-2.4.6-330.el5
selinux-policy-mls-2.4.6-330.el5
selinux-policy-devel-2.4.6-330.el5
#

The automated test produced the following AVC on an MLS machine in enforcing mode:

----
type=PATH msg=audit(08/03/2012 10:24:01.419:181) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0 
type=SOCKETCALL msg=audit(08/03/2012 10:24:01.419:181) : nargs=3 a0=5 a1=bfb2ddc6 a2=6e 
type=SOCKADDR msg=audit(08/03/2012 10:24:01.419:181) : saddr=local /var/run/tog-pegasus/cimxml.socket 
type=SYSCALL msg=audit(08/03/2012 10:24:01.419:181) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfb2d9d0 a2=316dac a3=bfb2ddc6 items=1 ppid=6130 pid=6138 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=EnumInstances exe=/usr/share/Pegasus/samples/bin/EnumInstances subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:24:01.419:181) : avc:  denied  { connectto } for  pid=6138 comm=EnumInstances path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket 
----

Comment 18 Milos Malik 2012-08-03 08:37:22 UTC
The automated test produced the same AVC on an MLS machine in permissive mode:

----
type=PATH msg=audit(08/03/2012 10:31:22.598:217) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0 
type=SOCKETCALL msg=audit(08/03/2012 10:31:22.598:217) : nargs=3 a0=5 a1=bfc70ca6 a2=6e 
type=SOCKADDR msg=audit(08/03/2012 10:31:22.598:217) : saddr=local /var/run/tog-pegasus/cimxml.socket 
type=SYSCALL msg=audit(08/03/2012 10:31:22.598:217) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfc708b0 a2=43bdac a3=bfc70ca6 items=1 ppid=8068 pid=8078 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=cimmof exe=/usr/bin/cimmof subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:22.598:217) : avc:  denied  { connectto } for  pid=8078 comm=cimmof path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket 
----

Other AVCs are probably leaked file descriptors:

----
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=0 name=/usr/sbin/open_init_pty inode=605144 dev=03:03 mode=file,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 
type=CWD msg=audit(08/03/2012 10:31:29.947:224) :  cwd=/ 
type=EXECVE msg=audit(08/03/2012 10:31:29.947:224) : argc=4 a0=run_init a1=service a2=tog-pegasus a3=status 
type=SYSCALL msg=audit(08/03/2012 10:31:29.947:224) : arch=i386 syscall=execve success=yes exit=0 a0=fc93f5 a1=bf84ca34 a2=bf84ca48 a3=fc93c5 items=2 ppid=8654 pid=8656 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=5 comm=open_init_pty exe=/usr/sbin/open_init_pty subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc:  denied  { write } for  pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc:  denied  { read } for  pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
----
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=0 name=/usr/sbin/cimserver inode=66117 dev=03:03 mode=file,755 ouid=root ogid=pegasus rdev=00:00 obj=system_u:object_r:pegasus_exec_t:s0 
type=CWD msg=audit(08/03/2012 10:31:30.643:227) :  cwd=/ 
type=EXECVE msg=audit(08/03/2012 10:31:30.643:227) : argc=1 a0=/usr/sbin/cimserver 
type=SYSCALL msg=audit(08/03/2012 10:31:30.643:227) : arch=i386 syscall=execve success=yes exit=0 a0=97ffdd0 a1=97ffd30 a2=98001e8 a3=0 items=2 ppid=8698 pid=8704 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=5 comm=cimserver exe=/usr/sbin/cimserver subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { write } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { read } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
----
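As an added example (not part of this bug report or the selinux-policy package), the triage a policy maintainer does on the AVCs in comments 7 and 18: a parser for both record forms seen here (raw `audit(epoch:serial)` lines and `ausearch -i` output) that groups denials by source type, target type and object class, derives the allow rule each group would need, and marks fifo_file denials on an anonymous pipe as a probable leaked file descriptor rather than something to allow. The sample records are constructed from lines in this report; the "leaked fd" heuristic is an assumption, not an audit tool feature.

```python
import re

# Constructed sample: four AVC records in the shape of those in this report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1327394364.929:86): avc:  denied  { kill } for  pid=3150 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1327396342.272:48): avc:  denied  { connectto } for  pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket',
    'type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { write } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file',
    'type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { read } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file',
]

# Same regex covers the raw form (quoted comm/path) and the ausearch -i form.
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
                    r'scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'path="?([^"\s]+)"?')

def seltype(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one AVC line (either form) into a dict; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    p = PATH_RE.search(line)
    return {'source': seltype(m['sctx']), 'target': seltype(m['tctx']),
            'tclass': m['tclass'], 'perms': set(m['perms'].split()),
            'path': p.group(1) if p else None}

def triage(lines):
    """Group denials by (source, target, class), merge permissions and derive
    the allow rule; fifo_file on a pipe is flagged as a probable leaked fd
    (heuristic: the fix is closing the fd on exec, not an allow rule)."""
    grouped = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc['source'], avc['target'], avc['tclass'])
        entry = grouped.setdefault(key, {'perms': set(), 'on_pipe': False})
        entry['perms'] |= avc['perms']
        entry['on_pipe'] |= (avc['path'] or '').startswith('pipe:')
    result = {}
    for (src, tgt, cls), e in grouped.items():
        perms = ' '.join(sorted(e['perms']))
        target = 'self' if src == tgt else tgt  # self rule when domains match
        result[(src, tgt, cls)] = {
            'rule': f'allow {src} {target}:{cls} {{ {perms} }};',
            'leaked_fd': cls == 'fifo_file' and e['on_pipe']}
    return result
```

Running `triage(SAMPLE_AVCS)` yields the self capability rule for the kill denial, the sysadm_t to pegasus_t connectto rule for the socket, and the pipe read/write group flagged as a leaked descriptor.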

Comment 19 Daniel Walsh 2012-08-03 11:39:51 UTC
I don't believe cimserver would ever be allowed to run on an MLS box.  So this is pretty much not a bug.  I would like to know what fifo_file is being communicated between sysadm_t and cimserver?

Comment 20 Milos Malik 2012-08-03 11:51:16 UTC
Could we change the bug summary to address targeted policy instead of MLS? Because I see the /var/run/tog-pegasus/cimxml.socket issue in targeted policy too.

Comment 21 Milos Malik 2012-08-03 11:55:29 UTC
I saw the issue. It is fixed in selinux-policy-2.4.6-330.el5.

Comment 22 Daniel Walsh 2012-08-03 11:58:40 UTC
Ok, I was going to mention that this could be broken in targeted also.

Comment 25 errata-xmlrpc 2013-01-08 03:31:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html