Bug 830822

Summary: AVCs when running kdump (AVCs caused by ldconfig)
Product: Red Hat Enterprise Linux 7
Reporter: Michal Trunecka <mtruneck>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: unspecified
Version: 7.0
CC: ebenes, mgrepl, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 12:54:33 UTC

Description Michal Trunecka 2012-06-11 13:27:03 UTC
Description of problem:
When running the test /CoreOS/selinux-policy/Regression/bz533007-unable-to-start-kdump-service, several AVCs showed up. The following AVCs showed up in permissive mode:

----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.504:1018): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7fff49ad41b0 a2=90800 a3=0 items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.504:1018): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="ld.so.conf.d" dev="dm-1" ino=159183 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.505:1019): arch=c000003e syscall=4 success=yes exit=0 a0=1085df0 a1=7fff49ad4520 a2=7fff49ad4520 a3=5 items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.505:1019): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="lib" dev="dm-1" ino=158635 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=lnk_file
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.517:1020): arch=c000003e syscall=2 success=yes exit=3 a0=107cb60 a1=20241 a2=180 a3=4b9f5c items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { create } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { add_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { write } for  pid=11748 comm="ldconfig" name="etc" dev="dm-1" ino=158633 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.518:1021): arch=c000003e syscall=90 success=yes exit=0 a0=107cb60 a1=1a4 a2=91f a3=4b9f5c items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.518:1021): avc:  denied  { setattr } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.519:1022): arch=c000003e syscall=82 success=yes exit=0 a0=107cb60 a1=7fff49ad45e0 a2=91f a3=4b9f5c items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.519:1022): avc:  denied  { rename } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1339420096.519:1022): avc:  denied  { remove_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
Version-Release number of selected component (if applicable):
kexec-tools-2.0.3-47.el7.x86_64
selinux-policy-3.10.0-128.el7.noarch

How reproducible:
run the test
/CoreOS/selinux-policy/Regression/bz533007-unable-to-start-kdump-service
  
Actual results:
AVCs

Expected results:
No AVCs

Additional info:

There are two related, but closed bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=819496
https://bugzilla.redhat.com/show_bug.cgi?id=800770
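
To read the denials above systematically, here is an added Python example (not part of the bug report and not code from selinux-policy or kexec-tools) that does the simplest part of what audit2allow does: it parses each AVC record, pulls out the permission set, scontext, tcontext and tclass, reduces the contexts to their type field, and folds the denials into one rule per (source type, target type, object class). The input is the eight AVC lines from the report, embedded as constructed sample data; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug description.
# The SYSCALL records are omitted because policy rules are derived from the
# AVC records only (the SYSCALL lines carry success=yes, i.e. permissive mode).
AVC_LINES = [
    'type=AVC msg=audit(1339420096.504:1018): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="ld.so.conf.d" dev="dm-1" ino=159183 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1339420096.505:1019): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="lib" dev="dm-1" ino=158635 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1339420096.517:1020): avc:  denied  { create } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1339420096.517:1020): avc:  denied  { add_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1339420096.517:1020): avc:  denied  { write } for  pid=11748 comm="ldconfig" name="etc" dev="dm-1" ino=158633 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1339420096.518:1021): avc:  denied  { setattr } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1339420096.519:1022): avc:  denied  { rename } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1339420096.519:1022): avc:  denied  { remove_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir',
]

# "avc:  denied  { perm perm ... } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'result': m.group('result'), 'perms': set(m.group('perms').split()), **fields}
    # A context is user:role:type:level; allow rules name only the type.
    rec['stype'] = fields['scontext'].split(':')[2]
    rec['ttype'] = fields['tcontext'].split(':')[2]
    return rec


def summarize(lines):
    """Fold denials into {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def to_allow_rules(summary):
    """Render the summary as sorted policy-language allow rules (audit2allow style)."""
    return sorted(
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(perms)))
        for (s, t, c), perms in summary.items()
    )


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(AVC_LINES)):
        print(rule)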

Comment 1 Daniel Walsh 2012-06-11 14:21:18 UTC
This looks like either a labeling issue or a test issue.  You have ldconfig_t trying to write to a directory created by an initrc script?

Comment 2 Michal Trunecka 2012-06-11 15:21:12 UTC
These AVCs are caused just by running "service kdump start" with no special settings. All the target files and directories from the AVCs are temporary and don't exist afterwards.

Comment 3 Miroslav Grepl 2012-06-28 14:14:03 UTC
It has been fixed in the latest F17/F18 policy.

Fixed in selinux-policy-3.10.0-133.el7.noarch

Comment 5 Ludek Smid 2014-06-13 12:54:33 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.