Bug 840786

Summary: tog-pegasus cannot be started; avc: denied { create } for pid=2520 comm="cimserver" name="cimxml.socket"
Product: Red Hat Enterprise Linux 7
Reporter: Petr Sklenar <psklenar>
Component: tog-pegasus
Assignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: high
Priority: high
Version: 7.0
CC: dwalsh, mmalik, vcrhonek
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: tog-pegasus-2.11.1-9.el7
Doc Type: Bug Fix
Last Closed: 2012-07-31 12:55:38 UTC
Type: Bug

Description Petr Sklenar 2012-07-17 08:18:43 UTC
Description of problem:
tog-pegasus cannot be started

Version-Release number of selected component (if applicable):
tog-pegasus-2.11.1-6.el7.x86_64
selinux-policy-3.10.0-137.el7.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. service tog-pegasus start

Actual results:

# ausearch -m avc -ts recent
----
time->Tue Jul 17 08:05:19 2012
type=SYSCALL msg=audit(1342526719.558:585): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fcd988026c0 a2=6e a3=7fff8ea8dd68 items=0 ppid=2321 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526719.558:585): avc:  denied  { create } for  pid=2322 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:22 2012
type=SYSCALL msg=audit(1342526902.438:587): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7f75abf53ea0 a2=6e a3=7fffc7eb1f68 items=0 ppid=2500 pid=2501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526902.438:587): avc:  denied  { create } for  pid=2501 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:33 2012
type=SYSCALL msg=audit(1342526913.073:590): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7f3fffc60ec0 a2=6e a3=7fff9f1f03c8 items=0 ppid=2519 pid=2520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.073:590): avc:  denied  { create } for  pid=2520 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:33 2012
type=SYSCALL msg=audit(1342526913.074:591): arch=c000003e syscall=90 success=yes exit=0 a0=7f3ffafe1568 a1=1ff a2=7fff9f1f03cc a3=7fff9f1f0150 items=0 ppid=2519 pid=2520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.074:591): avc:  denied  { setattr } for  pid=2520 comm="cimserver" name="cimxml.socket" dev="dm-1" ino=1576667 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

# find / -mount -inum 1576667
/var/run/tog-pegasus/cimxml.socket

# ls -laZ /var/run/tog-pegasus/cimxml.socket
srwxrwxrwx. root root system_u:object_r:var_run_t:s0   /var/run/tog-pegasus/cimxml.socket

# rpm -q tog-pegasus selinux-policy
tog-pegasus-2.11.1-6.el7.x86_64
selinux-policy-3.10.0-137.el7.noarch

Expected results:
I can start tog-pegasus

Additional info:

Comment 1 Milos Malik 2012-07-17 20:59:01 UTC
Have you tried "restorecon -Rv /var/run/tog-pegasus"?

# matchpathcon /var/run/tog-pegasus/cimxml.socket
/var/run/tog-pegasus/cimxml.socket	system_u:object_r:pegasus_var_run_t:s0

I believe that /var/run/tog-pegasus/cimxml.socket on your machine is mislabelled.

Comment 2 Petr Sklenar 2012-07-18 06:38:36 UTC
(In reply to comment #1)
> Have you tried "restorecon -Rv /var/run/tog-pegasus" ?
hm, right you are

but see what happens when I have a fresh machine, right after tog-pegasus installation. Then /var/run/tog-pegasus is empty.


[root@unused-4-205 ~]# ll /var/run/tog-pegasus
total 0

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service
Job failed. See system journal and 'systemctl status' for details.

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..
-rw-------. root root    system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock

[root@unused-4-205 ~]# setenforce 0

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service

[root@unused-4-205 ~]# service tog-pegasus stop
Redirecting to /bin/systemctl stop  tog-pegasus.service

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..
-rw-------. root root    system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock

[root@unused-4-205 ~]# restorecon -Rv /var/run/tog-pegasus
restorecon reset /run/tog-pegasus context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pegasus_var_run_t:s0

[root@unused-4-205 ~]# setenforce 1

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service

-------------- denials during the procedure above:
[root@unused-4-205 ~]# ausearch -m avc -ts recent
----
time->Wed Jul 18 07:31:35 2012
type=SYSCALL msg=audit(1342589495.843:346): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9fec34b9b0 a2=6e a3=7fff3d8072a8 items=0 ppid=1719 pid=1720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589495.843:346): avc:  denied  { create } for  pid=1720 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.730:349): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7f55fec83140 a2=6e a3=7fff091b08c8 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.730:349): avc:  denied  { create } for  pid=1738 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.733:350): arch=c000003e syscall=90 success=yes exit=0 a0=7f55f999e568 a1=1ff a2=7fff091b08cc a3=7fff091b0650 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.733:350): avc:  denied  { setattr } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:32:00 2012
type=SYSCALL msg=audit(1342589520.163:352): arch=c000003e syscall=87 success=yes exit=0 a0=7f55fec83142 a1=1 a2=0 a3=7fff091b10b0 items=0 ppid=1 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589520.163:352): avc:  denied  { unlink } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

Comment 3 Milos Malik 2012-07-18 07:03:23 UTC
You're right. If you run "service tog-pegasus start" immediately after installation of tog-pegasus package, the job fails and AVCs appear.

Now the question is who to blame for the AVCs:
1) post-install script of tog-pegasus package does not call restorecon on /var/run/tog-pegasus directory
2) selinux-policy does not contain a type_transition which labels the /var/run/tog-pegasus directory correctly when it is created

Hi Dan or Miroslav, what do you think about it?
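
Added example (not code from this bug, tog-pegasus or selinux-policy): a small Python triage script for the `ausearch -m avc` records quoted above. It pairs each SYSCALL record with its AVC record by audit id, decodes the x86_64 syscall numbers that appear in the report (49 = bind, 90 = chmod, 87 = unlink), flags records that have success=yes despite the denial (the kernel was in permissive mode, as after the setenforce 0 in comment 2), and compares the target type with the type matchpathcon reported in comment 1. The expected-type table is hard-coded from that matchpathcon output as an assumption so the script runs offline; on a live host you would query matchpathcon or selabel_lookup instead. The sample records are trimmed copies of the lines quoted in this report.

```python
"""Offline triage of the SELinux AVC records quoted in this bug.

Added example: not code from tog-pegasus, selinux-policy or the reporters.
The expected label for the socket is hard-coded from the matchpathcon output
in comment 1 (an assumption of this script, since matchpathcon is not run).
"""
import re

# x86_64 syscall numbers that appear in the report, from the kernel syscall table.
X86_64_SYSCALLS = {49: "bind", 87: "unlink", 90: "chmod"}

# What the policy expects for the path (comment 1). On a live host, query
# matchpathcon / selabel_lookup instead of this constructed table.
EXPECTED_TYPE = {"/var/run/tog-pegasus/cimxml.socket": "pegasus_var_run_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")

# Trimmed copies of records from the report (unused SYSCALL fields dropped).
SAMPLE = """\
type=SYSCALL msg=audit(1342526719.558:585): arch=c000003e syscall=49 success=no exit=-13 pid=2322 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526719.558:585): avc:  denied  { create } for  pid=2322 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1342526913.073:590): arch=c000003e syscall=49 success=yes exit=0 pid=2520 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.073:590): avc:  denied  { create } for  pid=2520 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1342526913.074:591): arch=c000003e syscall=90 success=yes exit=0 pid=2520 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.074:591): avc:  denied  { setattr } for  pid=2520 comm="cimserver" name="cimxml.socket" dev="dm-1" ino=1576667 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1342589520.163:352): arch=c000003e syscall=87 success=yes exit=0 pid=1738 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589520.163:352): avc:  denied  { unlink } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""


def parse_fields(line):
    """Return the key=value pairs of one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_events(text):
    """Group SYSCALL and AVC records by their audit (timestamp:serial) id."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(0), {"ts": float(m.group(1)), "serial": m.group(2)})
        f = parse_fields(line)
        if f.get("type") == "SYSCALL":
            ev["syscall"] = X86_64_SYSCALLS.get(int(f["syscall"]), f["syscall"])
            ev["success"] = f["success"] == "yes"
        elif f.get("type") == "AVC":
            d = DENIED_RE.search(line)
            ev["perms"] = d.group(1).split() if d else []
            ev["name"] = f.get("name")
            ev["stype"] = f["scontext"].split(":")[2]   # source (process) type
            ev["ttype"] = f["tcontext"].split(":")[2]   # target (object) type
            ev["tclass"] = f["tclass"]
    return sorted(events.values(), key=lambda e: (e["ts"], int(e["serial"])))


def triage(text, path):
    """Return one finding per AVC denial, annotated with what it tells you."""
    expected = EXPECTED_TYPE.get(path)
    findings = []
    for ev in parse_events(text):
        if "perms" not in ev:
            continue
        mislabel = None
        if expected and ev["ttype"] != expected:
            mislabel = f"{ev['ttype']} should be {expected}"
        findings.append({
            "event": ev["serial"],
            "syscall": ev.get("syscall"),
            "perms": ev["perms"],
            "target": f"{ev['name']} ({ev['tclass']})",
            "source": ev["stype"],
            # A denial logged on a syscall that still returned success means the
            # kernel was in permissive mode when the record was written.
            "permissive": bool(ev.get("success")),
            "mislabelled": mislabel,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, "/var/run/tog-pegasus/cimxml.socket"):
        print(finding)
```

Every finding reports tcontext var_run_t where pegasus_var_run_t is expected, so this is a labelling problem rather than a missing allow rule; feeding these records to audit2allow would produce an over-broad `allow pegasus_t var_run_t:sock_file ...` rule instead of the fix. The listing in comment 2 also narrows down who created the directory: its SELinux user is unconfined_u, which a new file inherits from the process that creates it, so the directory was created by an unconfined process (the package installation run from the admin's shell) and not by cimserver, which runs as system_u:system_r:pegasus_t.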

Comment 4 Daniel Walsh 2012-07-19 15:47:22 UTC
Any idea who is creating the /var/run/tog-pegasus directory?

Comment 5 Daniel Walsh 2012-07-19 15:53:48 UTC
In post install script you need to add

install -d -m 1750 -o root -g pegasus /var/run/tog-pegasus
restorecon /var/run/tog-pegasus