Bug 840786
Summary: | tog-pegasus cannot be started; avc: denied { create } for pid=2520 comm="cimserver" name="cimxml.socket" | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Sklenar <psklenar> |
Component: | tog-pegasus | Assignee: | Vitezslav Crhonek <vcrhonek> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | qe-baseos-daemons |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.0 | CC: | dwalsh, mmalik, vcrhonek |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | tog-pegasus-2.11.1-9.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-07-31 12:55:38 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Petr Sklenar
2012-07-17 08:18:43 UTC
Comment 1

Have you tried "restorecon -Rv /var/run/tog-pegasus"?

```
# matchpathcon /var/run/tog-pegasus/cimxml.socket
/var/run/tog-pegasus/cimxml.socket	system_u:object_r:pegasus_var_run_t:s0
```

I believe that /var/run/tog-pegasus/cimxml.socket on your machine is mislabelled.

Comment 2

(In reply to comment #1)
> Have you tried "restorecon -Rv /var/run/tog-pegasus"?

Hm, right you are, but see what happens when I have a fresh machine, right after tog-pegasus installation. Then /var/run/tog-pegasus is empty.

```
[root@unused-4-205 ~]# ll /var/run/tog-pegasus
total 0
[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start tog-pegasus.service
Job failed. See system journal and 'systemctl status' for details.
[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
-rw-------. root root system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock
[root@unused-4-205 ~]# setenforce 0
[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start tog-pegasus.service
[root@unused-4-205 ~]# service tog-pegasus stop
Redirecting to /bin/systemctl stop tog-pegasus.service
[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
-rw-------. root root system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock
[root@unused-4-205 ~]# restorecon -Rv /var/run/tog-pegasus
restorecon reset /run/tog-pegasus context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pegasus_var_run_t:s0
[root@unused-4-205 ~]# setenforce 1
[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start tog-pegasus.service
```

Denials during this procedure:

```
[root@unused-4-205 ~]# ausearch -m avc -ts recent
----
time->Wed Jul 18 07:31:35 2012
type=SYSCALL msg=audit(1342589495.843:346): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9fec34b9b0 a2=6e a3=7fff3d8072a8 items=0 ppid=1719 pid=1720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589495.843:346): avc: denied { create } for pid=1720 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.730:349): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7f55fec83140 a2=6e a3=7fff091b08c8 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.730:349): avc: denied { create } for pid=1738 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.733:350): arch=c000003e syscall=90 success=yes exit=0 a0=7f55f999e568 a1=1ff a2=7fff091b08cc a3=7fff091b0650 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.733:350): avc: denied { setattr } for pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:32:00 2012
type=SYSCALL msg=audit(1342589520.163:352): arch=c000003e syscall=87 success=yes exit=0 a0=7f55fec83142 a1=1 a2=0 a3=7fff091b10b0 items=0 ppid=1 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589520.163:352): avc: denied { unlink } for pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
```

Comment 3

You're right. If you run "service tog-pegasus start" immediately after installation of the tog-pegasus package, the job fails and AVCs appear. Now the question is who to blame for the AVCs:

1) the post-install script of the tog-pegasus package does not call restorecon on the /var/run/tog-pegasus directory
2) selinux-policy does not contain a type_transition which labels the /var/run/tog-pegasus directory correctly when it is created

Hi Dan or Miroslav, what do you think about it?

Comment 4

Any idea who is creating the /var/run/tog-pegasus directory?

In the post install script you need to add

```
install -d -m 1750 -o root -g pegasus /var/run/tog-pegasus
restorecon /var/run/tog-pegasus
```
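The comments above distinguish two causes for an AVC: a missing policy rule, or an object that simply carries the wrong label. The script below is an added example (not from the bug report or the tog-pegasus package) that summarises `ausearch -m avc` records and flags denials whose target type differs from the type matchpathcon expects; the sample records are constructed from the AVC lines quoted above, and `pegasus_var_run_t` is the expected type shown by matchpathcon in comment 1.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials and separate labelling bugs
# (target type != what matchpathcon expects for the path) from policy gaps.

# Sample records, constructed from the AVC lines quoted in the bug report.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1342589495.843:346): avc: denied { create } for pid=1720 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1342589517.733:350): avc: denied { setattr } for pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1342589520.163:352): avc: denied { unlink } for pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
EOF
}

# Reads audit records on stdin; prints one line per AVC record:
#   <permission> <subject type> <target type> <object class> <object name>
summarize_avc() {
    awk '
    /type=AVC/ {
        perm = ""; sctx = ""; tctx = ""; cls = ""; nm = ""
        # "denied { create }" -> "create"
        if (match($0, /denied [{] [a-z_]+ [}]/))
            perm = substr($0, RSTART + 9, RLENGTH - 11)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # the type is the third field of user:role:type:level
            if (kv[1] == "scontext") { split(kv[2], p, ":"); sctx = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tctx = p[3] }
            if (kv[1] == "tclass")   cls = kv[2]
            if (kv[1] == "name")     { nm = kv[2]; gsub(/"/, "", nm) }
        }
        print perm, sctx, tctx, cls, nm
    }'
}

# Keeps only denials whose target type differs from the expected type
# (the one "matchpathcon <path>" reports). Those are labelling problems:
# the fix is restorecon (or a correct post-install step), not an allow rule.
flag_mislabelled() {
    expected="$1"
    summarize_avc | awk -v want="$expected" \
        '$3 != want { print $1, $5, "is", $3, "but should be", want }'
}

sample_records | flag_mislabelled pegasus_var_run_t
```

To use it on a live system, replace `sample_records` with `ausearch -m avc -ts recent` and pass the type printed by `matchpathcon` for the object in question.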