Bug 845033

Summary: selinux policy for iucvtty
Product: Red Hat Enterprise Linux 6 Reporter: David Juran <djuran>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: dwalsh, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-188.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:27:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Module that solves the problem none

Description David Juran 2012-08-01 14:44:29 UTC
Description of problem:
On zLinux (s390x) there is a way to communicate between two VM:s running
on the same hypervisor using iucvcon (on the connecting side) and
iucvtty (on the receiver). These utilities are part of our s390utils
package. However, if selinux is enabled (well enforcing of course), all
of this fails since iucvtty won't be allowed to transition out of the
init_t domain.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-155.el6_3

How reproducible:
Every time

Steps to Reproduce:
1. from another VM on the same hypervisor run 
iucvconn <target vm> <target terminal>
  
Actual results:

May 30 10:37:44 zlin1006 kernel: type=1400 audit(1338367064.593:28): avc:  denied  { transition } for  pid=27030 comm="login" path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=dm-0 ino=137345 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Expected results:
No AVC


Additional info:

As recommended in the iucvtty man-page, I'm starting iucvtty from the inittab (well /etc/init, this is RHEL6)

Comment 1 David Juran 2012-08-01 14:46:05 UTC
Created attachment 601759 [details]
Module that solves the problem

The attached module (mainly by Dan Walsh) solves the problem

Comment 10 errata-xmlrpc 2013-02-21 08:27:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html